VoidStealer Bypasses Chrome ABE Without Injection or Elevated Privileges

VoidStealer, a new info-stealer, bypasses Google Chrome's Application-Bound Encryption (ABE) without requiring code injection or elevated privileges. It uses a novel debugger-based technique with hardware breakpoints to extract the master encryption key from browser memory. This stealthier method, identified in VoidStealer version 2.0, poses a significant threat to browser data security.

Key Highlights

  • VoidStealer bypasses Chrome ABE via novel debugger technique.
  • Hardware breakpoints used to extract master encryption key.
  • No privilege escalation or code injection required, making it stealthy.
  • Targets Chromium-based browsers like Chrome and Edge.
  • Malware-as-a-Service (MaaS) advertised on dark web forums.
  • Version 2.0 introduced this advanced bypass method.
VoidStealer, an emerging information stealer, has garnered significant attention in the cybersecurity community due to its novel method of bypassing Google Chrome's Application-Bound Encryption (ABE). This sophisticated malware can steal sensitive browser secrets, including passwords and cookies, without requiring traditional code injection or elevated system privileges, making it particularly stealthy and difficult to detect.

The core of VoidStealer's bypass mechanism lies in a debugger-based technique that leverages hardware breakpoints. Introduced in version 2.0 of the malware, around March 13, 2026, this method exploits a critical, albeit brief, moment when Chrome's `v20_master_key` – the master encryption key used for decrypting sensitive user data – is present in plaintext within the browser's memory. When a Chromium-based browser, such as Google Chrome or Microsoft Edge, starts up, it must temporarily load and decrypt the `v20_master_key` to access protected data like stored cookies and login credentials. VoidStealer capitalizes on this fleeting exposure window.

The malware initiates a hidden and suspended browser process using standard Windows APIs like `CreateProcessW` with `SW_HIDE` and `CREATE_SUSPENDED` flags. It then immediately resumes the main thread and attaches itself as a debugger to this newly spawned process via `DebugActiveProcess`. After attaching as a debugger, VoidStealer continuously monitors debug events. Once the primary browser dynamic-link library (DLL), such as `chrome.dll` or `msedge.dll`, is loaded into memory, the malware scans its `.rdata` section for a specific string: `OSCrypt.AppBoundProvider.Decrypt.ResultCode`. This string indicates the precise location in Chrome's code where the `v20_master_key` temporarily appears in its plaintext form. Subsequently, VoidStealer scans the `.text` section to pinpoint the corresponding LEA instruction, which serves as the exact target address for setting a hardware breakpoint.

Unlike software breakpoints, hardware breakpoints do not require modifying the browser's memory, further contributing to the malware's stealth. VoidStealer sets these hardware breakpoints across all browser threads by manipulating debug registers (DR0 and DR7) through `SetThreadContext`. When the browser's decryption process hits this breakpoint, the malware intercepts the execution, reads the processor registers, and extracts the `v20_master_key` directly from memory using simple memory-read commands.

This technique is particularly dangerous because it avoids actions commonly flagged by traditional endpoint security solutions, such as code injection or requests for elevated privileges. Instead, it utilizes legitimate Windows debugging APIs, making its activities appear less suspicious in typical environments. This significantly lowers its detection footprint, posing a considerable challenge for cybersecurity defenses.

Researchers at Gen Digital, the parent company of cybersecurity brands like Norton, Avast, AVG, and Avira, were instrumental in identifying and analyzing this novel bypass method. They noted that while VoidStealer is the first infostealer observed in the wild employing this specific technique, the underlying method was adapted from the publicly available open-source project 'ElevationKatz'. This project, developed by Meckazin (also behind CookieKatz and CredentialKatz), demonstrates weaknesses in Chrome's ABE and has been public for over half a year.

VoidStealer operates as a Malware-as-a-Service (MaaS) platform, actively advertised and sold on dark web forums since at least mid-December 2025. Its rapid evolution, with version 2.0 introducing this advanced bypass, indicates active and ongoing development by its creators.

The implications of this new variant are global, affecting individuals and organizations worldwide who rely on Chromium-based browsers for sensitive activities. Compromised credentials, session tokens, and other sensitive data could lead to account takeovers, further data breaches, and lateral movement within corporate networks. To mitigate the risk, security professionals recommend monitoring for unusual debugging events, suspicious browser memory reads, browsers launching with hidden windows, and unauthorized attempts to access browser memory. The emergence of VoidStealer highlights the continuous arms race between browser security mechanisms like ABE and evolving malware techniques.
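As an added defender-side example (not code from Gen Digital or from the article), the following Python correlates constructed endpoint telemetry for two of the indicators listed above: a Chromium browser launched with a hidden window by a non-browser parent, and a debugger attaching to that browser within seconds of startup. The event schema, the debugger allow-list and the 30-second window are assumptions; the exclusion of browser-spawned children matters because Chrome itself launches its renderer processes hidden.

```python
"""Correlate constructed endpoint events for the VoidStealer-style pattern:
a hidden browser launch by a non-browser parent, then a debugger attaching
to that browser shortly after startup (the v20_master_key exposure window)."""
from dataclasses import dataclass

BROWSERS = {"chrome.exe", "msedge.exe"}
KNOWN_DEBUGGERS = {"windbg.exe", "devenv.exe", "werfault.exe"}  # assumed allow-list

@dataclass
class Event:
    ts: float            # seconds since epoch (constructed schema, not a real tool's)
    kind: str            # "process_create" or "debug_attach"
    pid: int
    image: str
    parent_pid: int = 0
    parent_image: str = ""
    hidden: bool = False  # process created with a hidden window (e.g. SW_HIDE)
    target_pid: int = 0   # for debug_attach: the debuggee's pid

def find_abe_bypass_candidates(events, window_s=30.0):
    """Return (alert_reason, browser_pid, actor_image) tuples in time order."""
    alerts = []
    browsers = {}  # pid -> process_create event of a browser process
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "process_create" and e.image.lower() in BROWSERS:
            browsers[e.pid] = e
            # Browsers legitimately spawn hidden child processes; only flag
            # a hidden launch when the parent is not itself a browser.
            if e.hidden and e.parent_image.lower() not in BROWSERS:
                alerts.append(("hidden_browser_launch", e.pid, e.parent_image))
        elif e.kind == "debug_attach" and e.target_pid in browsers:
            if e.image.lower() in KNOWN_DEBUGGERS:
                continue  # assumed-legitimate debugger, not alerted on
            if e.ts - browsers[e.target_pid].ts <= window_s:
                alerts.append(("debugger_attached_at_startup", e.target_pid, e.image))
    return alerts

SAMPLE_EVENTS = [  # constructed sample telemetry, not captured logs
    Event(100.0, "process_create", 4100, "chrome.exe", 3000, "explorer.exe"),
    Event(101.0, "process_create", 4200, "chrome.exe", 4100, "chrome.exe", hidden=True),
    Event(200.0, "process_create", 5100, "msedge.exe", 5000, "updater.exe", hidden=True),
    Event(200.2, "debug_attach", 5000, "updater.exe", target_pid=5100),
    Event(300.0, "process_create", 6100, "chrome.exe", 6000, "explorer.exe"),
    Event(301.0, "debug_attach", 6050, "windbg.exe", target_pid=6100),
]

if __name__ == "__main__":
    for alert in find_abe_bypass_candidates(SAMPLE_EVENTS):
        print(alert)
```

Only the `updater.exe` chain triggers both alerts; the renderer spawned by `chrome.exe` and the attach by an allow-listed debugger are left alone.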

Frequently Asked Questions

What is VoidStealer?

VoidStealer is a sophisticated information-stealing malware (infostealer) that specifically targets Chromium-based browsers like Google Chrome and Microsoft Edge to steal sensitive data such as saved passwords, cookies, and credit card information. It operates as a Malware-as-a-Service (MaaS) and has been observed in the wild since late 2025.

How does VoidStealer bypass Chrome's Application-Bound Encryption (ABE)?

VoidStealer version 2.0 bypasses Chrome's ABE using a novel debugger-based technique. It spawns a hidden browser process, attaches itself as a debugger, and sets hardware breakpoints at a precise moment when the `v20_master_key` (Chrome's master encryption key) is briefly exposed in plaintext memory during browser startup. It then extracts this key without requiring code injection or elevated system privileges.

Why is this bypass technique considered significant and dangerous?

This technique is significant because it's stealthier than previous ABE bypass methods. By avoiding code injection and privilege escalation, VoidStealer can evade detection by many traditional endpoint security solutions that look for these common malicious activities. This makes it harder for users and organizations to identify and mitigate the threat.

What kind of information can VoidStealer steal?

VoidStealer is designed to steal sensitive data protected by Chrome's ABE, primarily the `v20_master_key`. Once this key is compromised, the malware can decrypt and exfiltrate various browser secrets, including login credentials (usernames and passwords), session cookies, and potentially autofill data like credit card information.

What can users do to protect themselves from VoidStealer and similar threats?

Protection involves using robust antivirus/anti-malware software, keeping browsers and operating systems updated, being wary of suspicious downloads and links, and enabling multi-factor authentication (MFA) on online accounts. For organizations, monitoring for unusual debugging events, suspicious memory reads, and hidden browser process launches is crucial for early detection.
