Google: VoidStealer Bypasses Chrome Protection to Steal User Data

VoidStealer Infostealer Bypasses Chrome’s App-Bound Encryption with Debugger-Based Attack

A newly discovered infostealer, VoidStealer, has evaded Google Chrome’s App-Bound Encryption (ABE), a security feature introduced in Chrome 127 (July 2024), using a sophisticated debugger-based technique. The malware silently extracts session cookies, saved passwords, and payment data without requiring elevated privileges or code injection, marking a significant escalation in credential-stealing threats.

How ABE Was Designed to Work

Before ABE, Chrome relied on Windows’ Data Protection API (DPAPI), which allowed any malware running in the user's context to decrypt stored browser data. ABE addressed this by delegating protection of the encryption key to the Google Chrome Elevation Service, a system-level process that validates requesting applications before releasing the v20_master_key, the AES-GCM key securing all sensitive browser data.

The Bypass: A Cat-and-Mouse Game

ABE’s protections were quickly undermined. By October 2024, researchers confirmed bypasses by Meduza Stealer, Lumma Stealer, Whitesnake, and Lumar, with open-source tools like Chrome-App-Bound-Encryption-Decryption demonstrating viable attack methods. Google’s patches prompted stealer developers to refine their techniques, leading to VoidStealer’s breakthrough.

VoidStealer’s Debugger-Based Attack

First advertised on dark web forums in December 2025, VoidStealer evolved through 11 versions before introducing its ABE bypass in version 2.0 (March 13, 2026). Researchers at Gen Digital (parent company of Norton, Avast, and Avira) confirmed it as the first infostealer in the wild to use this method.

The attack works by:

  1. Spawning a hidden Chrome/Edge process in a suspended state.
  2. Attaching as a debugger via DebugActiveProcess, monitoring for LOAD_DLL_DEBUG_EVENT.
  3. Scanning memory for the string OSCrypt.AppBoundProvider.Decrypt.ResultCode, the exact location where the v20_master_key briefly appears in plaintext.
  4. Setting hardware breakpoints (to avoid detection) and extracting the key from R14 (Edge) or R15 (Chrome) registers with just two ReadProcessMemory calls.

The technique was adapted from the open-source ElevationKatz project, part of the ChromeKatz toolset, which has been publicly available for over six months.

Impact and Scope

VoidStealer operates as a Malware-as-a-Service (MaaS), allowing criminal affiliates to deploy it without coding expertise. While currently targeting Chrome and Microsoft Edge, the method is extensible to all Chromium-based browsers, including Brave, Opera, and Vivaldi.

Detection and Mitigation

Legitimate applications do not debug browsers autonomously, making debugger attachment a high-fidelity detection signal. Defenders are advised to monitor for:

  • Processes using DebugActiveProcess on browser instances.
  • Hidden browser launches (SW_HIDE or headless flags).
  • Unprompted ReadProcessMemory calls against chrome.exe or msedge.exe.
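
As an added example that is not part of the article or of Gen Digital's research, the three detection signals above can be written as behavioural rules over process telemetry and correlated per source process. The JSON-lines event schema (fields such as event, api, pid, ppid, image, parent_image, target_image, cmdline, show_window) and the sample events are constructed for this example; they stand in for whatever EDR or Sysmon-style feed an environment actually provides, so the field names are assumptions to be mapped onto the real source.

```python
"""Behavioural detection rules for the debugger-based browser-key theft
described above, run over constructed sample telemetry.

Assumption: events arrive as JSON lines with the fields used below
(event, api, pid, ppid, image, parent_image, target_image, cmdline,
show_window). This schema is hypothetical, modelled loosely on EDR and
Sysmon-style process telemetry, not any vendor's real format."""
import json
import ntpath
import re
from collections import defaultdict

# Chromium-family browser executables named in the article.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Command-line flag that yields a window-less browser.
HEADLESS_FLAG = re.compile(r"(?i)(^|\s)--headless(=\S+)?(\s|$)")


def is_browser(path):
    """True when the executable name of a Windows path is a known browser."""
    return ntpath.basename(path or "").lower() in BROWSER_IMAGES


def evaluate(event):
    """Apply the three rules to one event; returns [(rule_name, source_pid), ...]."""
    hits = []
    kind = event.get("event")
    if kind == "process_create" and is_browser(event.get("image")):
        hidden = event.get("show_window") == "SW_HIDE"
        headless = bool(HEADLESS_FLAG.search(event.get("cmdline", "")))
        # Browsers spawn their own helper children (renderers, GPU process);
        # only a non-browser parent launching a hidden browser is suspicious.
        if (hidden or headless) and not is_browser(event.get("parent_image")):
            hits.append(("hidden_browser_launch", event.get("ppid")))
    elif kind == "api_call" and is_browser(event.get("target_image")):
        api = event.get("api")
        if api == "DebugActiveProcess":
            # No legitimate application debugs a browser unattended.
            hits.append(("debugger_attached_to_browser", event.get("pid")))
        elif api == "ReadProcessMemory" and not is_browser(event.get("image")):
            # A browser reading its own child processes is normal; a foreign
            # process reading browser memory is not.
            hits.append(("foreign_read_of_browser_memory", event.get("pid")))
    return hits


def scan(lines):
    """Run the rules over JSON-lines telemetry.

    Returns (alerts, high_confidence_pids): every individual hit, plus the set
    of source PIDs that both launched a hidden browser and then attached a
    debugger to it, which is the full sequence the article describes."""
    alerts = []
    rules_by_pid = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        event = json.loads(line)
        for rule, pid in evaluate(event):
            alerts.append({"ts": event.get("ts"), "rule": rule, "source_pid": pid})
            rules_by_pid[pid].add(rule)
    sequence = {"hidden_browser_launch", "debugger_attached_to_browser"}
    high_confidence = {pid for pid, seen in rules_by_pid.items() if sequence <= seen}
    return alerts, high_confidence


# Constructed sample telemetry: PID 3000 behaves like the stealer (hidden
# launch, debugger attach, memory read); PIDs 2000/5000/5010 are a normal
# user-launched browser and its renderer child.
SAMPLE_TELEMETRY = r"""
{"ts": "2026-03-13T09:00:01Z", "event": "process_create", "pid": 4100, "ppid": 3000, "parent_image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc_update.exe", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmdline": "chrome.exe --headless --disable-gpu", "show_window": "SW_HIDE"}
{"ts": "2026-03-13T09:00:02Z", "event": "api_call", "api": "DebugActiveProcess", "pid": 3000, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc_update.exe", "target_pid": 4100, "target_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"ts": "2026-03-13T09:00:03Z", "event": "api_call", "api": "ReadProcessMemory", "pid": 3000, "image": "C:\\Users\\u\\AppData\\Local\\Temp\\svc_update.exe", "target_pid": 4100, "target_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
{"ts": "2026-03-13T09:05:00Z", "event": "process_create", "pid": 5000, "ppid": 2000, "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmdline": "chrome.exe", "show_window": "SW_SHOWNORMAL"}
{"ts": "2026-03-13T09:05:01Z", "event": "process_create", "pid": 5010, "ppid": 5000, "parent_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmdline": "chrome.exe --type=renderer", "show_window": "SW_HIDE"}
{"ts": "2026-03-13T09:05:02Z", "event": "api_call", "api": "ReadProcessMemory", "pid": 5000, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "target_pid": 5010, "target_image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"}
"""

if __name__ == "__main__":
    found, confirmed = scan(SAMPLE_TELEMETRY.splitlines())
    for alert in found:
        print(alert)
    print("high-confidence source PIDs:", sorted(confirmed))
```

On the sample feed the three individual rules fire only for PID 3000, and the correlation in scan() marks that PID as high confidence because it both launched a hidden browser and attached a debugger to it. The single rules need tuning in practice: test automation and crawlers legitimately start headless browsers, so the hidden-launch rule alone will produce benign hits, whereas the debugger-attach rule and the launch-then-attach sequence are the signals the article singles out as high fidelity. The rules are purely behavioural and never inspect browser memory or registers themselves.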

The discovery underscores the rapid evolution of infostealer tactics in response to browser security enhancements.

Source: https://cyberpress.org/voidstealer-bypasses-chrome-protection/

Google cybersecurity rating report: https://www.rankiteo.com/company/google

{
  "id": "GOO1779200764",
  "linkid": "google",
  "type": "Breach",
  "date": "3/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Technology, Internet Browsers',
                        'location': 'Global',
                        'name': 'Google Chrome Users',
                        'type': 'Software Users'},
                       {'industry': 'Technology, Internet Browsers',
                        'location': 'Global',
                        'name': 'Microsoft Edge Users',
                        'type': 'Software Users'}],
 'attack_vector': 'Debugger-Based Memory Scanning',
 'customer_advisories': 'Users should update their browsers to the latest '
                        'version and enable enhanced security features to '
                        'mitigate credential theft risks.',
 'data_breach': {'data_encryption': 'Bypassed (ABE encryption)',
                 'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (Personally Identifiable '
                                        'Information, Payment Information)',
                 'type_of_data_compromised': ['Session cookies',
                                              'Saved passwords',
                                              'Payment data']},
 'date_detected': '2026-03-13',
 'date_publicly_disclosed': '2026-03-13',
 'description': 'A newly discovered infostealer, VoidStealer, has evaded '
                'Google Chrome’s App-Bound Encryption (ABE) using a '
                'debugger-based technique to silently extract session cookies, '
                'saved passwords, and payment data without requiring elevated '
                'privileges or code injection.',
 'impact': {'brand_reputation_impact': 'Potential erosion of trust in browser '
                                       'security',
            'data_compromised': 'Session cookies, saved passwords, payment '
                                'data',
            'identity_theft_risk': 'High (PII and payment information '
                                   'exposure)',
            'operational_impact': 'Unauthorized access to sensitive user data',
            'payment_information_risk': 'High',
            'systems_affected': 'Google Chrome, Microsoft Edge, and other '
                                'Chromium-based browsers (Brave, Opera, '
                                'Vivaldi)'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Yes (VoidStealer operates '
                                                    'as MaaS)'},
 'investigation_status': 'Confirmed',
 'lessons_learned': 'Browser security enhancements like ABE are rapidly '
                    'bypassed by advanced malware techniques. Debugger-based '
                    'attacks represent a significant escalation in '
                    'credential-stealing threats.',
 'motivation': 'Financial Gain (Credential Theft, Data Exfiltration)',
 'post_incident_analysis': {'corrective_actions': 'Improve memory protection '
                                                  'mechanisms for encryption '
                                                  'keys and enhance detection '
                                                  'of debugger-based attacks.',
                            'root_causes': 'Insufficient protection of '
                                           'encryption keys in memory during '
                                           'browser processes, allowing '
                                           'debugger-based extraction.'},
 'recommendations': ['Monitor for processes using DebugActiveProcess on '
                     'browser instances.',
                     'Detect hidden browser launches (SW_HIDE or headless '
                     'flags).',
                     'Monitor unprompted ReadProcessMemory calls against '
                     'chrome.exe or msedge.exe.',
                     'Patch browser vulnerabilities promptly.',
                     'Enhance detection for debugger-based attack techniques.'],
 'references': [{'date_accessed': '2026-03-13',
                 'source': 'Gen Digital Research'},
                {'date_accessed': '2025-12',
                 'source': 'Dark Web Forums (VoidStealer Advertisement)'},
                {'source': 'ChromeKatz Toolset (ElevationKatz Project)'}],
 'response': {'containment_measures': 'Monitor for debugger attachments and '
                                      'hidden browser processes',
              'enhanced_monitoring': 'Monitor for DebugActiveProcess usage and '
                                     'ReadProcessMemory calls against browser '
                                     'processes',
              'remediation_measures': 'Patch browser vulnerabilities, enhance '
                                      'detection for debugger-based attacks',
              'third_party_assistance': 'Gen Digital (Norton, Avast, Avira)'},
 'stakeholder_advisories': 'Defenders should monitor for debugger attachments '
                           'and hidden browser processes as high-fidelity '
                           'detection signals.',
 'threat_actor': 'VoidStealer Malware-as-a-Service (MaaS) Operators',
 'title': 'VoidStealer Infostealer Bypasses Chrome’s App-Bound Encryption with '
          'Debugger-Based Attack',
 'type': 'Infostealer Attack',
 'vulnerability_exploited': 'Chrome’s App-Bound Encryption (ABE) Bypass'}