An data stealer referred to as VoidStealer makes use of a brand new strategy to bypass Chrome’s Utility-Certain Encryption (ABE) and extract the grasp key for decrypting delicate information saved within the browser.
The novel technique is stealthier and depends on {hardware} breakpoints to extract the v20_master_key, used for each encryption and decryption, straight from the browser’s reminiscence, with out requiring privilege escalation or code injection.
A report from Gen Digital, the mum or dad firm behind the Norton, Avast, AVG, and Avira manufacturers, notes that that is the primary case of an infostealer noticed within the wild to make use of such a mechanism.
Google launched ABE in Chrome 127, launched in June 2024, as a brand new safety mechanism for cookies and different delicate browser information. It ensures that the grasp key stays encrypted on disk and can’t be recovered by means of regular user-level entry.
Decrypting the important thing requires the Google Chrome Elevation Service, which runs as SYSTEM, to validate the requesting course of.
Supply: Gen Digital
Nevertheless, this system has been bypassed by a number of infostealer malware households and has even been demonstrated in open-source instruments. Though Google applied fixes and enhancements to dam these bypasses, new malware variations reportedly continued to succeed utilizing different strategies.
“VoidStealer is the primary infostealer noticed within the wild adopting a novel debugger-based Utility-Certain Encryption (ABE) bypass method that leverages {hardware} breakpoints to extract the v20_master_key straight from browser reminiscence,” says Vojtěch Krejsa, risk researcher at Gen Digital.
VoidStealer is a malware-as-a-service (MaaS) platform marketed on darkish net boards since at the very least mid-December 2025. The malware launched the brand new ABE bypass mechanism in model 2.0.
.webp)
Supply: Gen Digital
Stealing the grasp key
VoidStealer’s trick to extract the grasp secret is to focus on a brief second when Chrome’s v20_master_key is briefly current in reminiscence in plaintext state throughout decryption operations.
Particularly, VoidStealer begins a suspended and hidden browser course of, attaches it as a debugger, and waits for the goal browser DLL (chrome.dll or msedge.dll) to load.
When loaded, it scans the DLL for a selected string and the LEA instruction that references it, utilizing that instruction’s deal with because the {hardware} breakpoint goal.
Supply: Gen Digital
Subsequent, it units that breakpoint throughout current and newly created browser threads, waits for it to set off throughout startup whereas the browser is decrypting protected information, then reads the register holding a pointer to the plaintext v20_master_key and extracts it with ‘ReadProcessMemory.’
Gen Digital explains that the perfect time for the malware to do that is throughout browser startup, when the applying masses ABE-protected cookies early, forcing the decryption of the grasp key.
The researchers defined that VoidStealer seemingly didn’t invent this method however moderately adopted it from the open-source undertaking ‘ElevationKatz,’ a part of the ChromeKatz cookie-dumping toolset that demonstrates weaknesses in Chrome.
Though there are some variations within the code, the implementation seems to be based mostly on ElevationKatz, which has been out there for greater than a 12 months.
BleepingComputer has contacted Google with a request for a touch upon this bypass technique being utilized by risk actors, however a reply was not out there by publishing time.
Malware is getting smarter. The Crimson Report 2026 reveals how new threats use math to detect sandboxes and conceal in plain sight.
Obtain our evaluation of 1.1 million malicious samples to uncover the highest 10 strategies and see in case your safety stack is blinded.
