An info stealer referred to as VoidStealer makes use of a brand new method to bypass Chrome’s Utility-Sure Encryption (ABE) and extract the grasp key for decrypting delicate knowledge saved within the browser.
The novel methodology is stealthier and depends on {hardware} breakpoints to extract the v20_master_key, used for each encryption and decryption, instantly from the browser’s reminiscence, with out requiring privilege escalation or code injection.
A report from Gen Digital, the father or mother firm behind the Norton, Avast, AVG, and Avira manufacturers, notes that that is the primary case of an infostealer noticed within the wild to make use of such a mechanism.
Google launched ABE in Chrome 127, launched in June 2024, as a brand new safety mechanism for cookies and different delicate browser knowledge. It ensures that the grasp key stays encrypted on disk and can’t be recovered by way of regular user-level entry.
Decrypting the important thing requires the Google Chrome Elevation Service, which runs as SYSTEM, to validate the requesting course of.
Supply: Gen Digital
Nevertheless, this system has been bypassed by a number of infostealer malware households and has even been demonstrated in open-source instruments. Though Google applied fixes and enhancements to dam these bypasses, new malware variations reportedly continued to succeed utilizing different strategies.
“VoidStealer is the primary infostealer noticed within the wild adopting a novel debugger-based Utility-Sure Encryption (ABE) bypass method that leverages {hardware} breakpoints to extract the v20_master_key instantly from browser reminiscence,” says Vojtěch Krejsa, risk researcher at Gen Digital.
VoidStealer is a malware-as-a-service (MaaS) platform marketed on darkish net boards since a minimum of mid-December 2025. The malware launched the brand new ABE bypass mechanism in model 2.0.
.webp)
Supply: Gen Digital
Stealing the grasp key
VoidStealer’s trick to extract the grasp secret’s to focus on a brief second when Chrome’s v20_master_key is briefly current in reminiscence in plaintext state throughout decryption operations.
Particularly, VoidStealer begins a suspended and hidden browser course of, attaches it as a debugger, and waits for the goal browser DLL (chrome.dll or msedge.dll) to load.
When loaded, it scans the DLL for a particular string and the LEA instruction that references it, utilizing that instruction’s tackle because the {hardware} breakpoint goal.
Supply: Gen Digital
Subsequent, it units that breakpoint throughout current and newly created browser threads, waits for it to set off throughout startup whereas the browser is decrypting protected knowledge, then reads the register holding a pointer to the plaintext v20_master_key and extracts it with ‘ReadProcessMemory.’
Gen Digital explains that the perfect time for the malware to do that is throughout browser startup, when the applying hundreds ABE-protected cookies early, forcing the decryption of the grasp key.
The researchers defined that VoidStealer possible didn’t invent this method however somewhat adopted it from the open-source mission ‘ElevationKatz,’ a part of the ChromeKatz cookie-dumping toolset that demonstrates weaknesses in Chrome.
Though there are some variations within the code, the implementation seems to be primarily based on ElevationKatz, which has been obtainable for greater than a 12 months.
BleepingComputer has contacted Google with a request for a touch upon this bypass methodology being utilized by risk actors, however a reply was not obtainable by publishing time.
Malware is getting smarter. The Pink Report 2026 reveals how new threats use math to detect sandboxes and conceal in plain sight.
Obtain our evaluation of 1.1 million malicious samples to uncover the highest 10 methods and see in case your safety stack is blinded.
