An data stealer referred to as VoidStealer makes use of a brand new strategy to bypass Chrome’s Software-Sure Encryption (ABE) and extract the grasp key for decrypting delicate knowledge saved within the browser.
The novel technique is stealthier and depends on {hardware} breakpoints to extract the v20_master_key, used for each encryption and decryption, instantly from the browser’s reminiscence, with out requiring privilege escalation or code injection.
A report from Gen Digital, the dad or mum firm behind the Norton, Avast, AVG, and Avira manufacturers, notes that that is the primary case of an infostealer noticed within the wild to make use of such a mechanism.
Google launched ABE in Chrome 127, launched in June 2024, as a brand new safety mechanism for cookies and different delicate browser knowledge. It ensures that the grasp key stays encrypted on disk and can’t be recovered via regular user-level entry.
Decrypting the important thing requires the Google Chrome Elevation Service, which runs as SYSTEM, to validate the requesting course of.
Supply: Gen Digital
Nevertheless, this system has been bypassed by a number of infostealer malware households and has even been demonstrated in open-source instruments. Though Google carried out fixes and enhancements to dam these bypasses, new malware variations reportedly continued to succeed utilizing different strategies.
“VoidStealer is the primary infostealer noticed within the wild adopting a novel debugger-based Software-Sure Encryption (ABE) bypass method that leverages {hardware} breakpoints to extract the v20_master_key instantly from browser reminiscence,” says Vojtěch Krejsa, menace researcher at Gen Digital.
VoidStealer is a malware-as-a-service (MaaS) platform marketed on darkish net boards since at the very least mid-December 2025. The malware launched the brand new ABE bypass mechanism in model 2.0.
.webp)
Supply: Gen Digital
Stealing the grasp key
VoidStealer’s trick to extract the grasp secret is to focus on a brief second when Chrome’s v20_master_key is briefly current in reminiscence in plaintext state throughout decryption operations.
Particularly, VoidStealer begins a suspended and hidden browser course of, attaches it as a debugger, and waits for the goal browser DLL (chrome.dll or msedge.dll) to load.
When loaded, it scans the DLL for a particular string and the LEA instruction that references it, utilizing that instruction’s deal with because the {hardware} breakpoint goal.
Supply: Gen Digital
Subsequent, it units that breakpoint throughout current and newly created browser threads, waits for it to set off throughout startup whereas the browser is decrypting protected knowledge, then reads the register holding a pointer to the plaintext v20_master_key and extracts it with ‘ReadProcessMemory.’
Gen Digital explains that the perfect time for the malware to do that is throughout browser startup, when the applying masses ABE-protected cookies early, forcing the decryption of the grasp key.
The researchers defined that VoidStealer probably didn’t invent this system however fairly adopted it from the open-source venture ‘ElevationKatz,’ a part of the ChromeKatz cookie-dumping toolset that demonstrates weaknesses in Chrome.
Though there are some variations within the code, the implementation seems to be primarily based on ElevationKatz, which has been accessible for greater than a yr.
BleepingComputer has contacted Google with a request for a touch upon this bypass technique being utilized by menace actors, however a reply was not accessible by publishing time.
Malware is getting smarter. The Purple Report 2026 reveals how new threats use math to detect sandboxes and conceal in plain sight.
Obtain our evaluation of 1.1 million malicious samples to uncover the highest 10 methods and see in case your safety stack is blinded.
