| Follow @EthHackingNews |
VoidStealer: A new infostealer malware has been discovered that bypasses Google Chrome's Application-Bound Encryption (ABE), allowing it to steal sensitive data stored in the browser. This sophisticated approach highlights the ongoing battle between cybercriminals and security researchers.
A recent discovery by threat researchers at Gen Digital has shed light on a sophisticated infostealer malware known as VoidStealer. This malicious software has been found to steal the master key used for decrypting sensitive data stored in Google Chrome, using a previously unseen technique to bypass Application-Bound Encryption (ABE).
VoidStealer is a malware-as-a-service (MaaS) platform that has been advertised on dark web forums since mid-December 2025. The malware introduced the new ABE bypass mechanism in version 2.0, leveraging hardware breakpoints to extract the v20_master_key directly from browser memory without requiring privilege escalation or code injection.
According to Gen Digital's threat researcher, Vojtěch Krejsa, "VoidStealer is the first infostealer observed in the wild adopting a novel debugger-based Application-Bound Encryption (ABE) bypass technique that leverages hardware breakpoints to extract the v20_master_key directly from browser memory." This sophisticated approach allows VoidStealer to bypass Chrome's ABE protection mechanism, which was introduced in June 2024 as a new protection measure for cookies and other sensitive browser data.
The ABE system ensures that the master key remains encrypted on disk and cannot be recovered through normal user-level access. Decrypting the key requires the Google Chrome Elevation Service, which runs as SYSTEM, to validate the requesting process. VoidStealer sidesteps this check by targeting the short window during which Chrome's v20_master_key is present in memory in plaintext while decryption operations run.
VoidStealer achieves this by starting a suspended and hidden browser process, attaching to it as a debugger, and waiting for the target browser DLL (chrome.dll or msedge.dll) to load. Once the DLL is loaded, it scans it for a specific string and the LEA instruction that references that string, using the instruction's address as the hardware breakpoint target.
Next, VoidStealer sets the breakpoint on existing and newly created browser threads, waits for it to trigger during startup while the browser is decrypting protected data, then reads the register holding a pointer to the plaintext v20_master_key and extracts the key with ReadProcessMemory.
Gen Digital explains that the ideal time for VoidStealer to do this is during browser startup, when the application loads ABE-protected cookies early, forcing the decryption of the master key. The researchers also noted that VoidStealer likely did not invent this technique but rather adopted it from the open-source project 'ElevationKatz,' part of the ChromeKatz cookie-dumping toolset that demonstrates weaknesses in Chrome.
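The pattern described above leaves two observable traces on the endpoint: a browser process launched by something other than the usual parent, and a non-browser process opening that browser with memory-read rights. The following detector is an added example, not code from Gen Digital or from the malware; it runs over constructed Sysmon-style process-create (Event ID 1) and process-access (Event ID 10) records, and the parent allowlist and sample paths are assumptions for illustration.

```python
"""Flag the debugger-attach / memory-read pattern against Chrome and Edge.

Added example run over constructed Sysmon-style events; not the page's or
any vendor's code. Field names follow Sysmon Event ID 1 and 10 conventions.
"""
from dataclasses import dataclass

# Documented Windows process access rights (bits of GrantedAccess).
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_QUERY_INFORMATION = 0x0400

BROWSER_IMAGES = ("chrome.exe", "msedge.exe")
# Assumed allowlist of parents that normally launch a browser (assumption;
# tune to your environment, e.g. add your EDR or app-launcher images).
EXPECTED_PARENTS = ("explorer.exe", "chrome.exe", "msedge.exe", "svchost.exe")


@dataclass
class Alert:
    rule: str
    source: str
    target: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return alerts for unexpected browser launches and cross-process reads.

    A memory-read grant is rated 'high' when the target browser PID was
    itself spawned by an unexpected parent earlier in the event stream,
    which matches the suspended-child-plus-debugger pattern.
    """
    alerts = []
    suspicious_children = {}  # browser PID -> unexpected parent image
    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and basename(ev["Image"]) in BROWSER_IMAGES:
            parent = basename(ev["ParentImage"])
            if parent not in EXPECTED_PARENTS:
                suspicious_children[ev["ProcessId"]] = ev["ParentImage"]
                alerts.append(Alert(
                    "browser_spawned_by_unexpected_parent",
                    ev["ParentImage"], ev["Image"], f"pid {ev['ProcessId']}"))
        elif eid == 10 and basename(ev["TargetImage"]) in BROWSER_IMAGES:
            src = basename(ev["SourceImage"])
            if src in BROWSER_IMAGES:
                continue  # browser processes open each other routinely
            access = int(ev["GrantedAccess"], 16)
            if access & PROCESS_VM_READ:
                severity = ("high" if ev["TargetProcessId"] in suspicious_children
                            else "medium")
                alerts.append(Alert(
                    "cross_process_memory_read_on_browser",
                    ev["SourceImage"], ev["TargetImage"],
                    f"GrantedAccess={ev['GrantedAccess']} severity={severity}"))
    return alerts


# Constructed sample events (paths and PIDs are made up for the example).
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
DROPPER = r"C:\Users\alice\AppData\Local\Temp\update.exe"  # hypothetical
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": CHROME, "ParentImage": r"C:\Windows\explorer.exe",
     "ProcessId": 4100},
    {"EventID": 1, "Image": CHROME, "ParentImage": DROPPER, "ProcessId": 5200},
    # Chrome opening its own child with full access: benign, skipped.
    {"EventID": 10, "SourceImage": CHROME, "TargetImage": CHROME,
     "GrantedAccess": "0x1FFFFF", "TargetProcessId": 4100},
    # csrss.exe with query-only rights (no VM_READ bit): no alert.
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x1400", "TargetProcessId": 4100},
    # Dropper opening the browser it spawned with PROCESS_ALL_ACCESS.
    {"EventID": 10, "SourceImage": DROPPER, "TargetImage": CHROME,
     "GrantedAccess": "0x1FFFFF", "TargetProcessId": 5200},
]


def analyze_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in analyze_sample():
        print(f"[{a.rule}] {a.source} -> {a.target} ({a.detail})")
```

Correlating the two signals matters more than either alone: plenty of legitimate software (EDR agents, crash handlers) opens browser processes with read rights, so the memory-read rule on its own stays at medium severity, and only a read by the very process that launched the browser from an unusual location is escalated.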
Although there are some differences in the code, the implementation appears to be based on ElevationKatz, which has been available for more than a year. BleepingComputer has contacted Google with a request for a comment on this bypass method being used by threat actors, but a reply was not available by publishing time.
This infostealer's ABE bypass highlights the ongoing cat-and-mouse game between cybercriminals and security researchers. As security measures become more complex, it is essential to stay vigilant and adapt our defenses to counter emerging threats like VoidStealer.