What happened
Researchers uncovered a new infostealer called VoidStealer that uses a novel debugger-based technique to bypass Google Chrome’s Application-Bound Encryption (ABE) and extract the browser’s master encryption key directly from memory. Instead of relying on privilege escalation or code injection, the malware attaches itself as a debugger to a Chrome process and sets hardware breakpoints to capture the v20_master_key at the exact moment it is decrypted in memory. This method allows attackers to decrypt sensitive data such as saved passwords, cookies, and other browser-stored information. Researchers noted this is the first observed infostealer in the wild using this stealthier technique, which significantly reduces detection compared to traditional approaches.
Who is affected
Users of Google Chrome and other Chromium-based browsers on Windows systems are affected, particularly if infected by malware capable of attaching to browser processes and extracting sensitive data.
Why CISOs should care
The technique demonstrates how infostealers are evolving to bypass modern browser protections without triggering common security alerts, increasing the risk of credential theft and session hijacking across enterprise environments.
3 practical actions
- Monitor for debugger attachment to browsers. Unexpected use of debugging APIs like DebugActiveProcess on Chrome processes is a strong indicator of compromise.
- Detect abnormal memory access patterns. Watch for unauthorized processes reading browser memory using functions like ReadProcessMemory.
- Harden endpoint protection beyond signatures. Behavioral detection is critical as this technique avoids traditional injection-based detection triggers.
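As an added example (not part of the original report), a small Python triage script that applies the first two actions to endpoint API-call telemetry: it flags a non-browser process that attaches as a debugger to a browser process and then reads its memory. The JSON-lines schema, image names, sample events and debugger allowlist are constructed assumptions, not a real product's format.

```python
import json
from collections import defaultdict

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}
DEBUG_APIS = {"DebugActiveProcess"}   # debugger attachment
MEMORY_APIS = {"ReadProcessMemory"}   # cross-process memory reads
# Hypothetical allowlist: tools expected to debug browsers on this host.
ALLOWED_DEBUGGERS = {"windbg.exe", "devenv.exe"}
# Constructed sample telemetry in a hypothetical JSON-lines schema (one API call per line).
SAMPLE_EVENTS = """\
{"source_image": "svchost.exe", "api": "CreateFileW", "target_image": "", "target_pid": 0}
{"source_image": "updater.exe", "api": "DebugActiveProcess", "target_image": "chrome.exe", "target_pid": 4120}
{"source_image": "updater.exe", "api": "ReadProcessMemory", "target_image": "chrome.exe", "target_pid": 4120}
{"source_image": "windbg.exe", "api": "DebugActiveProcess", "target_image": "chrome.exe", "target_pid": 5100}
{"source_image": "chrome.exe", "api": "ReadProcessMemory", "target_image": "chrome.exe", "target_pid": 4120}
not json at all
"""

def parse_events(text):
    """Parse JSON-lines telemetry, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        try:
            if line.strip():
                events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # tolerate truncated or corrupt records
    return events

def find_browser_access(events):
    """Group suspicious calls by (source_image, target_pid) -> {"debug", "memread"}."""
    findings = defaultdict(set)
    for ev in events:
        src, tgt = ev.get("source_image", "").lower(), ev.get("target_image", "").lower()
        # Ignore non-browser targets, allowlisted debuggers and the browser's own helper processes.
        if tgt not in BROWSER_IMAGES or src in ALLOWED_DEBUGGERS or src in BROWSER_IMAGES:
            continue
        key = (src, ev.get("target_pid"))
        if ev.get("api") in DEBUG_APIS:
            findings[key].add("debug")
        elif ev.get("api") in MEMORY_APIS:
            findings[key].add("memread")
    return dict(findings)

def severity(indicators):
    """Attach followed by memory reads is the pattern described above: critical."""
    if {"debug", "memread"} <= indicators:
        return "critical"
    return "high" if "debug" in indicators else "medium"
```

On the constructed sample only updater.exe against PID 4120 is reported, as critical; the allowlisted debugger and the browser's own process-to-process read are suppressed.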
