VoidStealer bypass targets Chrome encryption safeguards

A new strain of the malware-as-a-service infostealer known as VoidStealer has introduced a technique that allows attackers to extract sensitive data from Google Chrome without relying on privilege escalation or code injection, marking a shift in how browser security defences are being bypassed.

Security researchers tracking the campaign say the updated variant leverages a debugger-based method to defeat Chrome’s Application-Bound Encryption (ABE), a protection designed to secure stored credentials and cookies. Instead of exploiting system-level vulnerabilities or injecting malicious code into browser processes, the malware uses hardware breakpoints to access encryption keys directly from memory while Chrome is running.

The approach centres on retrieving the browser’s so-called “v20masterkey”, which underpins Chrome’s encryption model for safeguarding user data. By targeting this key in memory, attackers can decrypt stored credentials, session cookies and other sensitive information without triggering conventional detection mechanisms associated with more intrusive techniques.

Analysts describe the development as a notable escalation in the evolution of infostealers, which have become a dominant threat vector in cybercrime ecosystems. VoidStealer, like other MaaS offerings, is distributed through underground marketplaces where operators provide ready-made tools to affiliates in exchange for subscription fees or a share of proceeds. This model has accelerated the spread of sophisticated malware capabilities among less technically skilled actors.

Traditional methods used to bypass Chrome’s ABE typically involved gaining elevated privileges, often by exploiting operating system weaknesses, or injecting malicious code into browser processes to intercept encryption routines. Both approaches tend to leave detectable traces, increasing the likelihood of being flagged by endpoint protection systems. The debugger-based technique reduces that footprint by interacting with the browser in a more indirect manner, complicating detection efforts.

Cybersecurity experts note that hardware breakpoints, commonly used in software debugging, allow precise monitoring of memory access without altering program execution in obvious ways. By repurposing this legitimate feature, attackers can observe when Chrome accesses sensitive data and capture encryption keys at the moment they are processed, effectively sidestepping built-in safeguards.

The emergence of this method underscores the growing sophistication of infostealer campaigns, which have increasingly focused on browser data as a primary target. Stolen credentials and session tokens are widely traded on cybercrime forums, enabling account takeovers, financial fraud and further network intrusions. The ability to bypass ABE without elevated privileges lowers the barrier for attackers, potentially expanding the scale of such operations.

Industry observers highlight that Chrome’s Application-Bound Encryption was introduced to strengthen protection against precisely these types of threats by binding encryption keys to specific applications and system contexts. While the mechanism remains effective against many attack vectors, the VoidStealer technique demonstrates that runtime memory access remains a viable avenue for adversaries.

The broader context reflects a surge in MaaS-driven activity, where developers continuously refine tools to evade detection and improve reliability. Infostealers have evolved from relatively simple password grabbers into complex frameworks capable of harvesting browser data, cryptocurrency wallets and system information. The integration of advanced evasion tactics, including debugger-based methods, signals a shift towards more stealth-oriented operations.

Security firms monitoring the campaign have also pointed to the rapid dissemination of such techniques within cybercriminal communities. Once a new bypass method is demonstrated, it is often incorporated into multiple malware families, broadening the overall threat landscape. This pattern has been observed with earlier innovations in credential theft and browser exploitation.

Defensive strategies are likely to require a combination of behavioural monitoring and memory analysis to detect anomalies associated with such attacks. Traditional signature-based approaches may struggle to identify debugger-based activity, particularly when it mimics legitimate development tools. As a result, endpoint security vendors are expected to focus on identifying unusual patterns of memory access and debugging behaviour within production environments.

Enterprises are also being advised to adopt stricter controls around browser usage, including limiting the storage of sensitive credentials and implementing multi-factor authentication to mitigate the impact of stolen data. Regular updates to browsers and operating systems remain essential, although the nature of this technique suggests that patching alone may not fully address the risk.


Also published on Medium.

Published by Arabian Post.