An information stealer called VoidStealer has introduced a new technique to bypass Chrome's Application-Bound Encryption by leveraging hardware breakpoints to extract the master key directly from browser memory. This method represents the first observed instance of an infostealer employing such a debugger-based approach in the wild, according to researchers at Gen Digital. Chrome's ABE protection, introduced in June 2024, keeps the master key encrypted on disk and requires the Google Chrome Elevation Service running at SYSTEM level for decryption.
VoidStealer operates by starting a hidden browser process in a suspended state, attaching to it as a debugger, and waiting for the target browser DLL to load. It then scans for specific instructions, sets hardware breakpoints, and captures the plaintext master key when the browser decrypts protected data during startup. The malware reads this key out of the browser's memory with ReadProcessMemory when the breakpoint triggers, allowing it to decrypt sensitive browser-stored data.
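From the defender's side, the sequence above leaves a correlatable trace in process telemetry: a non-browser process spawns a browser suspended and hidden, then attaches to it as a debugger. The following correlation is an added example, not code from the report or from VoidStealer; the event schema, the image names, the allow-list and the scoring are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass, field

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Tools that legitimately debug browsers in your estate (assumption; tune it).
ALLOWED_DEBUGGERS = {"windbg.exe", "devenv.exe", "x64dbg.exe"}

@dataclass
class Event:
    kind: str              # "process_create" or "debug_attach"
    pid: int               # process the event is about (for attach: the debugger)
    image: str             # image name of that process
    ppid: int = 0          # parent pid (process_create only)
    flags: set = field(default_factory=set)  # e.g. {"suspended", "hidden"}
    target_pid: int = 0    # debug_attach only: pid being debugged

def flag_debugger_on_browser(events):
    """Return (debugger_image, browser_pid, score) for debug attaches to a
    browser from a non-browser, non-allow-listed process. The score rises when
    the debugger is also the browser's parent and created it suspended/hidden,
    which is the sequence described in the report."""
    procs = {}  # pid -> (image, ppid, creation flags)
    alerts = []
    for ev in events:
        if ev.kind == "process_create":
            procs[ev.pid] = (ev.image.lower(), ev.ppid, set(ev.flags))
        elif ev.kind == "debug_attach":
            target = procs.get(ev.target_pid)
            if target is None:
                continue  # no creation record for the debuggee
            t_image, t_ppid, t_flags = target
            dbg_image = ev.image.lower()
            if t_image not in BROWSERS or dbg_image in BROWSERS or dbg_image in ALLOWED_DEBUGGERS:
                continue
            score = 1
            score += t_ppid == ev.pid         # debugger spawned the browser itself
            score += "suspended" in t_flags   # created suspended
            score += "hidden" in t_flags      # no visible window
            alerts.append((dbg_image, ev.target_pid, score))
    return alerts

# Constructed sample telemetry: one suspicious chain and one developer session.
SAMPLE_EVENTS = [
    Event("process_create", 400, "svc_helper.exe", ppid=1),
    Event("process_create", 1200, "chrome.exe", ppid=400, flags={"suspended", "hidden"}),
    Event("debug_attach", 400, "svc_helper.exe", target_pid=1200),
    Event("process_create", 500, "devenv.exe", ppid=1),
    Event("process_create", 1300, "chrome.exe", ppid=500, flags={"suspended"}),
    Event("debug_attach", 500, "devenv.exe", target_pid=1300),
]

if __name__ == "__main__":
    for image, pid, score in flag_debugger_on_browser(SAMPLE_EVENTS):
        print(f"ALERT score={score}: {image} attached as debugger to browser pid {pid}")
```

Only the constructed svc_helper.exe chain is reported; the devenv.exe session is dropped by the allow-list.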
The malware-as-a-service platform has been advertised on dark web forums since December 2025, with version 2.0 incorporating this bypass mechanism. Researchers note the technique appears adapted from the open-source ElevationKatz project rather than being an original invention. Multiple previous ABE bypasses have been documented despite Google's ongoing efforts to patch vulnerabilities, highlighting the persistent challenge of protecting browser-stored credentials against increasingly sophisticated extraction methods.
