PROBABLYPWNED
Malware | March 22, 2026 | 4 min read

VoidStealer Bypasses Chrome ABE Using Debugger Trick

VoidStealer v2.0 becomes the first infostealer to extract Chrome's v20_master_key using hardware breakpoints. No injection or privilege escalation required.

James Rivera

A new version of the VoidStealer infostealer has become the first malware observed in the wild using a debugger-based technique to bypass Chrome's Application-Bound Encryption (ABE) and steal the master key used to decrypt saved passwords and cookies. The technique requires no code injection, no privilege escalation, and works entirely in user mode.

Gen Threat Labs published their analysis on March 19, crediting researcher Vojtěch Krejsa with the discovery. VoidStealer v2.0 shipped to customers on March 13, just three months after the malware first appeared on dark web forums.

How the Bypass Works

Google introduced Application-Bound Encryption in Chrome 127 (June 2024) to protect cookies and credentials from theft. ABE encrypts sensitive data using a key that's supposed to be accessible only to Chrome itself. Previous bypass techniques required either privilege escalation or injecting code into the browser process—both detectable by security tools.

VoidStealer takes a different path. Instead of injection, it attaches to Chrome as a debugger and sets hardware breakpoints at the precise moment when the decryption key exists in plaintext memory.

The attack flow breaks down like this:

  1. VoidStealer spawns Chrome using CreateProcessW with the CREATE_SUSPENDED and SW_HIDE flags—starting the browser paused and invisible
  2. It resumes the process and attaches as a debugger via DebugActiveProcess
  3. The malware monitors for chrome.dll or msedge.dll to load
  4. Once loaded, it scans the DLL's .rdata section for the string OSCrypt.AppBoundProvider.Decrypt.ResultCode—a marker that appears right after Chrome decrypts the master key
  5. Using SetThreadContext, it sets a hardware breakpoint via the DR0 register
  6. When the breakpoint triggers, the v20_master_key pointer sits in register R15 for Chrome or R14 for Edge
  7. Two ReadProcessMemory calls extract the key

The beauty of hardware breakpoints is that they're enforced by the CPU's debug registers rather than by patching instruction bytes, so integrity checks on the browser's code pages have nothing to find.

Borrowed Code, New Application

VoidStealer's developers didn't invent this technique. Gen's analysis traces the code directly to ElevationKatz, an open-source project by security researcher Meckazin that demonstrates weaknesses in Chrome's protection model. The project was built for research purposes—VoidStealer adapted it for theft.

This pattern repeats constantly in the infostealer space. Researchers publish proof-of-concept code to demonstrate vulnerabilities, and malware authors incorporate it within weeks. The gap between disclosure and exploitation keeps shrinking.

VoidStealer operates as a malware-as-a-service platform, first appearing on HackForums in mid-December 2025. The rapid evolution from v1.0 to v2.1 in three months shows active development. Earlier versions used injection-based ABE bypasses that security products could detect more easily. The debugger technique marks a significant stealth upgrade.

Why This Matters

Infostealers have become the dominant credential theft vector for enterprise environments. Recent research from Flare found that enterprise identity exposure from infostealer infections doubled throughout 2025, with projections suggesting one in five infections could yield corporate SSO credentials by late 2026.

The stolen data goes beyond passwords. Infostealers grab session cookies, which let attackers bypass MFA entirely by importing active sessions into their own browsers. Chrome's ABE was supposed to stop exactly this—cookies encrypted with keys that only Chrome could access.

VoidStealer's bypass means ABE alone won't protect users. The malware extracts the decryption key from memory, then uses it to decrypt all stored credentials and cookies at leisure.

Browser-based attacks have expanded rapidly. We've seen Chrome extension compromises and infostealers masquerading as AI tools across the past few months. VoidStealer represents the next evolution—attacking Chrome's encryption directly rather than working around it.

Detection and Defense

Gen's research identifies several behavioral indicators defenders should monitor:

  • Applications debugging browsers — Legitimate software rarely attaches debuggers to Chrome or Edge
  • Browser spawned with SW_HIDE flag — Hidden browser windows during startup are suspicious
  • Hardware breakpoint manipulation — Modifying debug registers on browser threads isn't normal behavior
  • ReadProcessMemory targeting browsers — Benign applications don't read Chrome's memory
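The attack flow above and the four behavioral indicators map onto each other one step at a time, and none of them is damning alone (developers do attach debuggers to browsers). The added example below is not from Gen or the article: it correlates the indicators per source process over a few constructed telemetry records in a hypothetical EDR-style schema (the field names, the `update.exe` image and the pids are all invented for illustration) and flags only processes that chain two or more of them against a browser.

```python
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe"}

# Constructed telemetry (hypothetical schema): one record per observed API call.
# 4100 mimics the VoidStealer chain; 2200 and 3300 are benign control cases.
EVENTS = [
    {"pid": 4100, "image": "update.exe", "api": "CreateProcessW",
     "target": "chrome.exe", "flags": ["CREATE_SUSPENDED"], "show": "SW_HIDE"},
    {"pid": 4100, "image": "update.exe", "api": "DebugActiveProcess",
     "target": "chrome.exe"},
    {"pid": 4100, "image": "update.exe", "api": "SetThreadContext",
     "target": "chrome.exe", "dr0_changed": True},
    {"pid": 4100, "image": "update.exe", "api": "ReadProcessMemory",
     "target": "chrome.exe"},
    # A debugger attaching to a non-browser: ignored entirely.
    {"pid": 2200, "image": "devenv.exe", "api": "DebugActiveProcess",
     "target": "myapp.exe"},
    # A normal, visible browser launch: matches no indicator.
    {"pid": 3300, "image": "explorer.exe", "api": "CreateProcessW",
     "target": "chrome.exe", "flags": [], "show": "SW_SHOWNORMAL"},
]


def indicators(events):
    """Map each (pid, image) to the set of browser-targeting indicators it hit."""
    hits = defaultdict(set)
    for e in events:
        if e.get("target", "").lower() not in BROWSERS:
            continue  # only calls aimed at Chrome/Edge are of interest
        key = (e["pid"], e["image"])
        api = e["api"]
        if (api == "CreateProcessW" and "CREATE_SUSPENDED" in e.get("flags", [])
                and e.get("show") == "SW_HIDE"):
            hits[key].add("hidden_suspended_spawn")   # step 1 of the flow
        elif api == "DebugActiveProcess":
            hits[key].add("debugger_attach")          # step 2
        elif api == "SetThreadContext" and e.get("dr0_changed"):
            hits[key].add("hw_breakpoint")            # step 5 (DR0 written)
        elif api == "ReadProcessMemory":
            hits[key].add("memory_read")              # step 7
    return dict(hits)


def verdicts(events, threshold=2):
    """Flag processes chaining at least `threshold` distinct indicators."""
    return {k: sorted(v) for k, v in indicators(events).items() if len(v) >= threshold}
```

Raising `threshold` trades recall for fewer alerts on legitimate debugging sessions; the hidden suspended spawn plus a debug-register write is the pair least likely to occur benignly.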

Endpoint detection tools that monitor for debugger attachment to browser processes can catch this technique. The challenge is that VoidStealer operates entirely in user mode without requiring elevation—it can run with whatever permissions the victim already has.

For organizations, the practical defenses remain familiar: prevent the initial infection. VoidStealer spreads through the usual channels—phishing, malvertising, trojanized software. Once it's running, the credential theft happens fast.

Indicator of Compromise

VoidStealer v2.0 sample hash:

f783fde5cf7930e4b3054393efadd3675b505cbef8e9d7ae58aa35b435adeea4

Organizations should add this to their detection rules, though new samples with different hashes will certainly follow. The technique matters more than the specific binary—expect other infostealer families to adopt similar bypasses soon.
