LmCast :: Stay tuned in

VoidStealer malware steals Chrome master key via debugger trick

Recorded: March 22, 2026, 3 p.m.

VoidStealer malware steals Chrome master key via debugger trick

By Bill Toulas

March 22, 2026
10:32 AM

An information stealer called VoidStealer uses a new approach to bypass Chrome’s Application-Bound Encryption (ABE) and extract the master key for decrypting sensitive data stored in the browser.
The novel method is stealthier and relies on hardware breakpoints to extract the v20_master_key, which is used for both encryption and decryption, directly from the browser's memory, without requiring privilege escalation or code injection.
A report from Gen Digital, the parent company behind the Norton, Avast, AVG, and Avira brands, notes that this is the first case of an infostealer observed in the wild to use such a mechanism.
Google introduced ABE in Chrome 127, released in June 2024, as a new protection mechanism for cookies and other sensitive browser data. It ensures that the master key remains encrypted on disk and cannot be recovered through normal user-level access.
Decrypting the key requires the Google Chrome Elevation Service, which runs as SYSTEM, to validate the requesting process.

Overview of how ABE blocks out malware (Source: Gen Digital)
However, this system has been bypassed by multiple infostealer malware families and has even been demonstrated in open-source tools. Although Google implemented fixes and improvements to block these bypasses, new malware versions reportedly continued to succeed using other methods.
“VoidStealer is the first infostealer observed in the wild adopting a novel debugger-based Application-Bound Encryption (ABE) bypass technique that leverages hardware breakpoints to extract the v20_master_key directly from browser memory,” says Vojtěch Krejsa, threat researcher at Gen Digital.
VoidStealer is a malware-as-a-service (MaaS) platform advertised on dark web forums since at least mid-December 2025. The malware introduced the new ABE bypass mechanism in version 2.0.

Cybercriminals advertising ABE bypass in VoidStealer version 2.0 (Source: Gen Digital)
Stealing the master key
VoidStealer's trick to extract the master key is to target a short moment when Chrome’s v20_master_key is briefly present in memory in plaintext state during decryption operations.
Specifically, VoidStealer starts a suspended and hidden browser process, attaches it as a debugger, and waits for the target browser DLL (chrome.dll or msedge.dll) to load.
When loaded, it scans the DLL for a specific string and the LEA instruction that references it, using that instruction's address as the hardware breakpoint target.

VoidStealer's target string (Source: Gen Digital)
Next, it sets that breakpoint across existing and newly created browser threads, waits for it to trigger during startup while the browser is decrypting protected data, then reads the register holding a pointer to the plaintext v20_master_key and extracts it with ‘ReadProcessMemory.’
Gen Digital explains that the ideal time for the malware to do this is during browser startup, when the application loads ABE-protected cookies early, forcing the decryption of the master key.
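A defender-side heuristic for the behaviour described above, added here as an example and not taken from the article or Gen Digital's report: it scores constructed process telemetry for browser launches that were created suspended and have a debugger attached by an unexpected parent, the combination the technique needs. The event fields (debugger_pid, created_suspended) are an assumed EDR-style schema, not any vendor's real one.

```python
from dataclasses import dataclass
from typing import Optional

BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}
# Parents that normally launch a browser on a workstation (assumed allowlist).
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "svchost.exe"}


@dataclass
class ProcessEvent:
    pid: int
    image: str                 # basename of the executable
    parent_pid: int
    parent_image: str
    debugger_pid: Optional[int] = None  # pid attached as debugger (assumed field)
    created_suspended: bool = False     # launched with CREATE_SUSPENDED (assumed field)


def score_event(ev: ProcessEvent) -> list:
    """Return the reasons a browser launch resembles the suspended-and-debugged pattern."""
    reasons = []
    if ev.image.lower() not in BROWSER_IMAGES:
        return reasons
    if ev.parent_image.lower() not in EXPECTED_PARENTS:
        reasons.append("unexpected parent: %s" % ev.parent_image)
    if ev.debugger_pid is not None:
        reasons.append("debugger attached (pid %d)" % ev.debugger_pid)
        if ev.debugger_pid == ev.parent_pid:
            reasons.append("parent is the debugger")
    if ev.created_suspended:
        reasons.append("created suspended")
    return reasons


def find_suspicious(events):
    """Keep events with two or more indicators; a lone odd parent or a lone debugger is too noisy."""
    hits = {}
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= 2:
            hits[ev.pid] = reasons
    return hits


SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    ProcessEvent(4100, "chrome.exe", 1200, "explorer.exe"),
    ProcessEvent(4120, "chrome.exe", 4100, "chrome.exe"),  # ordinary renderer child
    ProcessEvent(5300, "msedge.exe", 5280, "update.exe", debugger_pid=5280, created_suspended=True),
    ProcessEvent(5400, "chrome.exe", 1200, "explorer.exe", debugger_pid=5390),  # developer debugging
    ProcessEvent(5500, "notepad.exe", 1200, "explorer.exe"),
]
```

Only pid 5300 is reported: it is a browser started suspended by a non-standard parent that is also its debugger, while the developer session (5400) carries a single indicator and is ignored.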
The researchers explained that VoidStealer likely did not invent this technique but rather adopted it from the open-source project ‘ElevationKatz,’ part of the ChromeKatz cookie-dumping toolset that demonstrates weaknesses in Chrome.
Although there are some differences in the code, the implementation appears to be based on ElevationKatz, which has been available for more than a year.
BleepingComputer has contacted Google with a request for a comment on this bypass method being used by threat actors, but a reply was not available by publishing time.


Bill Toulas
Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.


VoidStealer malware uses a sophisticated technique to extract Chrome's master key, bypassing Google's Application-Bound Encryption (ABE) mechanism. The approach, detailed by Vojtěch Krejsa at Gen Digital, uses hardware breakpoints to read the v20_master_key directly from the browser's memory, without requiring privilege escalation or code injection. It is the first instance of an infostealer observed in the wild using this method. The discovery highlights a weakness in Chrome's security architecture: ABE relies on the Google Chrome Elevation Service, which runs as SYSTEM, to validate decryption requests, but the key still sits in plaintext in the browser's own memory while it is in use.

The core of VoidStealer's strategy is a brief window during Chrome's decryption operations in which the key is present in plaintext. Specifically, the malware starts a suspended, hidden browser process, attaches to it as a debugger, and waits for the browser DLL (chrome.dll or msedge.dll) to load. It then scans the DLL for a specific string and the LEA instruction that references it, and uses that instruction's address as the breakpoint target. Next, it sets the hardware breakpoint across existing and newly created browser threads and waits for it to trigger during startup, when the browser decrypts ABE-protected cookies and is therefore forced to decrypt the master key; at that point the malware reads the register holding a pointer to the plaintext key and copies it out with 'ReadProcessMemory'.

The technique originates in the open-source project 'ElevationKatz', a component of the ChromeKatz cookie-dumping toolset, which has been available for over a year. VoidStealer's code differs in places, but its implementation appears to be based on ElevationKatz's approach. VoidStealer itself is a malware-as-a-service (MaaS) platform advertised on dark web forums since at least mid-December 2025; the ABE bypass was introduced in version 2.0.

The bypass underscores the ongoing challenge of securing Chrome's ABE implementation. Despite Google's fixes and improvements intended to block earlier bypasses, new malware versions have continued to succeed with other methods, which calls for continuous monitoring and rapid response. VoidStealer's adoption of the technique shows how quickly cybercriminals turn published proof-of-concept tooling into production malware, and why defenders need to track emerging threats and close security gaps in widely used software promptly; Google's response to this bypass will be a key part of that.