LmCast :: Stay tuned in

VoidStealer Malware Darts Past Google Chrome's Encryption

Recorded: May 11, 2026, 1:16 p.m.


Authors of the VoidStealer Trojan uncovered yet another way to get around Google's App-Bound Encryption (ABE), opening the door to infostealers.

Dark Reading | Jai Vijayan, Contributing Writer | May 6, 2026 | 3 Min Read

In another sign that browsers continue to be a prime attack target, authors of the VoidStealer Trojan have uncovered a way to bypass a Chrome security feature designed to protect session cookies and other sensitive data.

It's the latest successful bypass of Chrome's App-Bound Encryption (ABE), introduced by Google in July 2024 and compatible with other Chromium-based browsers that also use ABE, like Microsoft Edge, Opera, Vivaldi, Brave, and others, according to Kaspersky.

Google introduced ABE specifically to protect cookie data against infostealers on Windows systems. As the company explains, Google uses the highest level protections the operating system provides (like Keychain services in macOS and system-provided wallets on Linux systems) to encrypt and protect cookies and other sensitive browser data. The problem with the equivalent Data Protection API (DPAPI) feature in Windows is that it does not protect stored data like cookies and passwords from being accessed by malicious applications, like infostealers, masquerading as a legitimate, logged-in user. ABE aimed to fix the problem by ensuring that only the Chrome application itself could decrypt stored data rather than any process running as the legitimate user.

Bypassing Browser Protections

"The architects of this feature assumed that to access ABE-protected browser data, an infostealer would either need to escalate its privileges to system-level, or inject malicious code directly into Chrome," Kaspersky researcher Alanna Titterington said. "In theory, this should have made attacking Chrome significantly harder and reduced the effectiveness of mass-market infostealers," she said.

In reality, however, security researchers and malware authors have found ways to bypass the protection almost as soon as Google implemented the feature in Chrome. The authors of infostealers like Meduza Stealer, Whitesnake, Lumma Stealer, and Lumar have all successfully continued to harvest cookie data and other secrets from Chrome, even after Google implemented ABE. And researchers have demonstrated ways to do it as well. Titterington pointed to an effort by researcher Alex Hagenah, who showed how an attacker could extract cookies, passwords, payment methods, and tokens from Chrome even with ABE. His technique combined fileless, in-memory execution, process hollowing, direct system calls, and other stealth techniques to access encrypted data as if it were legitimate Chrome activity. Last year, CyberArk disclosed how its researchers developed a new so-called C4 attack technique that allowed them to decrypt Chrome cookies, even as a user with low privileges.

VoidStealer Malware Takes A Different Tactic

The tactic that the authors of VoidStealer employ is different from previous ABE bypasses, according to Titterington. It targets the moment when Chrome needs to decrypt data and use it to sign into a website or to access saved credentials, she noted. To do this, Chrome exposes the master key in plaintext in browser memory; VoidStealer authors figured out a way to take advantage of that brief window of opportunity. To capture that moment, the malware attaches to the browser as a debugger, which developers use as a legitimate mechanism for troubleshooting. It then identifies the exact point in the browser's execution where decryption occurs and pauses the process at that instant. This allows the attacker to extract the encryption key directly from memory, effectively bypassing the protections designed to keep it secure.

The VoidStealer bypass tactic is another indication of how browsers and browser extensions have become a popular target for attackers. With enterprises moving more of their workflows into Web applications, browsers have become repositories of sorts for authentication tokens, credentials, financial information, and a variety of other sensitive data.

About the Author

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Jai Vijayan's reporting details a significant advancement in infostealer techniques, specifically concerning the VoidStealer Trojan. The malware's ability to bypass Google Chrome's App-Bound Encryption (ABE) represents a notable challenge to browser security. Google introduced ABE in July 2024 to protect sensitive data like session cookies and passwords against infostealers by restricting decryption to the Chrome application itself, but malware authors have repeatedly circumvented it.

The core of the issue is the browser's process of decrypting data during actions such as website logins, when the master key is briefly exposed in plaintext in memory. VoidStealer's authors exploit this window by attaching to the browser as a debugger and pausing the process at the decryption point to extract the encryption key directly. According to Vijayan's reporting, this approach differs from earlier ABE bypasses because it targets the decryption moment itself. Those earlier efforts include infostealers like Meduza Stealer and Lumma Stealer, which continued to harvest Chrome data after ABE shipped; a technique demonstrated by researcher Alex Hagenah that combined fileless, in-memory execution, process hollowing, and direct system calls; and the C4 attack technique disclosed by CyberArk, which decrypted Chrome cookies as a low-privileged user.

The tactic underscores the growing reliance on browsers as repositories of sensitive data within enterprise workflows and the corresponding risk posed by attackers. The ongoing success in bypassing ABE highlights the need for continued vigilance and innovation in browser security.
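
Detection logic for the debugger-attach step described above, added here as an example (it is not code from the article, Kaspersky, or Google): it flags processes other than the browser itself that obtain a handle to a Chromium-based browser with memory-read rights. The event fields follow Sysmon's ProcessAccess event (SourceImage, TargetImage, GrantedAccess); the sample events, the allowlist entry, and the assumption that pausing and reading the browser shows up as memory-read plus suspend/resume rights are constructed for illustration.

```python
import ntpath

# Documented Windows process access rights (winnt.h values).
PROCESS_VM_READ = 0x0010         # needed to read another process's memory
PROCESS_SUSPEND_RESUME = 0x0800  # needed to pause/resume the target

# Assumption: image names of the Chromium-based browsers the article lists.
BROWSERS = {"chrome.exe", "msedge.exe", "opera.exe", "vivaldi.exe", "brave.exe"}
# Hypothetical allowlist of sanctioned tooling (EDR sensor, developer debugger).
ALLOWLIST = {ntpath.normcase(r"C:\Program Files\ExampleEDR\sensor.exe")}

def classify(event):
    """Return 'high', 'medium' or None for one process-access event."""
    src = ntpath.normcase(event["SourceImage"])
    dst = ntpath.normcase(event["TargetImage"])
    if ntpath.basename(dst) not in BROWSERS:
        return None                      # target is not a browser
    if src == dst or src in ALLOWLIST:
        return None                      # browser's own processes, or sanctioned tool
    mask = int(event["GrantedAccess"], 16)
    if not mask & PROCESS_VM_READ:
        return None                      # this handle cannot read browser memory
    # Assumption: read plus suspend/resume matches "pause the process, read the key".
    return "high" if mask & PROCESS_SUSPEND_RESUME else "medium"

def detect(events):
    """Return (severity, source, target) for every suspicious event."""
    return [(sev, e["SourceImage"], e["TargetImage"])
            for e in events if (sev := classify(e))]

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"SourceImage": CHROME, "TargetImage": CHROME, "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Program Files\ExampleEDR\sensor.exe",
     "TargetImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": CHROME, "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetImage": r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe",
     "GrantedAccess": "0x10"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Comparing full image paths rather than file names means a binary that merely calls itself chrome.exe from another directory is still evaluated as an outside process.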