A new infostealer is bypassing Chrome’s Application-Bound Encryption (ABE), using a debugger-based technique researchers say hasn’t been seen in the wild before.
Called “VoidStealer,” the stealer appears to have found a way around ABE, introduced in Chrome 127 in 2024. ABE is a security control that locks sensitive browser data such as passwords and cookies behind stronger encryption, tying decryption to a privileged system service.
While ABE bypasses have existed before, through techniques such as code injection into Chrome, abuse of the COM-based elevation service, and remote debugging, almost all of them required admin privileges.
Vojtěch Krejsa, the threat researcher at Gen who first flagged the stealer, calls VoidStealer’s bypass non-noisy. “The bypass requires neither privilege escalation nor code injection, making it a stealthier approach compared to alternative ABE bypass methods,” he said in a blog post.
Chasing the master key
An ABE bypass revolves around a critical piece of material, the “v20_master_key.” This key is what ultimately unlocks stored browser secrets, including cookies, passwords, and tokens, once the browser has verified the request. In theory, ABE keeps this key tightly guarded, ensuring it is never exposed in a way that malware can easily access.
However, in practice, that key still has to exist in plaintext at runtime, if only briefly, for Chrome to do its job.
Earlier bypass techniques found ways to go after decryption, some relying on process injection that involved slipping malicious code into Chrome to invoke a legitimate decryption routine. Others used memory dumping or remote debugging, scanning large chunks of process memory to locate decrypted data. More advanced approaches abused Chrome’s elevation service or COM interfaces to trick the browser into handing over decrypted material.
VoidStealer takes a more surgical route, Krejsa explained. Instead of forcing Chrome to decrypt data or scraping memory broadly, it attaches as a debugger and waits. By placing hardware breakpoints on a precise instruction tied to Chrome’s decryption flow, it intercepts the exact moment the v20_master_key appears in plaintext in memory. It then reads the key using standard debugging APIs.
VoidStealer uses hardware breakpoints because they don’t modify code, Krejsa explained. Unlike software breakpoints, which can be detected, hardware breakpoints live in the CPU’s debug registers, so Chrome’s code in memory stays untouched and its normal execution is not altered.
Malware with many tricks
VoidStealer is part of a broader shift in how infostealers are evolving post-ABE. The malware already supports multiple bypass techniques, falling back to older injection-based methods if needed, but clearly prioritizing stealth where possible.
Krejsa also warned of its development pace. Since first appearing in December 2025, the malware has evolved quickly through successive versions, suggesting active maintenance and likely customer demand in underground markets. The malware, which is sold under a malware-as-a-service (MaaS) model, has undergone a total of 12 iterations so far, with the latest version, “v2.1,” rolled out on Mar 18, 2026.
Because VoidStealer avoids injection and privilege escalation, traditional indicators could fall short, Krejsa noted. He said defenders must focus on behavioral signals, including unexpected debugger attachments to browser processes, unusual use of memory-reading APIs, and anomalous Chrome process spawning patterns.
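One way to turn the behavioral signal Krejsa describes into a concrete check is to watch for processes other than the browser itself obtaining memory-read access to Chrome. The following is an added example written for this article, not code from Gen or from the VoidStealer analysis. It assumes a Sysmon-style ProcessAccess (Event ID 10) feed flattened into `Key: value | Key: value` lines, and uses that telemetry as a proxy for debugger attachment and memory-reading API use, since such feeds record the access mask a source process is granted on a target rather than the debugger attach itself. The log lines, the `ALLOWLIST` paths, and the `classify`/`scan` function names are all constructed for the example.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# Access-right bits from the Win32 process access mask (documented constants).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_SUSPEND_RESUME = 0x0800

# Browser images whose memory should only be read by themselves or known tools.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}

# Hypothetical allow-list (constructed): images an estate expects to open
# browser processes, such as OS components or the EDR sensor. Tune per estate.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\program files\examplesecurity\sensor.exe",  # placeholder EDR path
}

# Rights that go beyond passive reading and let a caller control the target
# (inject threads, write memory, suspend), as a debugger-style attach would.
CONTROL_RIGHTS = (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
                  | PROCESS_VM_WRITE | PROCESS_SUSPEND_RESUME)


@dataclass
class Finding:
    source: str
    target: str
    granted: int
    severity: str
    reason: str


_FIELD = re.compile(r"(\w+):\s*([^|]+?)\s*(?:\||$)")


def parse_event(line: str) -> dict:
    """Parse a flattened 'Key: value | Key: value' record into a dict."""
    return dict(_FIELD.findall(line))


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding when a non-browser image reads browser memory."""
    src = event.get("SourceImage", "")
    tgt = event.get("TargetImage", "")
    if PureWindowsPath(tgt).name.lower() not in BROWSER_IMAGES:
        return None
    src_name = PureWindowsPath(src).name.lower()
    if src_name in BROWSER_IMAGES or src.lower() in ALLOWLIST:
        return None  # browser-internal access and known tools are expected
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return None  # query-only handles do not expose memory contents
    if granted & CONTROL_RIGHTS:
        return Finding(src, tgt, granted, "high",
                       "memory read plus thread/suspend control of a browser process")
    return Finding(src, tgt, granted, "medium",
                   "memory read of a browser process by a non-browser image")


def scan(lines):
    """Run the rule over a batch of flattened ProcessAccess records."""
    findings = []
    for line in lines:
        finding = classify(parse_event(line))
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events; paths and access masks are illustrative only.
SAMPLE_EVENTS = [
    r"SourceImage: C:\Program Files\Google\Chrome\Application\chrome.exe | TargetImage: C:\Program Files\Google\Chrome\Application\chrome.exe | GrantedAccess: 0x1410",
    r"SourceImage: C:\Windows\System32\csrss.exe | TargetImage: C:\Program Files\Google\Chrome\Application\chrome.exe | GrantedAccess: 0x1478",
    r"SourceImage: C:\Users\alice\AppData\Local\Temp\updater.exe | TargetImage: C:\Program Files\Google\Chrome\Application\chrome.exe | GrantedAccess: 0x1410",
    r"SourceImage: C:\Users\alice\Downloads\setup.exe | TargetImage: C:\Program Files\Google\Chrome\Application\chrome.exe | GrantedAccess: 0x1FFFFF",
    r"SourceImage: C:\Windows\System32\notepad.exe | TargetImage: C:\Windows\explorer.exe | GrantedAccess: 0x1410",
    r"SourceImage: C:\Users\alice\AppData\Local\Temp\probe.exe | TargetImage: C:\Program Files\Google\Chrome\Application\chrome.exe | GrantedAccess: 0x1400",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.source} -> {f.target} "
              f"(0x{f.granted:X}): {f.reason}")
```

The rule deliberately ignores Chrome-to-Chrome access (the multi-process browser opens its own children constantly) and query-only handles, and raises severity when the caller also holds rights that let it drive the target, which is closer to a debugger attach than to a simple read. The allow-list is where most tuning happens in practice; a noisy allow-list is still better than dropping the rule, because the non-browser read of browser memory is the signal Krejsa points to.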
As a primary indicator of compromise (IoC), the researcher shared a sample linked to VoidStealer v2.0.