Malware & Ransomware · HIGH

Malware - VoidStealer Bypasses Chrome ABE to Steal Data

Source: CSO Online
Tags: VoidStealer, Chrome, Application-Bound Encryption, infostealer, malware

Basically, a new malware steals passwords from Chrome without being detected.

Quick Summary

VoidStealer malware has been discovered bypassing Chrome's encryption, posing a serious risk to user data. This stealthy infostealer targets sensitive information like passwords and cookies. Users must stay vigilant and adopt better security practices to protect themselves.

What Happened

A new infostealer named VoidStealer has emerged, successfully bypassing Chrome's Application-Bound Encryption (ABE). This security feature, introduced in Chrome 127, was designed to protect sensitive browser data like passwords and cookies by tightly encrypting them. Researchers have noted that VoidStealer employs a novel debugging technique that hasn't been seen in the wild before, making it a significant threat to browser security.

The bypass method used by VoidStealer is particularly concerning because it does not require privilege escalation or code injection, which are common in previous ABE bypass techniques. Instead, it attaches itself as a debugger to Chrome, waiting for the moment when the v20_master_key appears in plaintext in memory. This stealthy approach allows it to extract sensitive data without raising alarms.

Who's Being Targeted

VoidStealer primarily targets users of Google Chrome, which is one of the most widely used web browsers globally. Given the vast number of users, the potential impact of this malware is substantial. It can steal critical information such as passwords, cookies, and tokens, which can be exploited for identity theft and unauthorized access to personal accounts.

The malware has shown rapid evolution since its first appearance in December 2025, indicating that it is actively maintained and likely in high demand within underground markets. With multiple versions released, including the latest update on March 18, 2026, users must be vigilant.

Signs of Infection

Detecting VoidStealer can be challenging due to its stealthy nature. Traditional indicators of compromise may not be effective, as the malware avoids common detection methods. Researchers suggest monitoring for unusual behaviors, such as:

  • Unexpected debugger attachments to browser processes
  • Unusual use of memory-reading APIs
  • Anomalous spawning patterns of Chrome processes

These signs can help users and security professionals identify potential infections before significant damage occurs.
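The three behaviours listed above are all observable in endpoint telemetry. The following is an added example (not code from the article, from CSO Online, or from VoidStealer) that runs those checks over a handful of constructed Sysmon-style events: ProcessAccess (Event ID 10) records where a non-browser process opens a handle to a browser with debugger-level rights or with PROCESS_VM_READ, and ProcessCreate (Event ID 1) records where a browser is launched by a parent outside an allow-list. The field names follow Sysmon; the sample events, paths and the parent allow-list are assumptions made for the example.

```python
import json

# Win32 process access rights (real constants) that matter for reading another
# process's memory. Attaching a debugger effectively needs PROCESS_ALL_ACCESS.
PROCESS_VM_READ = 0x0010
PROCESS_ALL_ACCESS = 0x1FFFFF  # value on Windows Vista and later

BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}
# Parents from which a browser launch is ordinarily expected. Assumption for
# this example; tune to the environment (launchers, RMM tools, etc.).
EXPECTED_PARENTS = {"chrome.exe", "msedge.exe", "brave.exe",
                    "explorer.exe", "svchost.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return (severity, message) findings for one Sysmon-style event dict."""
    findings = []
    eid = event.get("EventID")
    if eid == 10:  # ProcessAccess: one process opened a handle to another
        src = image_name(event["SourceImage"])
        tgt = image_name(event["TargetImage"])
        granted = int(event["GrantedAccess"], 16)
        # Browser processes open handles to each other constantly; only a
        # foreign source touching a browser is interesting.
        if tgt in BROWSER_IMAGES and src not in BROWSER_IMAGES:
            if (granted & PROCESS_ALL_ACCESS) == PROCESS_ALL_ACCESS:
                findings.append(("high", f"{src} opened {tgt} with "
                                 "PROCESS_ALL_ACCESS (debugger-level)"))
            elif granted & PROCESS_VM_READ:
                findings.append(("medium", f"{src} opened {tgt} with "
                                 "PROCESS_VM_READ"))
    elif eid == 1:  # ProcessCreate
        img = image_name(event["Image"])
        parent = image_name(event["ParentImage"])
        if img in BROWSER_IMAGES and parent not in EXPECTED_PARENTS:
            findings.append(("medium", f"{img} spawned by unexpected parent {parent}"))
    return findings


def scan(json_lines):
    """Run classify() over newline-delimited JSON events.

    Returns a list of (UtcTime, severity, message) tuples, in event order.
    """
    out = []
    for line in json_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for sev, msg in classify(ev):
            out.append((ev.get("UtcTime"), sev, msg))
    return out


# Constructed sample telemetry (not real logs), using Sysmon field names.
# Event 1: Chrome's own broker opening a child, benign.
# Event 2: a non-browser binary opening Chrome with full access.
# Event 3: csrss.exe with query-only rights, benign.
# Event 4: Chrome launched from Explorer, benign.
# Event 5: Chrome launched by the same foreign binary.
# Event 6: Task Manager reading Chrome memory, worth a look but lower severity.
SAMPLE_EVENTS = r"""
{"EventID": 10, "UtcTime": "2026-03-19 08:00:01", "SourceImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "TargetImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "UtcTime": "2026-03-19 08:00:02", "SourceImage": "C:\\Users\\Public\\update.exe", "TargetImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "GrantedAccess": "0x1FFFFF"}
{"EventID": 10, "UtcTime": "2026-03-19 08:00:03", "SourceImage": "C:\\Windows\\System32\\csrss.exe", "TargetImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "GrantedAccess": "0x1400"}
{"EventID": 1, "UtcTime": "2026-03-19 08:00:04", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 1, "UtcTime": "2026-03-19 08:00:05", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ParentImage": "C:\\Users\\Public\\update.exe"}
{"EventID": 10, "UtcTime": "2026-03-19 08:00:06", "SourceImage": "C:\\Windows\\System32\\Taskmgr.exe", "TargetImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "GrantedAccess": "0x1410"}
"""

if __name__ == "__main__":
    for when, sev, msg in scan(SAMPLE_EVENTS):
        print(f"{when} [{sev}] {msg}")
```

The allow-list for browser parents and the choice to ignore browser-to-browser handle opens are the two tuning points; without them the rule fires on Chrome's own sandbox broker and on every legitimate launcher. Full-access handle opens from a non-browser image are the signal that maps most directly to the debugger attachment the article describes, so they are scored higher than plain PROCESS_VM_READ, which utilities such as Task Manager also request.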

How to Protect Yourself

To safeguard against VoidStealer and similar threats, users should adopt a proactive approach to their online security. Here are some recommended actions:

  • Keep your browser updated: Regular updates can patch vulnerabilities that malware exploits.
  • Use strong, unique passwords: Consider employing a password manager to generate and store complex passwords securely.
  • Enable two-factor authentication (2FA): This adds an extra layer of security, making it harder for attackers to gain access to your accounts.
  • Monitor your accounts: Regularly check for unauthorized access or unusual activity on your accounts.

By staying informed and implementing these protective measures, users can reduce their risk of falling victim to VoidStealer and other evolving malware threats.

🔒 Pro insight: VoidStealer's use of a debugger for ABE bypass signifies a shift in infostealer tactics, emphasizing the need for behavioral-based detection strategies.

Original article from CSO Online.
