VoidStealer Malware Exploits Chrome Memory to Extract Encryption Keys



A new Chrome-targeting infostealer has emerged, raising fresh concerns about browser security and evolving attack techniques.

VoidStealer bypasses Chrome security protections

According to Gen Digital, a malware strain known as VoidStealer can bypass Google Chrome’s Application-Bound Encryption (ABE), a key security feature designed to protect sensitive user data.

VoidStealer has operated as a malware-as-a-service (MaaS) offering since late 2025, but its newly discovered version 2.0 introduces a significantly more advanced bypass method. The malware specifically targets Chrome’s encryption system by extracting the v20_master_key directly from browser memory.

This approach marks the first known case of an infostealer using hardware breakpoints instead of traditional techniques like code injection or privilege escalation.

New stealth technique avoids detection

VoidStealer’s method focuses on stealth and precision. Instead of modifying system behavior in obvious ways, it relies on debugging mechanisms that are far harder to detect.

The malware launches a hidden and suspended Chrome process, then attaches to it as a debugger. Once connected, it waits for critical browser components to load before placing hardware breakpoints on carefully selected instructions.

When Chrome briefly decrypts sensitive data during startup, the master key appears in plaintext in memory. VoidStealer captures that moment and extracts the key using memory reading techniques.

Researchers note that this attack is most effective during browser startup, when encrypted data is actively being processed.

Attack method

The attack works by performing a series of low-level actions against the browser process, allowing it to capture sensitive data at the exact moment it becomes accessible. The steps break down as follows:

  • Malware launches a hidden, suspended Chrome process
  • Attaches to the process as a debugger and monitors DLL loading
  • Sets hardware breakpoints on specific instructions
  • Captures the master key during the decryption phase
  • Extracts the key directly from memory
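
Added example, not from the original article or from Gen Digital's research: a detection sketch that correlates the first two steps above (a hidden, suspended Chrome launch followed by a debugger attach) over endpoint telemetry. The event schema, field names, parent allowlist and 30-second window are assumptions, and the sample events are constructed.

```python
# Detection sketch: flag Chrome started hidden + suspended and then debugged.
# Event fields are a hypothetical telemetry schema, not any specific EDR's output.
from dataclasses import dataclass

BROWSER_IMAGE = "chrome.exe"
EXPECTED_PARENTS = {"chrome.exe", "explorer.exe"}  # assumption; tune per environment
ATTACH_WINDOW_SECONDS = 30  # assumed correlation window

@dataclass
class Alert:
    chrome_pid: int
    parent_image: str
    reasons: list

def find_debugged_hidden_chrome(events):
    """Correlate suspended+hidden Chrome launches with a later debugger attach."""
    pending, alerts = {}, []  # pending: chrome pid -> its process_start event
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process_start" and ev["image"].lower() == BROWSER_IMAGE:
            if ev["suspended"] and ev["window_hidden"]:
                pending[ev["pid"]] = ev
        elif ev["type"] == "debug_attach" and ev["target_pid"] in pending:
            start = pending.pop(ev["target_pid"])
            if ev["ts"] - start["ts"] > ATTACH_WINDOW_SECONDS:
                continue  # attach too late to be tied to this launch
            reasons = ["chrome started suspended and hidden", "debugger attached to chrome"]
            if start["parent_image"].lower() not in EXPECTED_PARENTS:
                reasons.append("unexpected parent process")
            if ev["debugger_pid"] == start["parent_pid"]:
                reasons.append("launcher is the debugger")
            alerts.append(Alert(start["pid"], start["parent_image"], reasons))
    return alerts

# Constructed sample events (timestamps in seconds); process names are made up.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "process_start", "pid": 4100, "image": "chrome.exe", "parent_pid": 900, "parent_image": "explorer.exe", "suspended": False, "window_hidden": False},
    {"ts": 205, "type": "process_start", "pid": 5200, "image": "chrome.exe", "parent_pid": 5100, "parent_image": "updater_helper.exe", "suspended": True, "window_hidden": True},
    {"ts": 206, "type": "debug_attach", "debugger_pid": 5100, "target_pid": 5200},
    {"ts": 300, "type": "debug_attach", "debugger_pid": 7000, "target_pid": 4100},
]

if __name__ == "__main__":
    for alert in find_debugged_hidden_chrome(SAMPLE_EVENTS):
        print(alert)
```

Browser automation and developer tooling can also start and debug Chrome, so the parent allowlist needs tuning before a rule like this is used for alerting.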

Ongoing security arms race

Although similar concepts have circulated in security research for over a year, this is the first confirmed real-world use of such a technique. Previous mitigation efforts by Google have not stopped attackers from refining their methods.

At the time of reporting, Google has not issued a statement regarding this specific bypass.

The discovery highlights the growing sophistication of infostealers, especially those distributed through MaaS platforms, which lower the barrier for cybercriminals.

Broader cybersecurity concerns continue

The VoidStealer findings come amid a wave of new security threats across the industry.

Google recently announced a $12.5 million investment in open-source security projects aimed at combating AI-driven threats. Meanwhile, Microsoft has faced its own challenges, including a phishing campaign abusing Azure Monitor to send legitimate-looking emails.

In addition, CISA has warned that a critical SharePoint vulnerability is actively being exploited in the wild.

As attackers continue to innovate, security experts warn that both users and companies must remain vigilant, as traditional protections may no longer be enough against emerging threats.

Via Bleeping Computer
