GoKawiilAn information stealer called VoidStealer uses a new approach to bypass Chrome’s Application-Bound Encryption (ABE) and extract the master key for decrypting sensitive data stored in the browser.
The novel method is stealthier and relies on hardware breakpoints to extract the v20_master_key, used for both encryption and decryption, directly from the browser's memory, without requiring privilege escalation or code injection.
A report from Gen Digital, the parent company behind the Norton, Avast, AVG, and Avira brands, notes that this is the first case of an infostealer observed in the wild to use such a mechanism.
Google introduced ABE in Chrome 127, released in June 2024, as a new protection mechanism for cookies and other sensitive browser data. It ensures that the master key remains encrypted on disk and cannot be recovered through normal user-level access.
Decrypting the key requires the Google Chrome Elevation Service, which runs as SYSTEM, to validate the requesting process.
Overview of how ABE blocks out malware
Source: Gen Digital
However, this system has been bypassed by multiple infostealer malware families and has even been demonstrated in open-source tools. Although Google implemented fixes and improvements to block these bypasses, new malware versions reportedly continued to succeed using other methods.
“VoidStealer is the first infostealer observed in the wild adopting a novel debugger-based Application-Bound Encryption (ABE) bypass technique that leverages hardware breakpoints to extract the v20_master_key directly from browser memory,” says Vojtěch Krejsa, threat researcher at Gen Digital.
VoidStealer is a malware-as-a-service (MaaS) platform advertised on dark web forums since at least mid-December 2025. The malware introduced the new ABE bypass mechanism in version 2.0.
... continue reading