
VoidStealer Malware Bypasses Chrome ABE to Steal Master Key, Endangering Browser‑Stored Credentials

VoidStealer, a malware‑as‑a‑service, employs a novel debugger technique to extract Chrome's v20_master_key, allowing decryption of saved passwords and cookies. The method works against Chrome 127+ and Edge, posing a high‑risk data‑exfiltration threat for enterprises that rely on browser‑based authentication.

LiveThreat™ Intelligence · March 23, 2026 · Source: bleepingcomputer.com

Severity: High · Type: ThreatIntel · Confidence: High · Affected: 4 sector(s) · Actions: 4 recommended

VoidStealer Malware Bypasses Chrome ABE to Exfiltrate Master Key, Threatening Browser Data Across Enterprises

What Happened — VoidStealer, a malware‑as‑a‑service (MaaS) family, was observed using a novel debugger‑based technique to bypass Chrome’s Application‑Bound Encryption (ABE) and steal the v20_master_key from memory. The method relies on hardware breakpoints and does not require privilege escalation or code injection.

Why It Matters for TPRM

  • The stolen master key enables decryption of saved passwords, cookies, and other sensitive browser data, exposing downstream vendors and partners.
  • The technique works against Chrome 127+ and Microsoft Edge, both widely deployed in corporate environments, expanding the attack surface of any third‑party service that relies on browser‑based authentication.
  • As a MaaS offering, VoidStealer can be purchased and customized, increasing the likelihood of rapid adoption by threat actors targeting supply‑chain relationships.

Who Is Affected — Technology & SaaS providers, cloud‑hosted services, financial institutions, healthcare organizations, and any enterprise that relies on Chrome or Edge for web‑based authentication or data entry.

Recommended Actions

  • Verify that endpoint protection solutions detect and block debugger‑attachment techniques.
  • Enforce strict application control policies that prevent unsigned processes from attaching to browser binaries.
  • Rotate and re‑encrypt stored credentials and cookies; consider using hardware‑based credential vaults instead of browser storage.
  • Review third‑party risk assessments for vendors that rely on browser‑based SSO or credential capture.

Technical Notes — VoidStealer launches a hidden Chrome/Edge process in a suspended state, attaches as a debugger, sets a hardware breakpoint on a specific LEA instruction within the browser DLL, and reads the plaintext master key via ReadProcessMemory. No kernel‑level exploits are required. The technique circumvents the Google Chrome Elevation Service, which normally validates requests at SYSTEM level. Source: BleepingComputer
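
The sequence in the Technical Notes (a non-browser parent starts Chrome or Edge suspended and hidden, then attaches to that child as a debugger) can be hunted for in endpoint telemetry. The following is an added example, not code from the original report or from any vendor; the event schema, field names, the `EXPECTED_PARENTS` allow-list and the sample events are assumptions constructed for illustration.

```python
from ntpath import basename  # parses Windows paths on any OS

CREATE_SUSPENDED = 0x00000004  # Windows process-creation flag
BROWSERS = {"chrome.exe", "msedge.exe"}
# Assumption: parents that legitimately start a browser on this fleet.
EXPECTED_PARENTS = BROWSERS | {"explorer.exe"}

def find_debugged_browser_launches(events):
    """Flag Chrome/Edge processes started by an unexpected parent that
    then attaches to its own child as a debugger."""
    launched, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "process_create":
            child = basename(ev["image"]).lower()
            parent = basename(ev["parent_image"]).lower()
            if child in BROWSERS and parent not in EXPECTED_PARENTS:
                launched[ev["pid"]] = ev
        elif ev["type"] == "debug_attach":
            create = launched.get(ev["target_pid"])
            if create and create["parent_pid"] == ev["source_pid"]:
                reasons = ["debugger attached by launching process"]
                if create["creation_flags"] & CREATE_SUSPENDED:
                    reasons.append("created suspended")
                if create["window_hidden"]:
                    reasons.append("hidden window")
                alerts.append({"pid": ev["target_pid"],
                               "parent": create["parent_image"],
                               "reasons": reasons})
    return alerts

# Constructed sample events in a hypothetical normalised schema.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"ts": 1, "type": "process_create", "pid": 4100, "parent_pid": 900,
     "image": CHROME, "parent_image": r"C:\Windows\explorer.exe",
     "creation_flags": 0, "window_hidden": False},
    {"ts": 2, "type": "process_create", "pid": 5200, "parent_pid": 5000,
     "image": CHROME, "parent_image": r"C:\Users\user\AppData\Local\Temp\sample_tool.exe",
     "creation_flags": CREATE_SUSPENDED, "window_hidden": True},
    {"ts": 3, "type": "debug_attach", "source_pid": 5000, "target_pid": 5200},
    # Attach to a browser the user started normally: not flagged by this rule.
    {"ts": 4, "type": "debug_attach", "source_pid": 7000, "target_pid": 4100},
]

if __name__ == "__main__":
    for alert in find_debugged_browser_launches(SAMPLE_EVENTS):
        print(alert)
```

Tune `EXPECTED_PARENTS` to the launchers actually seen in your environment before alerting on this rule, since developer tooling and test automation also debug browsers.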

📰 Original Source
https://www.bleepingcomputer.com/news/security/voidstealer-malware-steals-chrome-master-key-via-debugger-trick/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
