A sophisticated new variant of the VoidStealer infostealer has emerged, making headlines as the first known malware to circumvent Google Chrome’s Application-Bound Encryption (ABE) without relying on invasive code injection or requiring elevated system privileges. This groundbreaking development, present in VoidStealer version 2.0 released on March 13, 2026, signals a significant evolution in credential theft tactics by utilizing a debugger-based approach to quietly extract encrypted browser credentials directly from memory.
Google introduced ABE in July 2024 with Chrome 127, intending to bolster the security of sensitive data like saved passwords and cookies. The system’s effectiveness hinges on a SYSTEM-level Google Chrome Elevation Service, which operates with the highest Windows privileges to protect the encryption key, known as the v20_master_key. Despite this robust protection, threat actors have continued to develop novel bypass methods, each presenting a unique balance between stealth and operational success.
Debugger-Based ABE Bypass Mechanism in VoidStealer
The danger posed by this VoidStealer variant stems from its exceptionally low detection footprint. Unlike many ABE bypass techniques that trigger alerts because they rely on SYSTEM privileges or inject code directly into the browser, VoidStealer’s new method leverages standard Windows debugging APIs. These APIs typically attract less scrutiny in common security environments, making the malware significantly harder to detect. The malware’s rapid development cycle, with multiple versions released in a short period, indicates ongoing, active research and refinement by its creators. GenDigital analysts have identified VoidStealer as a Malware-as-a-Service (MaaS) infostealer, first appearing on dark web forums such as HackForums in mid-December 2025.
VoidStealer version 2.0 strategically adapts techniques from the open-source ElevationKatz project. This adaptation positions VoidStealer as the pioneering infostealer observed in the wild employing this specific debugger-based bypass. Currently, the malware targets both Google Chrome and Microsoft Edge. Given the public availability of the underlying technique through ElevationKatz, cybersecurity researchers anticipate a rise in other infostealers adopting similar methods in the near future.
The core of VoidStealer’s innovative bypass mechanism involves attaching itself to the target browser process as a debugger. It then sets hardware breakpoints at the point in the browser’s code where the v20_master_key is momentarily accessible in plaintext within the process’s memory. The process begins by launching a browser instance using the CreateProcessW function, employing flags such as SW_HIDE and CREATE_SUSPENDED. Immediately after suspension, the malware resumes the process and attaches itself as a debugger using the DebugActiveProcess API. This allows VoidStealer to monitor the browser’s memory space without altering the browser’s code.
VoidStealer then enters a debugging loop, actively listening for debug events via the WaitForDebugEvent function. This loop meticulously tracks each Dynamic Link Library (DLL) as it is loaded into the browser’s allocated memory. Once the critical DLLs, such as chrome.dll or msedge.dll, are loaded, the malware employs the ReadProcessMemory function. Its objective is to scan the DLL’s .rdata section for the specific string OSCrypt.AppBoundProvider.Decrypt.ResultCode. This string marks the exact point within Chrome’s code where the v20_master_key is briefly exposed in plain text.
Following the identification of this string, VoidStealer proceeds to scan the .text section of the DLL to pinpoint the associated LEA instruction. This instruction’s address serves as the precise location for setting the hardware breakpoint. The malware then utilizes the SetThreadContext function to write to the DR0 and DR7 debug registers across all browser threads. Crucially, this action achieves the breakpoint placement without modifying the browser’s actual memory contents. When the hardware breakpoint is triggered, the R15 register on Chrome or the R14 register on Edge will contain a direct pointer to the v20_master_key. VoidStealer then successfully extracts this sensitive key using just two subsequent ReadProcessMemory calls.
Security professionals should treat any process that autonomously attaches a debugger to a browser as a significant security risk, since legitimate applications rarely do so. Effective detection strategies include monitoring for unauthorized browser memory reads by third-party processes, flagging browser instances launched with hidden or headless flags, and alerting on unexpected DebugActiveProcess calls targeting browser applications. The identified indicator of compromise for VoidStealer v2.0 is the SHA256 hash: f783fde5cf7930e4b3054393efadd3675b505cbef8e9d7ae58aa35b435adeea4. The ongoing evolution of such bypass techniques highlights the continuous cat-and-mouse game between malware developers and cybersecurity defenders, necessitating ongoing vigilance and adaptation of security measures.
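As an added illustration of the three detection strategies listed above, the following Python script applies them to a constructed stream of simplified endpoint events. This is example code written for this article, not code from VoidStealer, ElevationKatz or GenDigital. The event schema, the sample file paths and the allowlist of legitimate debugger images are assumptions chosen for the demonstration; the Win32 constants PROCESS_VM_READ, CREATE_SUSPENDED and SW_HIDE are documented values.

```python
from dataclasses import dataclass
from typing import List, Optional

# Browser images the article names as targets (hosts of chrome.dll / msedge.dll).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe"}

# Assumed allowlist of tooling that may legitimately attach to a browser; tune per environment.
ALLOWED_DEBUGGERS = {"windbg.exe", "devenv.exe"}

# Documented Win32 constants.
PROCESS_VM_READ = 0x0010       # OpenProcess access right required by ReadProcessMemory
CREATE_SUSPENDED = 0x00000004  # CreateProcessW dwCreationFlags bit
SW_HIDE = 0                    # STARTUPINFO.wShowWindow value for a hidden window


@dataclass
class Event:
    """One simplified endpoint-telemetry record (constructed schema, not Sysmon or ETW)."""
    kind: str                       # "process_create", "process_access" or "debug_attach"
    source_image: str               # acting process: parent, debugger or memory reader
    target_image: str               # process being created, debugged or read
    command_line: str = ""
    creation_flags: int = 0
    show_window: Optional[int] = None
    granted_access: int = 0


def image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_browser(path: str) -> bool:
    return image_name(path) in BROWSER_IMAGES


def detect(events: List[Event]) -> List[dict]:
    """Apply the three heuristics from the article and return one alert dict per hit."""
    alerts = []
    for ev in events:
        # Only non-browser processes acting on a browser are interesting; a browser
        # managing its own child processes (renderers, GPU process) is expected.
        if not is_browser(ev.target_image) or is_browser(ev.source_image):
            continue
        actor = image_name(ev.source_image)

        if ev.kind == "debug_attach" and actor not in ALLOWED_DEBUGGERS:
            alerts.append({"rule": "debugger_attached_to_browser",
                           "source": ev.source_image, "target": ev.target_image})

        elif ev.kind == "process_create":
            reasons = []
            if ev.creation_flags & CREATE_SUSPENDED:
                reasons.append("CREATE_SUSPENDED")
            if ev.show_window == SW_HIDE:
                reasons.append("SW_HIDE")
            if "--headless" in ev.command_line.lower():
                reasons.append("--headless")
            if reasons:
                alerts.append({"rule": "hidden_or_suspended_browser_launch",
                               "source": ev.source_image, "target": ev.target_image,
                               "reasons": reasons})

        elif ev.kind == "process_access" and ev.granted_access & PROCESS_VM_READ:
            alerts.append({"rule": "browser_memory_read",
                           "source": ev.source_image, "target": ev.target_image,
                           "granted_access": hex(ev.granted_access)})
    return alerts


# Constructed sample telemetry; the paths and the "stealer.exe" name are placeholders,
# not indicators from the VoidStealer samples.
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SUSPECT = r"C:\Users\user\AppData\Local\Temp\stealer.exe"

SAMPLE_EVENTS = [
    # Benign: user opens Chrome from Explorer with a normally shown window.
    Event("process_create", r"C:\Windows\explorer.exe", CHROME,
          command_line='"chrome.exe" https://example.com', show_window=1),
    # Benign: Chrome spawns its own renderer suspended; excluded by the browser-parent rule.
    Event("process_create", CHROME, CHROME,
          command_line="chrome.exe --type=renderer", creation_flags=CREATE_SUSPENDED),
    # Benign: an allowlisted debugger attaches during development work.
    Event("debug_attach", r"C:\Tools\windbg.exe", CHROME),
    # Suspicious chain modelled on the behaviour described in the article.
    Event("process_create", SUSPECT, CHROME, command_line='"chrome.exe"',
          creation_flags=CREATE_SUSPENDED, show_window=SW_HIDE),
    Event("debug_attach", SUSPECT, CHROME),
    Event("process_access", SUSPECT, CHROME, granted_access=0x1410),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Run stand-alone, the script prints three alerts for the suspicious chain and none for the benign events. In a real deployment the same logic would sit on process-creation, process-access and debugger-attach telemetry from an EDR or ETW provider, and the allowlist would be populated from the environment's known developer tooling.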