The first infostealer to bypass ABE using hardware breakpoints to extract the v20_master_key from browser memory is here.

Khushal
Apr 4, 2024
  • VoidStealer is the first infostealer observed in the wild adopting a novel debugger-based Application-Bound Encryption (ABE) bypass technique that leverages hardware breakpoints to extract the v20_master_key directly from browser memory.
  • The bypass requires neither privilege escalation nor code injection, making it a stealthier approach compared to alternative ABE bypass methods.
 
That is a notable development, but it is important to keep the claim in context.

What the report is saying

According to Gen Digital’s write-up, the malware uses a debugger-based method with hardware breakpoints to capture the browser’s v20_master_key from memory after Chrome’s newer Application-Bound Encryption protections are in place.

If that description is accurate, the interesting part is not that ABE is “broken” in a universal sense, but that an infostealer found a way to extract the key at runtime from the user context without relying on the more obvious approaches such as direct code injection or admin-level privilege escalation.

Why that matters

  • It shows that raising the protection level around stored browser secrets does not eliminate theft risk once malware is already running on the system.
  • A memory/runtime attack can bypass protections that are effective against simpler grab-and-decrypt methods.
  • Avoiding code injection may reduce some behavioral detections, depending on the security product and its telemetry.

What it does not mean

  • It does not mean all ABE-protected data is trivially exposed.
  • It does not mean every stealer now has this capability.
  • It does not mean browser encryption is useless; it still increases the cost and complexity for attackers.

Practical takeaway

For defenders, the main lesson is the same one seen repeatedly with infostealers: once malware executes under the user’s session, browser-stored credentials, cookies, and tokens are at much higher risk regardless of how well they are protected at rest.

That shifts the focus toward preventing initial execution and detecting suspicious runtime behavior, for example:

  • Strong exploit and script-based attack prevention
  • Good behavior monitoring / EDR-style detection
  • Reducing credential and session-token exposure in browsers where possible
  • Using MFA, while remembering that session theft can still weaken its benefit

Bottom line

If the vendor analysis holds up, this is a meaningful evolution in infostealer tradecraft because it targets the key during use rather than trying to defeat storage protection directly. The broader security message is that endpoint compromise remains the real problem, and browser encryption alone cannot compensate for malware already running on the machine.

Source
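The "behavior monitoring / EDR-style detection" item above is where a defender can actually act on this report: a user-mode debugger that wants to read the browser's memory must first open a handle to the browser process with memory-access rights, and that handle open is telemetry most endpoint sensors already produce. The following is an added example, not code from the thread, from Gen Digital, or from any vendor product. It assumes flattened records carrying the Sysmon Event ID 10 (ProcessAccess) field names SourceImage, TargetImage and GrantedAccess; the sample records, the user paths and the `ExampleEDR` allowlist path are all constructed placeholders. The access-right constants are the documented winnt.h values.

```python
"""Flag non-browser processes that obtain memory-access rights to a browser.

Added example (not from the thread or the vendor write-up). Records are
modelled on Sysmon Event ID 10 fields; sample data below is constructed.
"""
from dataclasses import dataclass
import ntpath

# Documented Windows process access rights (winnt.h)
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

# Rights a user-mode debugger needs to read, inspect and patch a target's memory
DEBUGGER_LIKE_MASK = PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION

# Browser image names; a browser's own helper processes open each other constantly
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}

# Tools expected to read browser memory (constructed placeholder path; replace
# with the security tooling actually deployed on the estate)
ALLOWLIST_SOURCES = {r"c:\program files\exampleedr\sensor.exe"}


@dataclass
class ProcessAccessEvent:
    source_image: str
    target_image: str
    granted_access: int


def parse_event(line: str) -> ProcessAccessEvent:
    """Parse a '|'-separated key=value record using the Sysmon EID 10 field names."""
    fields = {}
    for token in line.split("|"):
        key, _, value = token.partition("=")
        fields[key.strip()] = value.strip()
    return ProcessAccessEvent(
        source_image=fields["SourceImage"],
        target_image=fields["TargetImage"],
        granted_access=int(fields["GrantedAccess"], 16),
    )


def classify(ev: ProcessAccessEvent):
    """Return a finding string for debugger-like access to a browser, else None."""
    target = ntpath.basename(ev.target_image).lower()
    source = ntpath.basename(ev.source_image).lower()
    if target not in BROWSER_IMAGES:
        return None
    if source in BROWSER_IMAGES:
        return None  # browser process tree talking to itself: expected
    if ev.source_image.lower() in ALLOWLIST_SOURCES:
        return None  # known security tooling
    rights = ev.granted_access & DEBUGGER_LIKE_MASK
    if not rights:
        return None  # e.g. PROCESS_QUERY_LIMITED_INFORMATION only
    names = [
        name for name, value in (
            ("VM_READ", PROCESS_VM_READ),
            ("VM_WRITE", PROCESS_VM_WRITE),
            ("VM_OPERATION", PROCESS_VM_OPERATION),
        ) if rights & value
    ]
    return f"{source} -> {target} with {'|'.join(names)} (0x{ev.granted_access:x})"


def find_suspicious(lines):
    """Run classify() over raw records and keep only the findings."""
    return [hit for hit in (classify(parse_event(l)) for l in lines if l.strip()) if hit]


# Constructed sample telemetry: one benign browser-to-browser open, one
# Explorer query, one allowlisted sensor, two suspicious opens from user-writable
# paths, and one open against a non-browser target.
SAMPLE_EVENTS = [
    r"SourceImage=C:\Program Files\Google\Chrome\Application\chrome.exe|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe|GrantedAccess=0x1FFFFF",
    r"SourceImage=C:\Windows\explorer.exe|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe|GrantedAccess=0x1000",
    r"SourceImage=C:\Program Files\ExampleEDR\sensor.exe|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe|GrantedAccess=0x1010",
    r"SourceImage=C:\Users\alice\AppData\Local\Temp\setup_update.exe|TargetImage=C:\Program Files\Google\Chrome\Application\chrome.exe|GrantedAccess=0x1F0FFF",
    r"SourceImage=C:\Users\alice\Downloads\crack.exe|TargetImage=C:\Program Files\Microsoft\Edge\Application\msedge.exe|GrantedAccess=0x1410",
    r"SourceImage=C:\Users\alice\Downloads\crack.exe|TargetImage=C:\Windows\notepad.exe|GrantedAccess=0x1F0FFF",
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_EVENTS):
        print("SUSPICIOUS:", finding)
```

Two caveats for anyone turning this into a production rule. First, a process-handle event is only half the picture: setting hardware breakpoints also needs thread handles with context rights, which Sysmon EID 10 does not record, so this is one signal to correlate, not a verdict. Second, crash reporters, accessibility software and screen readers legitimately open browsers with memory-read rights, so the allowlist has to be built from the estate's own baseline before alerting on every hit.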
So @Bot, besides your Practical takeaway list, what does this mean for the average, home user? What is the exploit path, an extension, a visited website? What do we as home users need to be aware of, on guard for?

edit: thank you, Gemini.

What it means for you

For a home user, this means that the built-in security Chrome and Edge recently added to protect your data is no longer a "silver bullet." If this malware gets onto your system, it can steal your saved login credentials and—even more dangerously—your active session cookies. These cookies allow a hacker to bypass your 2FA (Two-Factor Authentication) and log into your accounts because the cookie tells the website you are already logged in.

The Exploit Path: How it gets to you

It is important to understand that this is not an exploit triggered simply by visiting a website or installing a browser extension.

  1. The Infection: The primary exploit path is through a malicious file you download and run. This usually happens via "malvertising" (fake download buttons for software), cracked software (torrents), or phishing email attachments.
 

🛡️ VoidStealer: What does this mean for you?

In simple terms: this malware has found a way to "look over Chrome's shoulder" to steal the master key that protects your passwords and sessions.

How does it affect you?

  • It doesn't break the vault; it spies on the key: Even though Chrome encrypts your data, if the malware manages to run on your PC, it can extract your keys directly from memory.
  • Your browser is not a bunker: Once the malware is inside your system, the browser's internal protections lose much of their effectiveness.

✅ Daily Security Mini-Checklist:

  1. Digital Hygiene: Avoid "cracked" software or suspicious files; this is the #1 entry point for these infostealers.
  2. External Managers: Consider using tools like Bitwarden or 1Password instead of saving everything in the browser.
  3. Robust MFA: Always enable two-factor authentication (preferably via an app) on your critical accounts.
  4. Cleanup Ritual: Regularly review your browser extensions and run a quick scan with your antivirus.

Bottom line: Chrome isn't "broken," but this attack proves that browser security completely depends on keeping your operating system clean. Use common sense and be wary of shady downloads!🛡️🔑💻
And according to Gemini, and your #1, this is one of the things I was wondering about. I maybe missed that in the article, and in the previous posts by the members :) Your post @Halp2001 was the more helpful, useful one, IMO. Thank you :)

@Jonny Quest

VoidStealer operates as a compiled executable that requires host-level execution privileges to utilize Windows debugging APIs. It cannot natively execute its Application-Bound Encryption (ABE) bypass solely through a "visited website" or a malicious "extension" due to browser sandboxing constraints.

For the average home user, the exploit path relies entirely on social engineering. The user must actively download and run a malicious file for the stealer to infect the system and extract session data.
 
Thank you all for your replies; once I understand it as more than just the "fear" aspect of the article, it helps me understand my part in it. That in this case (and most others), the "happy clicker and ticker" is more susceptible to this kind of exploit.