A new information stealer called VoidStealer uses a debugger-based technique to bypass Google Chrome’s Application-Bound Encryption (ABE) and extract the browser’s v20_master_key from memory, researchers at Gen Digital note in a blog post.
Google introduced ABE in Chrome 127 to keep the master key encrypted on disk and require the Google Chrome Elevation Service, which runs as SYSTEM, to validate requests for decryption. The protection was intended to prevent normal user-level processes from recovering keys used for cookies and other sensitive data.
VoidStealer’s method does not rely on privilege escalation or code injection, and instead leverages hardware breakpoints. The malware starts a suspended, hidden browser process, attaches to it as a debugger, waits for the target browser DLL to load, scans for a specific string and the LEA instruction that references it, then sets breakpoints on browser threads. When the breakpoint triggers during startup, the malware reads a register containing a pointer to the plaintext v20_master_key and extracts it with ReadProcessMemory.
Gen Digital’s analysis says the implementation appears to draw on an open-source project: the technique resembles the ElevationKatz component of the ChromeKatz cookie-dumping toolset, though researchers note differences in the code.
VoidStealer has been advertised as malware-as-a-service on dark web forums since at least mid-December 2025; the ABE bypass was introduced in version 2.0.
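
A defender-side triage sketch for the behaviour described above, where a process starts the browser itself and then reads its memory with ReadProcessMemory. This is an added example, not code from Gen Digital or from the malware. The events are constructed, with fields modelled on Sysmon Event ID 1 and Event ID 10, and the parent allowlist and sample paths are assumptions.

```python
# Added example: the events below are constructed, with fields modelled on
# Sysmon Event ID 1 (process creation) and Event ID 10 (ProcessAccess).
PROCESS_VM_READ = 0x0010  # access right required by ReadProcessMemory
BROWSERS = {"chrome.exe"}
# Assumption: the only parents expected to start the browser on this host.
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe"}
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "Image": CHROME,
     "ParentProcessId": 1200, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 10, "SourceProcessId": 1200, "TargetProcessId": 4100,
     "GrantedAccess": "0x1FFFFF"},   # expected parent: not tracked
    {"EventID": 1, "ProcessId": 7444, "Image": CHROME,
     "ParentProcessId": 7300, "ParentImage": r"C:\Users\Public\updater.exe"},
    {"EventID": 10, "SourceProcessId": 900, "TargetProcessId": 7444,
     "GrantedAccess": "0x1000"},     # third party, no memory-read right
    {"EventID": 10, "SourceProcessId": 7300, "TargetProcessId": 7444,
     "GrantedAccess": "0x1FFFFF"},   # unexpected parent, read-capable handle
]

def name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_parent_reads(events):
    """Flag browsers started by an unexpected parent that then holds a
    memory-read-capable handle to the browser it started."""
    watched = {}  # browser PID -> (parent PID, parent image)
    alerts = []
    for ev in events:
        if ev["EventID"] == 1 and name(ev["Image"]) in BROWSERS:
            if name(ev["ParentImage"]) not in EXPECTED_PARENTS:
                watched[ev["ProcessId"]] = (ev["ParentProcessId"], ev["ParentImage"])
        elif ev["EventID"] == 10 and ev["TargetProcessId"] in watched:
            parent_pid, parent_image = watched[ev["TargetProcessId"]]
            access = int(ev["GrantedAccess"], 16)
            if ev["SourceProcessId"] == parent_pid and access & PROCESS_VM_READ:
                alerts.append({"browser_pid": ev["TargetProcessId"],
                               "parent_pid": parent_pid,
                               "parent_image": parent_image,
                               "granted_access": hex(access)})
    return alerts

if __name__ == "__main__":
    for alert in find_parent_reads(SAMPLE_EVENTS):
        print(alert)
```

A granted-access mask shows that the handle permits memory reads, not that a read took place, so hits are leads for triage rather than confirmed key theft.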

