{"id":24045,"date":"2026-04-14T16:07:00","date_gmt":"2026-04-14T09:07:00","guid":{"rendered":"https:\/\/fpt-is.com\/en\/?post_type=goc_nhin_so&p=24045"},"modified":"2026-04-14T16:20:35","modified_gmt":"2026-04-14T09:20:35","slug":"no-hacking-or-admin-rights-needed-how-voidstealer-steals-chrome","status":"publish","type":"goc_nhin_so","link":"https:\/\/fpt-is.com\/en\/insights\/no-hacking-or-admin-rights-needed-how-voidstealer-steals-chrome\/","title":{"rendered":"No hacking or admin rights needed: How VoidStealer steals Chrome."},"content":{"rendered":"

Overview<\/span><\/h2>\n

VoidStealer is an emerging infostealer, quickly gaining attention in the cybersecurity community for its ability to bypass advanced protection mechanisms of the Chromium browser. Its main targets remain familiar: stealing login information, cookies, and sessions – but its approach is entirely different. Instead of using traditional techniques like injection or privilege escalation (which are easily detected), VoidStealer employs a more sophisticated approach: exploiting the legitimate debugger mechanism of the operating system to collect data at the moment it is decrypted in memory. Notably, this technique does not break the Application-Bound Encryption (ABE) but “circumvents” it – exploiting the brief moment when data exists in plaintext in RAM. This helps the malware minimize traces, operate more stealthily, and evade detection by security solutions.<\/span><\/p>\n

What is VoidStealer?<\/span><\/h2>\n

VoidStealer is a type of infostealer\u00a0Malware-as-a-Service (MaaS)<\/strong>\u00a0that emerged in late 2025 and quickly became one of the most notable threats in the cybercrime ecosystem.<\/span><\/p>\n

\"3431e0ca<\/a><\/p>\n

Initially, VoidStealer was recognized as a “traditional” stealer, focusing on collecting data from Chromium browsers like Chrome and Edge. However, in a short time, it was significantly developed with many upgraded versions. Notably,\u00a0VoidStealer v2 (early 2026)<\/strong>\u00a0marked an important advancement by integrating a technique to bypass\u00a0Application-Bound Encryption (ABE)<\/strong>\u00a0– a new protection mechanism designed to prevent browser data theft.<\/span><\/p>\n

\"B3a5f93a<\/a><\/p>\n

What is ABE?<\/span><\/h2>\n

What is ABE?<\/span><\/h3>\n

Application-Bound Encryption (ABE) is a data protection mechanism implemented on Chromium browsers (Chrome, Edge, etc.) to prevent the theft of sensitive information like passwords, cookies, and tokens.<\/span><\/p>\n

Unlike previous mechanisms, ABE not only encrypts data but also ties decryption to the legitimate application itself. Simply put, “Having the data file doesn’t mean it can be read” or “Decryption requires the correct application and context.”<\/span><\/p>\n

\"B40330e6<\/a><\/p>\n

How ABE Works<\/span><\/h3>\n

ABE operates based on three main components: Master Key (v20), Application Binding, and Elevation Service.<\/span><\/p>\n

Browser data is encrypted using a key called the v20_master_key. This key is not stored in plaintext on disk but is protected by the system.<\/span><\/p>\n

Additionally, ABE ties decryption to the application identity (Chrome, Edge, etc.) and valid execution context. This prevents external tools from decrypting data and stops malware from directly reading SQLite files.<\/span><\/p>\n

\"B79c38c3<\/a><\/p>\n

To decrypt data, the browser must call a special service (running with elevated privileges). This service checks the caller and only allows valid requests.<\/span><\/p>\n

\"E21dcd48<\/a><\/p>\n

Weakness (exploited by VoidStealer)<\/span><\/h3>\n

Despite its outstanding advantages, ABE still has a core weakness: runtime exposure. When the browser is running, data must be decrypted in RAM, meaning the key exists in plaintext (for a short time).<\/span><\/p>\n

Additionally, this ABE mechanism does not protect against legitimate debuggers. While ABE secures data during storage, it doesn’t control processes being debugged. This is the main point exploited by VoidStealer: attach a debugger, wait for the right moment, and extract the key from the register.<\/span><\/p>\n

\"C289c92a<\/a><\/p>\n

Technical details<\/span><\/h2>\n

\"34c3e05d<\/a><\/p>\n

The problem that malware must solve<\/span><\/h3>\n

First, as mentioned, browsers like Chrome or Edge store information such as passwords and cookies, but everything is encrypted using ABE. To read the data, an attacker would need the “master key” (v20_master_key). The issue here is that this key is not stored in plaintext and only appears when the browser needs it. This almost renders traditional malware ineffective, but VoidStealer says NO.<\/span><\/p>\n

VoidStealer’s incredibly clever idea<\/span><\/h3>\n

Instead of trying to crack the code or hack the system, VoidStealer chooses to wait for the browser to decrypt itself and then steal the key. This is the most important idea in the entire technique.<\/span><\/p>\n

How VoidStealer Works<\/span><\/h3>\n

\"04d19f8b<\/a><\/p>\n

First, the malware will open Chrome by itself, but it will hide the window or run in the background so the user doesn’t notice anything. Next, the malware will attach a debugger to the browser. Since a debugger is a legitimate tool, it can bypass protection mechanisms.<\/span><\/p>\n

\"Open<\/a><\/p>\n

 <\/p>\n

Here, once the malware is dormant in the system, it will watch and wait for Chrome to load data. When Chrome reads cookies or passwords, it will decrypt them and the key will appear in RAM. Then the malware finds the exact location in the code where the key appears and sets a “breakpoint” there. When the browser reaches that point, it will stop.<\/span><\/p>\n

\"5ddf8bdf<\/a><\/p>\n

Then, VoidStealer will directly read the key value in the register\/memory without needing further hacking.<\/span><\/p>\n

\"\"<\/span><\/p>\n

\"9bfc0ef7<\/a><\/p>\n

Finally, the attacker uses the key to decrypt passwords, cookies, and even sessions. At this point, the attack is complete.<\/span><\/p>\n

Conclusion<\/span><\/h2>\n

VoidStealer is not just a new infostealer; it clearly indicates how attack methods in the malware world are changing. Instead of breaking through protective layers as before, VoidStealer takes a more sophisticated approach: exploiting the system’s legitimate mechanisms to bypass security. This poses a significant challenge for both users and security solutions, as the line between legitimate and malicious behavior becomes increasingly blurred. In this context, defense is no longer just a matter of technology but also awareness and usage habits. Simple actions like controlling download sources, protecting accounts, and being alert to unusual signs are the most effective defenses against sophisticated threats like VoidStealer.<\/span><\/p>\n

Recommendations<\/span><\/h2>\n

Protect your account (top priority)<\/strong><\/span><\/p>\n