A new infostealer called VoidStealer is drawing security attention after researchers said it can pull Chrome’s master key from memory without code injection or elevated privileges. Experts say it is the first infostealer observed in the wild to use this debugger-based method against Chrome’s Application-Bound Encryption (ABE), a protection Google introduced in Chrome 127 to make stolen browser data harder to unlock.
What is VoidStealer?
VoidStealer Malware in Chrome targets Chromium-based browsers such as Google Chrome and Microsoft Edge, and researchers say it is marketed as a malware-as-a-service tool on dark web forums.
Gen Digital traced VoidStealer’s development back to mid-December 2025 and said version 2.0, reported on March 13, 2026, introduced the new ABE bypass.
How Does VoidStealer Malware in Chrome Work?
Instead of injecting code into the browser, VoidStealer opens a suspended and hidden browser process, attaches as a debugger, then waits for the browser DLL to load.
Once Chrome or Edge begins decrypting protected data, the malware uses hardware breakpoints to catch the moment the v20_master_key appears in plaintext in memory, then reads it out with ReadProcessMemory. That key can then be used to unlock browser secrets.
How Do Users Stay Safe?
- Update Chrome quickly: Google’s security guidance repeatedly warns that updates are part of Chrome’s built-in defenses.
- Run Safety Check: On Android, Chrome can flag weak or compromised passwords, risky permissions, unwanted notifications, and available updates.
- Keep Safe Browsing on: Google says it helps protect against malware and phishing.
- Use secure connections: Chrome recommends enabling “Always use secure connections,” so HTTPS-only browsing is easier to enforce.
- Treat downloads with care: Google’s security blog says infostealer malware remains a real threat, so avoid running unknown files, especially on Windows systems, where browser secrets are a target.
Google designed ABE to tie encrypted browser data to app identity and to make theft harder for infostealers that run as the logged-in user. The system forces attackers to do something more suspicious, such as gaining system privileges or injecting into Chrome, which should be easier to spot.
SecureITWorld covers and evaluates every major shift in the tech and cybersecurity world. Check out our news section for the latest tech updates!
Also Read:
Google Chrome Zero Day Vulnerability: All You Need to Know About
