VoidStealer Debugging Chrome for Data Theft
AlienVault’s March 20, 2026 threat report, VoidStealer: Debugging Chrome to Steal Its Secrets, exposes a novel infostealer that extracts Chrome’s Application‑Bound Encryption key using a debugger‑based hardware breakpoint technique. The method bypasses the need for privilege escalation or code injection, delivering a stealthy attack vector that can evade traditional detection heuristics.
Executive Summary
VoidStealer represents the first malware discovered in the wild to adopt the ElevationKatz‑derived debugger‑based ABE bypass. By attaching to Chrome or Edge as a debugger, the malware sets a hardware breakpoint at a carefully chosen instruction that references the v20_master_key. When the breakpoint triggers, the key is captured from memory while it is briefly present in plaintext. The entire operation is performed without writing to the browser’s address space and without requiring SYSTEM privileges, resulting in a minimal footprint.
Actor & Version Timeline
VoidStealer is sold as Malware‑as‑a‑Service on dark‑web forums from December 2025 onward. The major releases are:
- v1.0 – Dec 12 2025
- v1.1 – Jan 16 2026
- v1.2 – Jan 19 2026
- v1.3 – Feb 3 2026
- v1.4 – Feb 4 2026
- v1.5 – Feb 22 2026
- v1.6 – Mar 3 2026
- v1.7 – Mar 9 2026
- v1.8 – Mar 10 2026
- v1.9 – Mar 10 2026
- v2.0 – Mar 13 2026 (introduces ABE bypass)
- v2.1 – Mar 18 2026
Technical Deep Dive
Application‑Bound Encryption Mechanics
Chrome protects stored passwords and cookies with ABE, encrypting data with a key known as v20_master_key. The key is persisted encrypted in the JSON field "os_crypt"["app_bound_encrypted_key"] within %LOCALAPPDATA%\Google\Chrome\User Data\Local State. Decryption is performed by the Google Chrome Elevation Service (elevation_service.exe) running as SYSTEM, exposing a COM interface IElevator::Decrypt(). The service validates the caller as Chrome before returning the plaintext key, which is only present in memory for a few milliseconds during decryption.
Legacy Bypass Techniques
Earlier infostealers relied on:
- Process injection to invoke
IElevator::Decrypt()from within the browser context. - Running with SYSTEM privileges to decrypt the key outside the browser.
Both approaches generate significant noise and are readily detected by modern EDR platforms.
Debugger‑Based Hardware Breakpoint Method
VoidStealer’s approach eliminates the need for injection or SYSTEM rights by:
- Launching Chrome/Edge with
CreateProcessW,CREATE_SUSPENDED, andSW_HIDE. - Resuming the main thread and attaching a debugger via
DebugActiveProcess. - Waiting for
LOAD_DLL_DEBUG_EVENTto locatechrome.dllormsedge.dll. - Scanning the
.rdatasection for the stringOSCryt.AppBoundProvider.Decrypt.ResultCode, which is referenced immediately after the call toos_crypt::DecryptAppBoundString. - Identifying the LEA instruction that references this string and calculating the exact address where the key resides.
- Setting a hardware breakpoint at that address across all browser threads by configuring the thread context registers (
DR0,DR7) viaNtGetNextThread. - When the breakpoint triggers—typically during the browser’s startup cookie decryption—the malware reads the
v20_master_keyfrom memory usingReadProcessMemory.
Hardware breakpoints avoid modifying the browser’s memory, keeping the operation silent and undetectable by many monitoring tools.
Detection and Mitigation
Key indicators for this threat include:
- Automated debugger attachment to Chrome/Edge without user initiation.
- Suspicious
DebugActiveProcesscalls targeting a browser process. - Frequent
ReadProcessMemoryoperations on Chrome/Edge memory, especially during startup. - Browser execution with
SW_HIDEor in headless mode.
Recommended mitigations:
- Enforce strict process integrity policies that block or alert on automated debugger attachments to browser processes.
- Enable memory‑read auditing for Chrome/Edge and log all
ReadProcessMemorycalls. - Implement a browser launch policy that permits only whitelisted parameters and disallows hidden or headless launches.
- Deploy EDR solutions capable of detecting hardware breakpoint usage and suspicious debug events.
- Consider disabling ABE if not required or tightening the elevation service’s COM interface to restrict access.
Future Outlook
The success of VoidStealer underscores that Application‑Bound Encryption, while elevating security, can still be circumvented by low‑footprint techniques. As more infostealers adopt the debugger‑based ABE bypass, security teams must evolve their monitoring to detect debugger activity, hardware breakpoints, and anomalous memory reads. Continuous threat intelligence updates and proactive EDR tuning will be essential to stay ahead of this evolving landscape.
For further details, review the original AlienVault Pulse: hxxps://otx[.]alienvault[.]com/pulse/69bd18a56a2163e596b86133 and the Gen Digital blog post: hxxps://www[.]gendigital[.]com/blog/insights/research/voidstealer-abe-bypass.

