VoidStealer Malware Cracks Chrome’s Master Encryption Key with Novel Hardware Breakpoint Technique

An information stealer called VoidStealer employs a novel technique to bypass Chrome’s Application-Bound Encryption (ABE) and extract the master key needed to decrypt sensitive data stored in the browser.

This sophisticated method utilizes hardware breakpoints to obtain the v20_master_key—the encryption and decryption key—directly from the browser’s memory. Notably, it accomplishes this without requiring privilege escalation or code injection.

According to a report from Gen Digital, the parent company of Norton, Avast, AVG, and Avira, this marks the first documented case of an infostealer in the wild employing such a technique.

Google launched ABE in Chrome 127, released in June 2024, as a security measure designed to protect cookies and other sensitive browser data. The system keeps the master key encrypted on disk, preventing recovery through standard user-level access.

To decrypt the key, the Google Chrome Elevation Service, which operates at the SYSTEM privilege level, must validate the requesting process.

Overview of how ABE blocks out malware
Overview of how ABE blocks out malware
Source: Gen Digital

Despite its design, multiple infostealer malware families have successfully circumvented this protection, with techniques even demonstrated in publicly available tools. While Google has released patches and enhancements to address these bypasses, newer malware variants have continued to succeed through alternative methods.

“VoidStealer represents the first infostealer documented in the wild that employs a cutting-edge debugger-based Application-Bound Encryption bypass leveraging hardware breakpoints to extract the v20_master_key directly from browser memory,” explains Vojtěch Krejsa, a threat researcher at Gen Digital.

VoidStealer operates as a malware-as-a-service (MaaS) platform that has been promoted on dark web forums since mid-December 2025. Version 2.0 introduced the innovative ABE bypass mechanism.

Cybercriminals announcing ABE bypass in version 2.0
Cybercriminals advertising ABE bypass in VoidStealer version 2.0
Source: Gen Digital

Stealing the master key

VoidStealer’s method for extracting the master key targets a brief window when Chrome’s v20_master_key exists unencrypted in memory during decryption operations.

The malware launches a suspended, hidden browser process and attaches itself as a debugger, then waits for the target browser DLL (chrome.dll or msedge.dll) to be loaded into memory.

Once loaded, it searches the DLL for a specific string and the LEA instruction referencing it, then uses that instruction’s address as the location for a hardware breakpoint.

VoidStealer's target string
VoidStealer’s target string
Source: Gen Digital

The malware then applies this breakpoint to all existing and newly created browser threads. When the breakpoint triggers during startup as the browser decrypts protected data, it reads the register containing a pointer to the plaintext v20_master_key and retrieves it using ‘ReadProcessMemory.’

Gen Digital notes that the optimal timing for this attack is during browser startup, when ABE-protected cookies are loaded early, triggering decryption of the master key.

The researchers indicate that VoidStealer likely adapted this technique from the open-source project ‘ElevationKatz,’ which is part of the ChromeKatz cookie-extraction toolkit designed to expose Chrome vulnerabilities.

While the implementations differ in some respects, VoidStealer’s approach appears to be derived from ElevationKatz, which has been publicly available for over a year.

Related Articles

Back to top button