VoidStealer infostealer implements hardware breakpoint technique to extract Chrome v20_master_key
Summary
Hide ▲
Show ▼
A new infostealer malware named VoidStealer has been observed in the wild using a novel hardware breakpoint-based technique to bypass Chrome’s Application-Bound Encryption (ABE) and extract the v20_master_key directly from browser memory. The malware leverages a suspended Chrome process, attaches as a debugger, and sets hardware breakpoints on specific DLL instructions to capture the plaintext master key during browser startup decryption operations. This method does not require privilege escalation or code injection, making it stealthier than prior bypasses. VoidStealer, offered as malware-as-a-service since at least December 2025, is the first infostealer confirmed to use this technique in the wild, though it appears to be derived from the open-source ChromeKatz toolset ElevationKatz.
Timeline
-
22.03.2026 16:32 1 articles · 2h ago
VoidStealer infostealer introduces hardware breakpoint-based ABE bypass to extract Chrome v20_master_key
VoidStealer, a malware-as-a-service infostealer active since at least December 2025, now implements a hardware breakpoint technique to bypass Chrome’s Application-Bound Encryption (ABE) and extract the v20_master_key directly from memory. The malware uses a suspended and debugged Chrome process to set hardware breakpoints on specific DLL instructions, waiting for the plaintext master key to appear during browser startup decryption operations. The extracted key enables decryption of locally stored sensitive browser data without requiring privilege escalation or code injection. This method, derived from the open-source ElevationKatz project, marks the first confirmed in-the-wild use of such a debugger-based ABE bypass by an infostealer.
Show sources
- VoidStealer malware steals Chrome master key via debugger trick — www.bleepingcomputer.com — 22.03.2026 16:32
Information Snippets
-
VoidStealer extracts the Chrome v20_master_key from memory using hardware breakpoints set via a debugged Chrome process, without requiring privilege escalation or code injection.
First reported: 22.03.2026 16:321 source, 1 articleShow sources
- VoidStealer malware steals Chrome master key via debugger trick — www.bleepingcomputer.com — 22.03.2026 16:32
-
The technique targets Chrome’s Application-Bound Encryption (ABE), introduced in Chrome 127 (June 2024), which encrypts the master key on disk and requires validation via the Google Chrome Elevation Service running as SYSTEM to decrypt.
First reported: 22.03.2026 16:321 source, 1 articleShow sources
- VoidStealer malware steals Chrome master key via debugger trick — www.bleepingcomputer.com — 22.03.2026 16:32
-
VoidStealer initiates a suspended and hidden Chrome process, attaches as a debugger, sets hardware breakpoints on chrome.dll or msedge.dll instructions related to v20_master_key decryption, and extracts the key via ReadProcessMemory during startup.
First reported: 22.03.2026 16:321 source, 1 articleShow sources
- VoidStealer malware steals Chrome master key via debugger trick — www.bleepingcomputer.com — 22.03.2026 16:32
-
VoidStealer is distributed as malware-as-a-service (MaaS) and first introduced the ABE bypass mechanism in version 2.0, advertised on dark web forums since at least mid-December 2025.
First reported: 22.03.2026 16:321 source, 1 articleShow sources
- VoidStealer malware steals Chrome master key via debugger trick — www.bleepingcomputer.com — 22.03.2026 16:32
-
The hardware breakpoint technique used by VoidStealer appears to be derived from the open-source project ElevationKatz, part of the ChromeKatz toolset, which has been available for more than a year.
First reported: 22.03.2026 16:321 source, 1 articleShow sources
- VoidStealer malware steals Chrome master key via debugger trick — www.bleepingcomputer.com — 22.03.2026 16:32