VoidStealer v2.0 - a Malware-as-a-Service infostealer sold on dark web forums since mid-December 2025 - became the first infostealer observed in the wild to bypass Google Chrome's Application-Bound Encryption (ABE) without code injection or privilege escalation.
The technique, disclosed by Gen Digital threat researcher Vojtech Krejsa on March 19, 2026, uses hardware breakpoints placed in CPU debug registers to intercept Chrome's v20_master_key at the exact moment it exists in plaintext during the os_crypt::DecryptAppBoundString execution flow.
With that single key, VoidStealer decrypts every saved password, cookie, session token, autofill entry, and payment card stored in the browser.
Unlike the nine stealer families that SpyCloud had documented bypassing ABE by September 2024, the first of them within 45 days of its July 2024 release - all of which required code injection, privilege escalation to SYSTEM, or activation of the remote debugging port - VoidStealer's approach writes zero bytes to browser memory and needs no elevated privileges, producing the lowest detection footprint of any documented ABE bypass.
The technique was adapted directly from the open-source ElevationKatz project, which has been publicly available on GitHub since August 29, 2025.
KEY FACTS
- What: First infostealer observed in the wild to bypass Chrome's Application-Bound Encryption via hardware breakpoints, without code injection or privilege escalation.
- Who: All users of Chrome, Edge, and other Chromium-based browsers on Windows. The stolen data enables downstream credential theft against any organization whose employees store passwords in browsers.
- How: Hardware breakpoints set through the CPU debug registers (DR0/DR7) intercept the plaintext decryption key during browser startup. Technique adapted from the open-source ElevationKatz project.
- Data: Saved passwords, cookies, session tokens, autofill data including payment card details, and cryptocurrency wallet data from 100+ browser extensions.
- Actor: Unknown. VoidStealer is a MaaS offering sold on dark web forums including HackForums. The developer has not been identified.
- Impact: Mass credential theft at scale. Stolen credentials serve as initial access for ransomware, business email compromise, and account takeover.
WHAT HAPPENED
On March 19, 2026, Gen Digital published research documenting a novel capability in VoidStealer. Version 2.0, released on March 13, 2026, introduced the first debugger-based ABE bypass observed in real-world malware.
Google introduced Application-Bound Encryption in Chrome 127 on July 30, 2024, as its flagship defense against infostealer credential theft.
ABE layered a second protection over the user-scoped DPAPI encryption that infostealers had been decrypting trivially: sensitive browser data is encrypted with a v20_master_key that is itself wrapped twice with DPAPI - under the user's key and then, around that, under the SYSTEM key - so unwrapping it must begin in a SYSTEM context.
Decryption requires calling the IElevator COM interface via the GoogleChromeElevationService running at SYSTEM privileges, with path validation ensuring only the legitimate Chrome binary can request the key.
ABE lasted 45 days before the first bypass appeared in the wild. By September 2024, SpyCloud documented nine stealer families with confirmed bypasses: Phemedrone, LummaC2, Meta, Lumar, Meduza, Vidar, Stealc, Rhadamanthys, and WhiteSnake.
Elastic Security Labs documented five bypass techniques: embedded ChromeKatz memory scraping, COM-based IElevator exploitation, Chrome DevTools remote debugging, direct memory copying via NtReadVirtualMemory, and reflective process hollowing.
Every technique required at least one detectable behavior: code injection, SYSTEM escalation, or remote debugging port activation.
VoidStealer v2.0 requires none of these. Its hardware breakpoint technique does not inject code, does not escalate privileges, does not activate a debugging port, and writes zero bytes to browser memory.
Five days later, v2.1 shipped on March 18. The malware has undergone 12 total iterations since December 2025.
THE HARDWARE BREAKPOINT TECHNIQUE
Step 1: VoidStealer launches a hidden, suspended Chrome or Edge process via CreateProcessW, using the CREATE_SUSPENDED creation flag and a STARTUPINFO whose wShowWindow is SW_HIDE, then attaches to it as a debugger via DebugActiveProcess.
Step 2: The malware monitors for LOAD_DLL_DEBUG_EVENT via WaitForDebugEvent, watching for chrome.dll or msedge.dll to load.
Step 3: It scans the DLL's .rdata section using ReadProcessMemory for the string "OSCrypt.AppBoundProvider.Decrypt.ResultCode" - a landmark in the decryption code path.
Step 4: It scans the .text section for the byte sequence 48 8D 0D (a 64-bit lea rcx, [rip+disp32]), adds the sign-extended 32-bit displacement to the address of the following instruction, and keeps the hit whose computed target equals the string's address. That instruction sits on the decryption path at a point where the plaintext key is reachable, and its address becomes the breakpoint.
Step 5: For each browser thread, VoidStealer suspends the thread, places the breakpoint address in DR0 and sets the L0 enable bit in DR7 (RW0 = 00, an execute breakpoint) through SetThreadContext with CONTEXT_DEBUG_REGISTERS, then resumes it. Because the CPU evaluates the debug registers itself, no 0xCC byte is patched into the target and no page protection changes, which is why nothing is written to browser memory.
Step 6: When the breakpoint fires during browser startup, the debuggee stops and the malware receives an EXCEPTION_DEBUG_EVENT. VoidStealer reads the stopped thread's registers, takes the v20_master_key pointer from R15 (Chrome) or R14 (Edge), and follows it with two ReadProcessMemory calls to copy out the plaintext key. Which register holds the pointer is an artifact of the compiler's register allocation in that build, so this detail is version-specific.
With that key, every saved password, cookie, session token, autofill entry, and payment card in the browser is decryptable.
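The address arithmetic in steps 3 and 4 is the part of the chain worth checking by hand. The following Python is an added example, not VoidStealer or ElevationKatz code: it resolves RIP-relative LEA instructions over a constructed stand-in for chrome.dll's .text and .rdata sections (not real Chrome bytes or addresses) and returns the instruction whose target is the landmark string. It generalizes the page's 48 8D 0D scan to any 64-bit RIP-relative LEA (any destination register, with or without REX.R), so a reference the compiler emitted into a register other than rcx is not missed.

```python
import struct

LANDMARK = b"OSCrypt.AppBoundProvider.Decrypt.ResultCode"
_REGS = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]


def find_rip_relative_leas(text, text_va):
    """Return (insn_va, dest_reg, target_va) for every 64-bit RIP-relative LEA in `text`.
    Encoding: REX (0x48 or 0x4C) 8D ModRM disp32, with ModRM mod=00 and rm=101 meaning [rip+disp32].
    The page's 48 8D 0D pattern is the ModRM=0x0D (reg=rcx) instance of this form.
    The target is the address of the *next* instruction (7 bytes on) plus the signed displacement."""
    hits = []
    for i in range(len(text) - 6):
        rex, opcode, modrm = text[i], text[i + 1], text[i + 2]
        if rex not in (0x48, 0x4C) or opcode != 0x8D or (modrm & 0xC7) != 0x05:
            continue
        reg = (modrm >> 3) & 0b111
        name = f"r{8 + reg}" if rex & 0x04 else _REGS[reg]   # REX.R selects r8-r15
        disp = struct.unpack_from("<i", text, i + 3)[0]
        insn_va = text_va + i
        hits.append((insn_va, name, insn_va + 7 + disp))
    return hits


def locate_landmark(text, text_va, rdata, rdata_va, landmark=LANDMARK):
    """Find the LEA that loads the landmark string's address; returns (insn_va, reg) or None.
    Matching on the exact computed target filters out 48 8D 0D sequences that occur by
    coincidence inside other instructions' immediates or displacements."""
    off = rdata.find(landmark)
    if off < 0:
        return None
    string_va = rdata_va + off
    for insn_va, reg, target in find_rip_relative_leas(text, text_va):
        if target == string_va:
            return insn_va, reg
    return None


def build_sample():
    """Constructed stand-in for chrome.dll sections (not real Chrome bytes or addresses)."""
    text_va, rdata_va = 0x180001000, 0x180003000
    rdata = b"\x00junk\x00" + LANDMARK + b"\x00"
    string_va = rdata_va + rdata.find(LANDMARK)

    def lea(insn_off, modrm, target):
        next_va = text_va + insn_off + 7
        return bytes([0x48, 0x8D, modrm]) + struct.pack("<i", target - next_va)

    text = b"\x90\x90"                                  # padding
    text += lea(len(text), 0x15, rdata_va + 0x100)     # decoy: lea rdx, [rip+...] -> some other string
    text += lea(len(text), 0x0D, string_va)            # lea rcx, [rip+...] -> the landmark
    text += b"\xC3"                                    # ret
    return text, text_va, rdata, rdata_va


if __name__ == "__main__":
    text, text_va, rdata, rdata_va = build_sample()
    va, reg = locate_landmark(text, text_va, rdata, rdata_va)
    print(f"breakpoint candidate at {va:#x}, string loaded into {reg}")
```

Against a real chrome.dll the two sections and their virtual addresses come from the PE section table after the DLL has loaded, and the same string can be referenced from more than one function, so a tool would keep every match and pick the one on the decryption path rather than the first hit.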
WHY HARDWARE BREAKPOINTS CHANGE THE DETECTION CALCULUS
Google designed ABE to force attackers into detectable postures. All nine prior bypass families fell into at least one: code injection triggers EDR rules for cross-process memory writes; SYSTEM escalation generates ETW events; remote debugging creates listening ports.
Hardware breakpoints produce none of those signals. The breakpoint lives in the thread's debug registers, not in the browser's address space, so memory-integrity checks and write-monitoring rules have nothing to compare. ABE's threat model assumed attackers would get noisier.
Hardware breakpoints are quieter, not silent. The malware still has to call DebugActiveProcess, SetThreadContext and ReadProcessMemory across a process boundary, and remote thread-context changes and cross-process reads are among the events the Microsoft-Windows-Threat-Intelligence ETW provider reports to EDRs that subscribe to it. Those calls are what the behavioral indicators below key on.
THE OPEN-SOURCE ORIGIN
VoidStealer adapted its technique from ElevationKatz, an open-source tool published by Meckazin on GitHub. ElevationKatz v0.7 was released on August 29, 2025, thirteen months after ABE shipped, and had been publicly available for more than six months before VoidStealer weaponized it.
The transition from proof-of-concept to criminal tool follows the same pattern as Mimikatz and Cobalt Strike.
VOIDSTEALER CAPABILITIES
Beyond the ABE bypass, VoidStealer harvests credentials from 20+ browsers, data from 100+ extensions including cryptocurrency wallets, and implements a fallback bypass via process injection and IElevator COM interface. C2 uses dynamic resolution via Telegram and Steam.
A single victim can yield 12,000+ cookies and 1,200+ autofill entries.
INDICATORS OF COMPROMISE
SHA-256 (v2.0): f783fde5cf7930e4b3054393efadd3675b505cbef8e9d7ae58aa35b435adeea4
AV Detection: Avast Win64:MalwareX-gen [Pws] | ESET Win64/PSW.Agent.SX | Kaspersky Trojan-PSW.Win32.Vidar.idm | Microsoft PWS:Win64/WallStealer.CI!MTB
Behavioral indicators: DebugActiveProcess targeting chrome.exe/msedge.exe from non-browser process; ReadProcessMemory against browser memory; SetThreadContext modifying DR0/DR7 on browser threads; browser processes spawned with SW_HIDE or CREATE_SUSPENDED flags.
No C2 domains, IPs, or Telegram identifiers have been published in any public reporting.
REGULATORY EXPOSURE
- CCPA/CPRA: Organizations whose employee browser credentials are stolen, leading to unauthorized access to California residents' personal information, face notification obligations and $7,500 per intentional violation.
- HIPAA: Healthcare organizations whose employees store portal credentials in browsers create a pathway from infostealer infection to PHI exposure. Fines up to $2.1M per violation category per year.
- PCI DSS 4.0: Payment card data stored in browser autofill is directly targeted. Exposure under Requirements 3 and 8.
- GDPR (Articles 5, 32, 33, 34): Browser-based password storage with no additional authentication falls short of Article 32 "appropriate technical measures." Fines up to EUR 20M or 4% of turnover.
- Saudi PDPL: NCA Essential Cybersecurity Controls mandate credential management practices prohibiting browser-based storage on critical systems. Fines up to SAR 5M.
- UAE PDPL: Fines up to AED 10M. TDRA requires appropriate technical measures.
- FTC Act Section 5: Browser-based password storage without enterprise password manager enforcement is increasingly indefensible as a "reasonable" security practice.
INTELLIGENCE GAPS
1. VoidStealer's operator has not been identified. No attribution to a specific individual, group, or nation-state has been attempted by any vendor.
2. MaaS pricing has not been documented. Comparable stealers price at $200-800. VoidStealer's cost is unknown.
3. Infection telemetry has not been published. The number of VoidStealer infections, geographic distribution, and most-targeted industries are unknown.
4. No C2 infrastructure specifics have been published. No domains, IPs, Telegram bot IDs, or Steam profiles for C2 resolution appear in any public report.
5. Google has not issued a VoidStealer-specific response. Whether planned Chrome hardening will address the hardware breakpoint technique specifically is unconfirmed.
ZERO|TOLERANCE Advisory
Google built ABE to force infostealers into noisy behavior. Code injection. SYSTEM escalation. Remote debugging ports. Nine stealer families adapted within weeks, the first in 45 days. All nine did exactly what Google predicted - they got noisier. And for a period, defenders could detect them.
VoidStealer broke that contract. It found a path that produces no code injection, no privilege escalation, no writes to browser memory, and no open ports. It uses the CPU debug registers, a feature most endpoint tools never examine.
ABE's threat model no longer holds.
The technique was not novel when VoidStealer deployed it. ElevationKatz demonstrated the identical approach on GitHub on August 29, 2025. The tool sat in a public repository for six months before a criminal operation adopted it.
The transition from proof-of-concept to weaponized malware was not a matter of if. March 13, 2026, was when.
ABE was always a mitigation, not a solution. The v20_master_key must exist in plaintext in browser memory at some point during normal operation. Any attacker who can attach to the browser process and time their observation correctly will extract that key.
Hardware breakpoints are one method. Future methods will find other moments of plaintext exposure.
This leads to the only defensive conclusion that matters: stop storing credentials in browsers. Enterprise password managers - 1Password Business, Bitwarden Organizations, Dashlane Business, Keeper Enterprise - eliminate the credential database that infostealers target.
VoidStealer can extract Chrome's v20_master_key and decrypt Chrome's Login Data database, but if that database is empty because credentials are stored in 1Password, there is nothing to decrypt.
Deploy it with organization-enforced policies that disable the browser's built-in password manager. The Chrome Enterprise policy PasswordManagerEnabled set to false (on Windows, the DWORD value PasswordManagerEnabled = 0 under HKLM\SOFTWARE\Policies\Google\Chrome; Edge reads the same-named value under HKLM\SOFTWARE\Policies\Microsoft\Edge) stops the browser from offering to save new credentials. It does not purge what is already in Login Data, so pair it with clearing previously saved passwords; otherwise the database VoidStealer decrypts is still populated.
Endpoint detection must cover debugger-based attacks. VoidStealer's behavioral chain has invariant indicators: a non-browser process calls DebugActiveProcess targeting chrome.exe or msedge.exe; browser threads have their DR0/DR7 registers modified via SetThreadContext.
No legitimate software attaches a debugger to a user's Chrome session without explicit developer action. EDR rules should flag any autonomous debugger attachment to a browser process as a critical alert.
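The indicators listed under INDICATORS OF COMPROMISE and in the two paragraphs above are specific enough to encode as rules. The following Python is an added example, not code from Gen Digital or any EDR product: it runs those rules over a constructed event stream (hypothetical sensor records modelled on the API calls in steps 1-6, not real telemetry) and decodes the DR7 value carried in a SetThreadContext event so an analyst can see which debug register was armed and how. The dropper path, PIDs and DR0 address are invented for the sample.

```python
import os

BROWSERS = {"chrome.exe", "msedge.exe"}
CONTEXT_DEBUG_REGISTERS = 0x10   # flag bit within CONTEXT_DEBUG_REGISTERS (0x100010 on amd64)
CREATE_SUSPENDED = 0x4           # CreateProcess creation flag
SW_HIDE = 0                      # STARTUPINFO.wShowWindow value


def decode_dr7(dr7):
    """List the enabled hardware-breakpoint slots encoded in DR7 as (slot, kind, length).
    Slot i: L(i) = bit 2i, G(i) = bit 2i+1, RW(i) = bits 16+4i..17+4i, LEN(i) = bits 18+4i..19+4i.
    A DR7 of 0x1 is what step 5 above produces: DR0 armed as a 1-byte execute breakpoint."""
    kinds = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
    lengths = {0b00: 1, 0b01: 2, 0b10: 8, 0b11: 4}
    slots = []
    for i in range(4):
        if dr7 & (0b11 << (2 * i)):                # local or global enable bit set
            rw = (dr7 >> (16 + 4 * i)) & 0b11
            ln = (dr7 >> (18 + 4 * i)) & 0b11
            slots.append((i, kinds[rw], lengths[ln]))
    return slots


def _image(path):
    return os.path.basename(path.replace("\\", "/")).lower()


def analyze(events):
    """Apply the VoidStealer behavioral indicators to a stream of hypothetical sensor events."""
    alerts = []
    for ev in events:
        kind = ev["event"]
        if kind == "DebugActiveProcess":
            if _image(ev["target_image"]) in BROWSERS and _image(ev["image"]) not in BROWSERS:
                alerts.append(("critical", "non-browser process attached a debugger to a browser",
                               ev["pid"], _image(ev["image"])))
        elif kind == "SetThreadContext":
            remote = ev["pid"] != ev["target_pid"] and _image(ev["target_image"]) in BROWSERS
            if remote and ev["context_flags"] & CONTEXT_DEBUG_REGISTERS:
                slots = decode_dr7(ev["dr7"])
                if slots:   # no memory was written; the register change itself is the signal
                    alerts.append(("critical", "hardware breakpoint set on browser thread", ev["pid"], slots))
        elif kind == "ProcessCreate":
            # Chrome's sandbox broker launches its own renderers suspended, so only non-browser parents count.
            suspicious = ev["creation_flags"] & CREATE_SUSPENDED or ev.get("show_window") == SW_HIDE
            if _image(ev["image"]) in BROWSERS and _image(ev["parent_image"]) not in BROWSERS and suspicious:
                alerts.append(("medium", "browser spawned suspended or hidden by non-browser parent",
                               ev["parent_pid"], _image(ev["parent_image"])))
        elif kind == "ReadProcessMemory":
            if _image(ev["target_image"]) in BROWSERS and _image(ev["image"]) not in BROWSERS:
                alerts.append(("medium", "cross-process read of browser memory", ev["pid"], _image(ev["image"])))
    return alerts


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
MALWARE = r"C:\Users\victim\AppData\Roaming\svc\updater.exe"   # hypothetical dropper path

# Constructed event stream, not real telemetry: the chain from steps 1-6 plus benign noise.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "pid": 5100, "image": CHROME, "parent_pid": 4242, "parent_image": MALWARE,
     "creation_flags": CREATE_SUSPENDED, "show_window": SW_HIDE},
    {"event": "DebugActiveProcess", "pid": 4242, "image": MALWARE, "target_pid": 5100, "target_image": CHROME},
    {"event": "SetThreadContext", "pid": 4242, "target_pid": 5100, "target_image": CHROME,
     "context_flags": 0x100010, "dr0": 0x7FFA1B2C3D4E, "dr7": 0x1},
    {"event": "ReadProcessMemory", "pid": 4242, "image": MALWARE, "target_pid": 5100, "target_image": CHROME},
    # Benign: Chrome spawning its own sandboxed renderer suspended.
    {"event": "ProcessCreate", "pid": 5200, "image": CHROME, "parent_pid": 5100, "parent_image": CHROME,
     "creation_flags": CREATE_SUSPENDED},
    # Benign: a developer attaching Visual Studio to their own application.
    {"event": "DebugActiveProcess", "pid": 6000, "image": r"C:\VS\devenv.exe", "target_pid": 6100,
     "target_image": r"C:\proj\myapp.exe"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

The suspended-launch rule is deliberately rated lower than the debugger and debug-register rules: installers and launchers occasionally start a browser suspended, whereas a non-browser process arming DR0-DR3 in a browser thread has no routine explanation. In production the events would come from a sensor such as an ETW-TI subscriber rather than a list, but the rule logic does not change.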
FIDO2 hardware security keys remove the value of a stolen password. Even if VoidStealer harvests every credential in Chrome's database, those credentials cannot complete authentication to a FIDO2-protected service without physical possession of the key. They do nothing for the session cookies and tokens VoidStealer also takes, which replay without the key until the session expires or is revoked; that gap is the one Device Bound Session Credentials are meant to close.
Deploy for all administrative accounts, VPN, email, and sensitive services.
VoidStealer is not the last stealer that will bypass ABE. Google is developing Device Bound Session Credentials (DBSC), which bind session cookies to a key held on the device so a copied cookie cannot be replayed elsewhere. Until DBSC ships, the browser credential database remains the single most valuable target in the infostealer ecosystem.
Every credential stored there is one infection away from the dark web.
SOURCES
Gen Digital, BleepingComputer, CSO Online, Computerworld, CybersecurityNews, CyberPress, Cryptika, GBHackers, BlackFog, Elastic Security Labs, SpyCloud, SpecterOps, PCRisk, Xcitium ThreatLabs, The Hacker News, Arabian Post, GitHub (Meckazin/ChromeKatz, xaitax), Google Chrome Developer Documentation, ZERO|TOLERANCE prior coverage (Infiniti Stealer macOS ClickFix Nuitka)