ChromElevator
ChromElevator is a publicly available, open-source post-exploitation tool for stealing data from Chromium-based browsers. Across the available reporting it is consistently described as capable of stealing passwords, cookies, login information, web data, authentication data, and payment card data from Chrome-family browsers, and as specifically designed to bypass Chromium/Google App-Bound Encryption (ABE) protections. Multiple sources describe it injecting into suspended target browser processes or hooking Chrome renderer processes, decrypting the browser master key, and covertly exfiltrating the recovered data.
Observed usage shows ChromElevator being embedded or delivered by multiple malware families and intrusion sets rather than acting as a standalone campaign identity. It was used by the Iran-linked espionage group Seedworm/MuddyWater/Static Kitten in early 2026, embedded in malicious DLLs (fmapp.dll and sentinelagentcore.dll) loaded via DLL sideloading with legitimate signed binaries such as fmapp.exe and sentinelmemoryscanner.exe. In those incidents, it supported credential and browser-data theft during espionage intrusions affecting organizations across manufacturing, government, education, financial services, and an international airport. CERT-UA also reported UAC-0247 using CHROMELEVATOR to steal browser authentication data in attacks against Ukrainian local governments, municipal healthcare institutions, Defense Forces representatives, and FPV drone operators.
The tool also appears in cybercrime malware ecosystems. It was delivered by the NYX malware from malicious npm packages as chromelevator.exe downloaded from amoboobs[.]com/arquivos/chromelevator.exe; used by the FAUX#ELEVATE campaign via components x.exe and ps.exe to extract Chromium credentials in French-speaking corporate environments; embedded in Arkanix Stealer’s native C++ build for browser credential theft; referenced in SantaStealer reporting as the Chromium credential-theft component; used by Stealit through save_data.exe to grab Chromium browser data; and observed in a multi-stage infostealer chain where a secondary module chromelevator.bin was downloaded from C2 for Chrome browser injection.
High-confidence indicators and filenames directly mentioned in the reporting include chromelevator.exe, chromelevator.bin, x.exe, ps.exe, save_data.exe, fmapp.dll, sentinelagentcore.dll, and the URL hxxp://amoboobs[.]com/arquivos/chromelevator.exe. The only related family explicitly mentioned alongside ChromElevator itself is BluelineStealer.
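As an added defensive example (not code from the page or from any vendor cited in it), the following Python scans constructed Sysmon-style event lines for the behaviours described above: the fmapp.exe/fmapp.dll and sentinelmemoryscanner.exe/sentinelagentcore.dll sideloading pairs, remote-thread creation in a browser process, and execution of the filenames named in the reporting. The pipe-separated log format, the file paths, and the msedge.exe/brave.exe browser names are assumptions.

```python
from pathlib import PureWindowsPath

# Filenames and sideloading pairs are the ones named in the reporting above.
SIDELOAD_PAIRS = {"fmapp.exe": "fmapp.dll",
                  "sentinelmemoryscanner.exe": "sentinelagentcore.dll"}
KNOWN_FILENAMES = {"chromelevator.exe", "chromelevator.bin", "x.exe",
                   "ps.exe", "save_data.exe"}
# chrome.exe comes from the reporting; the other two are an assumption.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}

def parse_event(line):
    """Split a pipe-separated key=value event line into a dict (assumed format)."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)

def basename(path):
    return PureWindowsPath(path).name.lower()

def classify(event):
    """Return the rule names matched by one parsed event (empty if benign)."""
    hits = []
    eid = event.get("EventID")
    image = basename(event.get("Image", ""))
    if eid == "7":  # image load: signed host binary loading its sideloaded DLL
        loaded = basename(event.get("ImageLoaded", ""))
        if SIDELOAD_PAIRS.get(image) == loaded:
            hits.append("dll_sideload")
    elif eid == "8":  # CreateRemoteThread into a browser process
        src = basename(event.get("SourceImage", ""))
        if basename(event.get("TargetImage", "")) in BROWSER_IMAGES:
            hits.append("browser_injection")
            if src in KNOWN_FILENAMES:
                hits.append("known_filename")
    elif eid == "1" and image in KNOWN_FILENAMES:  # process creation
        hits.append("known_filename")
    return hits

def scan(lines):
    """Return (line number, rule) pairs for every line that matches a rule."""
    return [(i, rule) for i, line in enumerate(lines, 1)
            for rule in classify(parse_event(line))]

# Constructed sample telemetry, not real logs; paths are illustrative only.
SAMPLE_LOG = [
    "EventID=1|Image=C:\\Windows\\explorer.exe",
    "EventID=7|Image=C:\\Users\\u\\Downloads\\fmapp.exe|ImageLoaded=C:\\Users\\u\\Downloads\\fmapp.dll",
    "EventID=7|Image=C:\\Windows\\explorer.exe|ImageLoaded=C:\\Windows\\System32\\kernel32.dll",
    "EventID=8|SourceImage=C:\\Users\\u\\AppData\\Local\\Temp\\chromelevator.exe|TargetImage=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "EventID=1|Image=C:\\Users\\u\\AppData\\Roaming\\save_data.exe",
]
```

Running scan(SAMPLE_LOG) flags lines 2, 4 and 5; the benign explorer.exe and kernel32.dll events produce no hits.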
Groups observed using it
4 distinct threat actors attributed by public researchers.
Both malicious files carried ChromElevator, a tool capable of stealing passwords, cookies, and payment data from web browsers.
Stage 2: The Native Stealer. While the Node.js RAT handles interactive operations, NYX downloads a second payload: chromelevator.exe, a 1.4 MB PE64 C/C++ binary hosted at hxxp://amoboobs[.]com/arquivos/chromelevator.exe.
Attackers used CHROMELEVATOR to pull authentication data and other stored credentials from internet browsers...
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution: 1 technique
Privilege Escalation: 1 technique
Stealth: 3 techniques
"...implant embedded within the resources of the C++ implementation... stealer extracts the payload to a temporary folder... and executes it"
Credential Access: 3 techniques
Both the DLLs embed an open-source tool called ChromElevator to siphon passwords, cookies, and payment card data from Chromium-based browsers, effectively getting around App-Bound Encryption (ABE) protections.
Collection: 1 technique
IOCs tracked for this family
29 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
18 sources tracked across advisories, community write-ups, and news.
Browser credential theft tool used to steal passwords, cookies, and payment data from web browsers.
An open-source browser data theft tool used to steal passwords, cookies, and payment card data from Chromium-based browsers while bypassing App-Bound Encryption protections.
A post-exploitation tool used to steal passwords, cookies, and payment card data from Chromium-based browsers.
A commodity post-exploitation tool used to steal data stored in Chrome-based browsers.