
VoidStealer

VoidStealer is an information-stealing malware family sold under a malware-as-a-service model. It has been advertised on underground forums since at least mid-December 2025; the capability that drew public reporting, a debugger-based bypass of Chrome's Application-Bound Encryption (ABE), arrived with version 2.0 in March 2026. It targets Google Chrome on Windows and also works against other Chromium-based browsers that use ABE, including Microsoft Edge, Brave, Opera, and Vivaldi. Its goal is to recover the browser's v20_master_key so it can decrypt and exfiltrate ABE-protected data such as saved passwords and session cookies. Stolen session cookies let an attacker reuse an already-authenticated session without the victim's credentials, which enables account hijacking, financial theft, and identity fraud.

Multiple reports describe VoidStealer as the first infostealer seen in the wild using a debugger-based ABE bypass that needs neither elevated privileges nor code injection into the browser. As reported, VoidStealer launches a hidden browser process with CreateProcessW (CREATE_SUSPENDED, SW_HIDE), resumes its main thread, and attaches with DebugActiveProcess. It then consumes debug events through WaitForDebugEvent until chrome.dll or msedge.dll loads, scans that DLL's .rdata section with ReadProcessMemory for the string "OSCrypt.AppBoundProvider.Decrypt.ResultCode", and uses that reference to identify the decryption code location. It sets hardware breakpoints on that location across the browser's threads. When a breakpoint fires during browser startup or a legitimate decryption, a register holds a pointer to the plaintext v20_master_key (R15 for Chrome and R14 for Edge, per the reports), and the key is read out with two ReadProcessMemory calls. The technique is assessed to be adapted from the public ElevationKatz project.

The key exists in plaintext in browser memory only during the brief window in which the browser itself decrypts protected data; the debugger approach times its read to that window instead of asking the elevation service to decrypt anything on the attacker's behalf. Earlier reporting notes that VoidStealer implements two ABE bypasses: a noisier injection-based method that invokes IElevator::DecryptData over COM from inside the browser process, and the debugger-based method introduced in version 2.0 on March 13, 2026. The family has been advertised on dark web forums since at least mid-December 2025 and moved quickly through versions 1.0 to 2.1.
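Because the attach runs unprivileged and never touches the elevation service, ABE itself offers nothing to detect it with; the quoted guidance in the ATT&CK section below points instead at monitoring browser memory reads from third-party processes and flagging browsers launched hidden or headless. The following is an added example written for this page, not VoidStealer code and not a vendor rule. It runs that hunting logic over constructed Sysmon-style ProcessCreate (Event ID 1) and ProcessAccess (Event ID 10) records. Field names follow Sysmon's; the allowlists, file paths and the "Acme EDR" sensor are assumptions; and the spawn-then-attach correlation is an addition layered on the sequence the reports describe (CreateProcessW on the browser, then a debugger attach and ReadProcessMemory from the same image).

```python
"""Hunt for a VoidStealer-style debugger attach against a Chromium browser in
Sysmon-like process telemetry (Event ID 1 ProcessCreate, Event ID 10 ProcessAccess).
Added example: log lines, allowlists and paths are constructed for illustration."""
import re
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}

# Process access rights from winnt.h. DebugActiveProcess needs PROCESS_ALL_ACCESS on
# the target and ReadProcessMemory needs PROCESS_VM_READ; the hardware breakpoints
# are thread-context writes that Sysmon does not log, so we key on these bits.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
MEMORY_RIGHTS = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Hypothetical allowlists; tune to what actually launches and inspects browsers
# in the environment (shell, link handlers, the EDR sensor).
ALLOWED_BROWSER_PARENTS = {"explorer.exe", "userinit.exe", "runtimebroker.exe"} | BROWSERS
ALLOWED_ACCESS_SOURCES = {r"c:\program files\acme edr\sensor.exe"}  # assumed EDR path

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line):
    """Parse one 'Key=value Key="quoted value"' line into a dict of strings."""
    out = {}
    for m in _KV.finditer(line):
        quoted, bare = m.group(2), m.group(3)
        out[m.group(1)] = quoted if quoted is not None else bare
    return out


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    """Reasons a ProcessCreate event for a browser looks like a stealer launching it."""
    reasons = []
    if basename(ev.get("Image", "")) not in BROWSERS:
        return reasons
    parent = basename(ev.get("ParentImage", ""))
    if parent not in ALLOWED_BROWSER_PARENTS:
        reasons.append(f"browser spawned by unexpected parent {parent}")
    if "--headless" in ev.get("CommandLine", "").lower():
        reasons.append("browser launched headless")
    return reasons


def check_process_access(ev):
    """Reasons a ProcessAccess event looks like a foreign process reading browser memory."""
    reasons = []
    target = basename(ev.get("TargetImage", ""))
    source = ev.get("SourceImage", "")
    if target not in BROWSERS:
        return reasons
    # A browser opening its own renderer/utility children is normal, as is the EDR.
    if basename(source) == target or source.lower() in ALLOWED_ACCESS_SOURCES:
        return reasons
    granted = int(ev.get("GrantedAccess", "0"), 16)
    if granted & MEMORY_RIGHTS:
        reasons.append(f"{basename(source)} opened {target} with memory rights 0x{granted:X}")
    return reasons


def hunt(lines):
    """Return (source_image, reasons) alerts, escalating when the image that
    created a browser process later opens that same process for memory access."""
    spawned_by = defaultdict(set)  # parent basename -> browser PIDs it created
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "1":
            if basename(ev.get("Image", "")) in BROWSERS:
                spawned_by[basename(ev.get("ParentImage", ""))].add(ev.get("ProcessId"))
            reasons = check_process_create(ev)
            if reasons:
                alerts.append((basename(ev.get("ParentImage", "")), reasons))
        elif ev.get("EventID") == "10":
            src = basename(ev.get("SourceImage", ""))
            reasons = check_process_access(ev)
            if reasons and ev.get("TargetProcessId") in spawned_by.get(src, ()):
                reasons.append("spawn-then-attach: this image created the browser process it is now reading")
            if reasons:
                alerts.append((src, reasons))
    return alerts


# Constructed sample telemetry: a normal Chrome launch, Chrome opening its own
# child, an allowlisted sensor read, then a stealer launching and attaching.
SAMPLE_LOG = [
    'EventID=1 Image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" ParentImage="C:\\Windows\\explorer.exe" ProcessId=4120 CommandLine="chrome.exe"',
    'EventID=10 SourceImage="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" TargetImage="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" TargetProcessId=4120 GrantedAccess=0x1FFFFF',
    'EventID=10 SourceImage="C:\\Program Files\\Acme EDR\\sensor.exe" TargetImage="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" TargetProcessId=4120 GrantedAccess=0x1010',
    'EventID=1 Image="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" ParentImage="C:\\Users\\Public\\update.exe" ProcessId=5588 CommandLine="chrome.exe"',
    'EventID=10 SourceImage="C:\\Users\\Public\\update.exe" TargetImage="C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" TargetProcessId=5588 GrantedAccess=0x1FFFFF',
]

if __name__ == "__main__":
    for source, reasons in hunt(SAMPLE_LOG):
        print(source, "->", "; ".join(reasons))
```

The same-image exclusion compares basenames only; in production compare the full path and the signer, since a stealer dropped as chrome.exe would slip through it. The CREATE_SUSPENDED and SW_HIDE arguments the reports mention never reach the event log, so the observable signals are the unusual parent, any headless flag on the command line, and the ProcessAccess from a non-browser image with memory rights.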

The one high-confidence indicator in the cited reporting is the SHA-256 hash f783fde5cf7930e4b3054393efadd3675b505cbef8e9d7ae58aa35b435adeea4, attributed to VoidStealer v2.0.


MITRE ATT&CK

Techniques & procedures

15 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

2 techniques
T1204 User Execution (evidence: 1)

Do not install programs obtained from dubious sources... Learn how the ClickFix attack works, since stealers have recently been distributed mainly through this malicious tactic.

T1559.001 Component Object Model (evidence: 1)

The first is a well-documented approach that involves injecting into the browser process and invoking IElevator::DecryptData from the browser's context via the COM interface.

Persistence

1 technique
T1543 Create or Modify System Process (evidence: 1)

VoidStealer begins by spawning a browser process via CreateProcessW with the CREATE_SUSPENDED and SW_HIDE flags. It then resumes the main thread and immediately attaches a debugger to the newly spawned process via DebugActiveProcess.

Privilege Escalation

3 techniques
T1055 Process Injection (evidence: 6)

To exploit this "window of opportunity", the malware attaches to the Chrome process as a debugger...

T1055.009 Proc Memory (evidence: 2)

When the breakpoint triggers, the R15 register for Chrome or R14 register for Edge holds a direct pointer to the v20_master_key, which VoidStealer then extracts using just two ReadProcessMemory calls.

T1543 Create or Modify System Process (evidence: 1)

VoidStealer begins by spawning a browser process via CreateProcessW with the CREATE_SUSPENDED and SW_HIDE flags. It then resumes the main thread and immediately attaches a debugger to the newly spawned process via DebugActiveProcess.

Defense Evasion

4 techniques
T1055 Process Injection (evidence: 6)

To exploit this "window of opportunity", the malware attaches to the Chrome process as a debugger...

T1055.009 Proc Memory (evidence: 2)

When the breakpoint triggers, the R15 register for Chrome or R14 register for Edge holds a direct pointer to the v20_master_key, which VoidStealer then extracts using just two ReadProcessMemory calls.

T1564.003 Hidden Window (evidence: 2)

VoidStealer begins by spawning a browser process using CreateProcessW with SW_HIDE and CREATE_SUSPENDED flags... Monitoring for browser memory reads from third-party processes, flagging browsers launched with SW_HIDE or headless flags...

T1622 Debugger Evasion (evidence: 6)

...the malware attaches to the Chrome process as a debugger, a tool that lets one control a program's execution, pause it, and inspect the contents of its memory.

Credential Access

5 techniques
T1003 OS Credential Dumping (evidence: 3)

It targets the moment when Chrome needs to decrypt data and uses it to sign into a website or to access saved credentials, she noted. To do this, Chrome exposes the master key in plaintext in browser memory; VoidStealer authors figured out a way to take advantage of that brief window of opportunity.

T1539 Steal Web Session Cookie (evidence: 5)

So-called session cookies are especially valuable to attackers... stealing these files lets an attacker use an already-authenticated session on the victim's behalf without entering a login and password.

T1555 Credentials from Password Stores (evidence: 1)

The variant, introduced in VoidStealer version 2.0 on March 13, 2026, uses a debugger-based technique to silently extract encrypted browser credentials directly from memory... VoidStealer currently targets both Google Chrome and Microsoft Edge.

T1555.003 Credentials from Web Browsers (evidence: 3)

The new method bypasses Chrome's Application-Bound Encryption (ABE), a mechanism that protects session cookies and other valuable information stored in the browser.

T1649 Steal or Forge Authentication Certificates (evidence: 1)

The core of VoidStealer’s novel bypass involves attaching itself to the Chrome or Edge browser as a debugger and setting hardware breakpoints at the exact moment when the v20_master_key is briefly present in memory as plaintext.

Discovery

3 techniques
T1057 Process Discovery (evidence: 2)

It then listens for debug events through WaitForDebugEvent, monitoring each DLL as it loads into the browser’s memory space. Once chrome.dll or msedge.dll loads, VoidStealer uses ReadProcessMemory to scan the DLL’s .rdata section...

T1518 Software Discovery (evidence: 1)

The malware locates in advance the section of code where the data is decrypted.

T1622 Debugger Evasion (evidence: 6)

...the malware attaches to the Chrome process as a debugger, a tool that lets one control a program's execution, pause it, and inspect the contents of its memory.

Collection

1 technique
T1005 Data from Local System (evidence: 2)

This is how the malware catches the moment when the master key is already sitting in memory as plaintext and reads it from there directly.

INDICATORS OF COMPROMISE

IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.

Hashes (1 tracked): file hashes (MD5, SHA-1, SHA-256) from samples and reports.

Type | Value | Latest sighting
hash.sha256 | (masked on this page; the v2.0 SHA-256 is given in the summary above) | 3 months ago
ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news.

Gen Digital (news), Jun 18, 2026
Gen Blogs | Inside Vidar’s ABE Bypass: From Memory Scanning to APC Injections

VoidStealer is referenced as another infostealer previously discussed in relation to ABE inner workings.

Cyber Security News (news), May 19, 2026
New VoidStealer Malware Bypasses Chrome's App-Bound Encryption to Steal Passwords and Cookies

An infostealer targeting Chrome and other Chromium-based browsers on Windows. It bypasses Chrome’s App-Bound Encryption by attaching to the browser as a debugger, setting a breakpoint where Chrome decrypts data, and reading the master key from memory to steal saved passwords, session cookies, and other sensitive browser data.

Kaspersky blog (news), May 6, 2026
How VoidStealer bypasses Chrome’s protections to hijack sessions and steal data | Kaspersky official blog

An infostealer that steals data stored by Chrome for Windows by bypassing Chrome’s App-Bound Encryption. It attaches to the Chrome process as a debugger, sets breakpoints at decryption code, and reads the browser master key from memory when it appears in plaintext. The operators run it under a malware-as-a-service model.

Dark Reading (news), May 6, 2026
Yet Another Way to Bypass Google Chrome's Encryption Protection

An infostealer trojan that bypasses Chrome's App-Bound Encryption by attaching to the browser as a debugger, pausing execution at the moment decryption occurs, and extracting the plaintext master key from browser memory to steal cookies, credentials, and other sensitive browser data.
