VoidStealer Malware Bypasses Chrome Encryption Chrome’s App-Bound

A newly discovered malware, dubbed VoidStealer, poses a significant threat to Chrome users on Windows. It employs a sophisticated technique to bypass one of the browser’s critical security features.

The malware targets Chrome’s App-Bound Encryption, a protection layer Google introduced specifically to keep stored passwords and session cookies out of reach from attackers. What makes VoidStealer stand out is the way it gets around this defense without needing elevated system privileges at all.

Chrome’s App-Bound Encryption, introduced in July 2024 with Chrome version 127, was designed to tie the browser’s encryption key to Chrome itself.

A separate service running with high-level privileges was supposed to block any outside program from requesting that key. The idea was sound: if a stealer cannot get the key, it simply cannot read the data. For a while, it worked reasonably well.

Analysts at Kaspersky identified and analyzed VoidStealer, noting that the malware surfaced in March 2026 and operates under a malware-as-a-service (MaaS) model.

This means its developers rent out the ready-made tool to other attackers, making it accessible to a much wider range of cybercriminals. 

Kaspersky said in a report shared with Cyber Security News (CSN) that VoidStealer’s bypass method is both novel and highly effective against current browser defenses.

The malware does not try to steal the encryption key directly. Instead, it waits for Chrome to decrypt its own data during normal operation, then intercepts the master key while it briefly sits in the computer’s memory as readable text.

The approach bypasses the encryption not by breaking it, but by going around it entirely without triggering any visible alarms.

Once the key is captured, VoidStealer can access saved passwords, session cookies, and other sensitive browser data.

Session cookies are especially dangerous in the wrong hands because they allow an attacker to log into a victim’s accounts without needing a password at all. This can quickly lead to account hijacking, financial theft, and identity fraud.

VoidStealer Bypasses Chrome’s App-Bound Encryption

VoidStealer uses a debugging technique to carry out its attack on the browser. It attaches itself to the Chrome process as a debugger, a tool that developers normally use to inspect and control a running program.

By doing this, the malware can monitor Chrome’s internal operations and pause execution at a precise point.

The malware sets a breakpoint at the exact line of code where Chrome decrypts its stored data. When Chrome reaches that point and the master key appears in memory as readable text, the browser effectively freezes for a split second.

VoidStealer reads the key directly from memory before Chrome continues running, and the user sees nothing unusual.

This technique also works on other browsers built on the Chromium engine, including Microsoft Edge, Brave, Opera, and Vivaldi.

Any browser relying on Chrome’s App-Bound Encryption is potentially at risk, which significantly broadens the scope of this threat well beyond Chrome users alone.

Malware-as-a-Service Widens the Reach

The MaaS model behind VoidStealer makes it far more dangerous than a typical targeted attack tool. Criminals who lack the technical skills to write their own malware can simply rent access to VoidStealer and deploy it against unsuspecting users.

This lowers the barrier for launching attacks and increases the number of potential victims dramatically. This situation highlights a wider problem in browser security.

Stealer developers are finding new workarounds faster than browser vendors can roll out patches, and everyday users are the ones who end up paying the price.

To stay safer, users should avoid storing passwords and payment card details directly in the browser and use a dedicated password manager instead.

Downloading software only from trusted, verified sources is also important, as infostealers are often bundled with pirated or unofficial programs.

Keeping the operating system and all apps updated, and running a reliable security solution that monitors for suspicious behavior in real time, can go a long way toward reducing exposure to threats like VoidStealer.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.