A new version of the VoidStealer infostealer has drawn considerable attention from security experts because it is the first malware to get around Google Chrome's Application-Bound Encryption (ABE) without injecting code or needing elevated system privileges. The bypass, introduced in VoidStealer version 2.0 on March 13, 2026, uses a debugger-based method to silently pull encrypted browser credentials straight from memory. This is a significant change in how infostealers steal credentials.
Google added ABE to Chrome 127 in July 2024 as part of its incident response planning. The goal was to make it much harder for malware to get to sensitive browser data like saved passwords and cookies.
The protection works by binding the encryption key, v20_master_key, to the Google Chrome Elevation Service, a SYSTEM-level service that runs with the most privileges on Windows. Although this raised the bar considerably, it did not stop attackers from finding smarter ways around it.
[Figure: Full ABE bypass flow used by VoidStealer (Source: GenDigital)]
Defenders should take any process that automatically attaches a debugger to a browser very seriously, because legitimate applications do not behave this way.
There are several good ways to detect a browser being accessed by a third-party process, such as watching for memory reads, flagging browsers that were launched with the SW_HIDE or headless flags, and alerting on unexpected DebugActiveProcess calls that target browsers. The known indicator of compromise for VoidStealer v2.0 is f783fde5cf7930e4b3054393efadd3675b505cbef8e9d7ae58aa35b435adeea4.
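The three detection signals above can be correlated per browser process, as in this added example (not code from the article or from any vendor). The event schema, the browser watch list, the debugger allowlist and every path and pid are assumptions; map the fields to whatever your EDR or ETW pipeline actually emits.

```python
import ntpath

BROWSERS = {"chrome.exe", "msedge.exe"}   # assumed watch list
DEBUGGER_ALLOWLIST = {"windbg.exe"}       # assumed: debuggers sanctioned in your environment

def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()

def detect(events):
    """Return (severity, rule, source_image, browser_pid) alerts for an event stream."""
    browsers = {}   # live browser pid -> True if it was started hidden or headless
    alerts = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create" and base(ev["image"]) in BROWSERS:
            hidden = ev.get("show_window") == "SW_HIDE" or "--headless" in ev.get("cmdline", "")
            browsers[ev["pid"]] = hidden
            if hidden:
                alerts.append(("medium", "hidden_or_headless_browser", base(ev["parent_image"]), ev["pid"]))
        elif kind == "process_exit":
            browsers.pop(ev["pid"], None)   # pids get reused, so forget dead browsers
        elif kind in ("debug_attach", "memory_read") and ev["target_pid"] in browsers:
            src = base(ev["source_image"])
            if src in BROWSERS or src in DEBUGGER_ALLOWLIST:
                continue                    # browser child processes and sanctioned debuggers
            # Debugging or reading a browser that was itself started hidden is the strongest signal.
            severity = "high" if browsers[ev["target_pid"]] else "medium"
            alerts.append((severity, kind + "_on_browser", src, ev["target_pid"]))
    return alerts

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
# Constructed sample events, not real telemetry; all paths and pids are made up.
SAMPLE = [
    {"type": "process_create", "pid": 4100, "image": CHROME, "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "chrome.exe", "show_window": "SW_SHOWNORMAL"},
    {"type": "debug_attach", "source_image": r"C:\Tools\windbg.exe", "target_pid": 4100},
    {"type": "memory_read", "source_image": CHROME, "target_pid": 4100},
    {"type": "process_create", "pid": 5200, "image": CHROME, "parent_image": r"C:\Users\Public\updater.exe",
     "cmdline": "chrome.exe --headless=new", "show_window": "SW_HIDE"},
    {"type": "debug_attach", "source_image": r"C:\Users\Public\updater.exe", "target_pid": 5200},
    {"type": "memory_read", "source_image": r"C:\Users\Public\updater.exe", "target_pid": 5200},
    {"type": "debug_attach", "source_image": r"C:\Temp\tool.exe", "target_pid": 4100},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

Keep the allowlist short and keyed on more than the file name in production (signer and full path), since a name alone is trivial to imitate.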