EXECUTIVE SUMMARY:
VoidStealer is an infostealer malware designed to extract sensitive data from Chromium-based browsers by abusing internal debugging mechanisms. Unlike traditional credential stealers that rely on memory dumping or API hooking, VoidStealer leverages Chrome’s DevTools protocol to access protected data directly from the browser environment. This technique allows it to bypass modern security protections such as App-Bound Encryption (ABE), which is intended to safeguard stored credentials and cookies. The malware is often distributed through underground ecosystems as part of a Malware-as-a-Service (MaaS) model, lowering the barrier to entry for cybercriminals. Its emergence highlights a shift toward more stealthy and innovative data extraction methods that exploit legitimate browser functionality instead of injecting malicious code. By targeting widely used browsers, VoidStealer significantly increases its potential victim base, making it a notable threat in the evolving infostealer landscape.
The core technique used by VoidStealer involves abusing the Chrome DevTools remote debugging interface to interact with browser processes and extract sensitive information. Instead of escalating privileges or injecting code into protected processes, the malware launches or connects to a Chromium instance with debugging enabled, allowing it to programmatically query browser data. Through this interface, it can retrieve cookies, authentication tokens, and saved credentials, effectively bypassing App-Bound Encryption without directly breaking the encryption itself. This approach is particularly effective because it operates within the browser’s trusted context, making detection more difficult for traditional security tools. Additionally, VoidStealer avoids common indicators such as suspicious memory access patterns or privilege escalation attempts, further enhancing its stealth. The malware can also selectively target browser profiles and sessions, increasing efficiency and reducing noise.
VoidStealer represents a significant evolution in infostealer malware by demonstrating how legitimate browser features can be weaponized to bypass advanced security controls. Its ability to extract sensitive data without traditional exploitation techniques makes it harder to detect and mitigate using conventional defenses. The abuse of Chrome’s debugging protocol underscores the importance of securing not just vulnerabilities, but also legitimate functionalities that can be misused. This development signals a broader trend in cyber threats where attackers prioritize stealth, efficiency, and low-noise operations over noisy exploitation methods. Defenders must adapt by implementing stricter controls around browser debugging features, monitoring unusual browser launch parameters, and enhancing behavioral detection capabilities. Organizations should also educate users about the risks associated with running untrusted software that may silently enable such features.
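As an added illustration of the "monitoring unusual browser launch parameters" control called for above (example code written for this page, not code from the report or from either referenced vendor): a small Python check that scores Windows process-creation events and flags Chromium-based browsers started with the DevTools remote debugging switches enabled, which is the precondition for the extraction technique described in the summary. The browser image names, switch sets, interactive-parent allowlist and Sysmon-shaped sample events are assumptions constructed for the example.

```python
import ntpath
import re

# Chromium-based browsers whose launch parameters are worth inspecting (Windows image names; assumed list).
CHROMIUM_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Switches that expose the DevTools protocol to other local processes.
DEBUG_SWITCHES = {"--remote-debugging-port", "--remote-debugging-pipe"}
# Switches typical of a scripted launch rather than a user clicking a browser icon.
SCRIPTED_SWITCHES = {"--headless", "--user-data-dir", "--no-sandbox"}
# Parents expected for an interactive launch (assumed allowlist); anything else raises the severity.
INTERACTIVE_PARENTS = {"explorer.exe", "userinit.exe"}
# A switch is '--name' at line start or after whitespace; the value after '=' is ignored.
SWITCH_RE = re.compile(r"(?<!\S)(--[A-Za-z0-9-]+)")

def inspect_process_event(event):
    """Score one process-creation event (dict with Image, CommandLine, ParentImage).
    Returns a finding dict when a Chromium browser starts with remote debugging on, else None."""
    image = ntpath.basename(event["Image"]).lower()
    if image not in CHROMIUM_IMAGES:
        return None
    switches = {s.lower() for s in SWITCH_RE.findall(event["CommandLine"])}
    debug = sorted(switches & DEBUG_SWITCHES)
    if not debug:
        return None
    parent = ntpath.basename(event["ParentImage"]).lower()
    scripted = sorted(switches & SCRIPTED_SWITCHES)
    # A debugging flag alone is unusual on an end-user host; a non-interactive parent or a
    # headless / alternate-profile launch makes a user-driven explanation unlikely.
    severity = "high" if parent not in INTERACTIVE_PARENTS or scripted else "medium"
    return {"image": image, "parent": parent, "debug": debug, "scripted": scripted, "severity": severity}

# Constructed sample events in the shape of Sysmon Event ID 1 fields (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --headless '
                    r'--remote-debugging-port=9222 --user-data-dir="C:\Users\alice\AppData\Local\Temp\prof"',
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229',
     "ParentImage": r"C:\Windows\explorer.exe"},
]

def run_detection(events=SAMPLE_EVENTS):
    """Return the findings for a batch of events, in input order (benign launches are dropped)."""
    return [f for f in map(inspect_process_event, events) if f is not None]
```

Calling run_detection() on the sample batch returns two findings: the headless launch from a temporary-directory parent scores "high", the plain Edge launch with only the debugging port scores "medium", and the ordinary profile launch is ignored.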
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Execution | T1204.002 | User Execution | Malicious File |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Execution | T1106 | Native API | – |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027 | Obfuscated Files or Information | – |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials in Files |
| Discovery | T1082 | System Information Discovery | – |
| Collection | T1005 | Data from Local System | – |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | – |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Collection | B0028 | Cryptocurrency |
| Command and Control | B0030 | C2 Communication |
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Discovery | E1083 | File and Directory Discovery |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/voidstealer-infostealer-chrome-edge-abe-encryption-bypass/
https://www.gendigital.com/blog/insights/research/voidstealer-abe-bypass