{
  "name": "VoidStealer: Debugging Chrome to Steal Its Secrets",
  "slug": "voidstealer-debugging-chrome-to-steal-its-secrets",
  "description": "VoidStealer is an emerging infostealer that employs a novel debugger-based Application-Bound Encryption (ABE) bypass technique. This method leverages hardware breakpoints to extract the v20_master_key directly from browser memory, requiring neither privilege escalation nor code injection. The technique involves attaching to the browser process as a debugger, setting breakpoints at strategic locations, and extracting the key while it is briefly present in plaintext. This approach offers a lower detection footprint than alternative bypass methods. The referenced blog post dissects the technique step by step, from locating the target address for breakpoint placement to extracting the key. It also provides detection strategies for defenders, focusing on monitoring debugger attachments and suspicious browser memory reads.",
  "published": "2026-03-20T09:51:33.321000+00:00",
  "created_at": "2026-03-20T21:18:20.934000+00:00",
  "modified_at": "2026-03-20T20:18:20+00:00",
  "created_at_opencti": "2026-03-20T21:18:20.934000+00:00",
  "author": "AlienVault",
  "confidence": 100,
  "report_types": [
    "threat-report"
  ],
  "labels": [
    "abe bypass",
    "chrome",
    "debugger-based technique",
    "edge",
    "hardware breakpoints",
    "infostealer",
    "memory analysis",
    "v20_master_key extraction",
    "voidstealer"
  ],
  "tags": [
    "2026-03-20",
    "abe bypass",
    "chrome",
    "debugger-based technique",
    "edge",
    "hardware breakpoints",
    "infostealer",
    "memory analysis",
    "v20_master_key extraction",
    "voidstealer"
  ],
  "related_entities": {
    "indicators": [
      {
        "id": "2b69f983-3a94-4059-b481-7d77a4d3b8d0",
        "name": "f783fde5cf7930e4b3054393efadd3675b505cbef8e9d7ae58aa35b435adeea4"
      }
    ],
    "intrusion_sets": [
      {
        "id": "caa7f1ad-537d-4df9-99d4-7aad4cf3fdac",
        "name": "VoidStealer",
        "slug": "voidstealer"
      }
    ],
    "malware": [
      {
        "id": "fe08beba-5fdd-4853-a476-39f96e90b956",
        "name": "VoidStealer",
        "slug": "voidstealer"
      }
    ],
    "observables": [
      {
        "id": "",
        "name": "f783fde5cf7930e4b3054393efadd3675b505cbef8e9d7ae58aa35b435adeea4"
      }
    ]
  },
  "external_refs": [
    {
      "id": "1fb9434e-0bd5-4ed2-a018-0fb1eefd136e",
      "standard_id": "external-reference--3bcf347f-e96b-531a-841b-4b86624941d3",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://otx.alienvault.com/pulse/69bd18a56a2163e596b86133",
      "hash": null,
      "external_id": "69bd18a56a2163e596b86133",
      "created": "2026-03-20T21:18:18.164Z",
      "modified": "2026-03-20T21:18:18.164Z",
      "createdById": null
    },
    {
      "id": "234563cc-0f4b-42dd-bd8d-4aba1b4781b2",
      "standard_id": "external-reference--871a7a3c-4cc6-58bc-b019-72f3d217c92e",
      "entity_type": "External-Reference",
      "source_name": "AlienVault",
      "description": null,
      "url": "https://www.gendigital.com/blog/insights/research/voidstealer-abe-bypass",
      "hash": null,
      "external_id": null,
      "created": "2026-03-20T21:18:18.187Z",
      "modified": "2026-03-20T21:18:18.187Z",
      "createdById": null
    }
  ]
}