[TIMESTAMP: 2026-03-22 16:10 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

VoidStealer: Bypassing Chrome ABE via Remote Debugging Protocol

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] VoidStealer extracts sensitive browser data by bypassing Chrome's Application-Bound Encryption via a remote debugging technique.
  • [02] Impacted software includes Google Chrome versions 127 and later running on Windows environments.
  • [03] Defenders must monitor for unauthorized execution of Chrome with the remote-debugging-port command-line flag enabled.

Understanding the VoidStealer Threat

According to BleepingComputer, researchers have identified a sophisticated new information stealer dubbed VoidStealer. This malware is specifically designed to target sensitive data stored within Chromium-based browsers, such as passwords, cookies, and credit card information. The primary innovation of this threat is its ability to bypass Chrome Application-Bound Encryption (ABE), a security feature Google introduced to blunt credential-harvesting phishing and info-stealer campaigns.

Technical Analysis: The Remote Debugging Bypass

In version 127 of Google Chrome, a new security layer was implemented to protect the “Local State” file. This file contains the “app_bound_encrypted_key,” which is used to decrypt the rest of the browser’s sensitive data. ABE utilizes the Windows Data Protection API (DPAPI) but adds a layer that binds the encryption key to the identity of the specific application, in this case chrome.exe. This mechanism ensures that even if a user’s account is compromised, a different, unauthorized process running as that user cannot simply decrypt the key.

The VoidStealer Remote Debugging Trick

VoidStealer circumvents these protections by avoiding direct file-system interaction with the encrypted key. Instead, it abuses the Chrome Remote Debugging Protocol: the malware initiates a new instance of the browser, or attaches to an existing one, using the --remote-debugging-port command-line flag.

Because the debugger is considered a legitimate component of the browser environment, it operates within the trusted context required to access the decrypted master key. This VoidStealer remote debugging trick allows the malware to programmatically request the key through the DevTools protocol, effectively tricking the browser into performing the decryption on behalf of the attacker. This bypass renders the encryption at rest ineffective because the decryption occurs within the authorized application boundary.

Data Exfiltration and C2 Infrastructure

Once the master key is retrieved, VoidStealer can decrypt all stored secrets. The harvested data, including session tokens that allow lateral movement into corporate cloud environments, is bundled and transmitted to an attacker-controlled C2 server. This methodology demonstrates a shift in TTPs away from traditional API hooking toward leveraging built-in administrative or developer features of the target application.

Detection and Remediation Recommendations

Defenders must adapt their monitoring strategies to account for these non-traditional exploitation paths. While there is currently no specific CVE associated with this design-level bypass, the behavior itself is highly anomalous in most enterprise environments.

How to Detect VoidStealer Malware

To effectively identify this activity, the SOC should focus on process telemetry. Organizations should configure their EDR or SIEM to alert whenever chrome.exe, msedge.exe, or other Chromium browsers are launched with the following command-line parameters:

  • --remote-debugging-port=
  • --user-data-dir= (especially when pointing to a temporary or non-standard directory)
  • --headless (often used to hide the browser window from the user)
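As an added example (not code from the article or from the researchers it cites), the following Python applies the command-line indicators above to constructed, Sysmon-style process-creation events (Image, CommandLine, ParentImage). The browser list, the set of "normal" parent processes, and the profile-directory heuristic are assumptions to tune for your own estate.

```python
import re

# Chromium-based browser binaries to watch (assumed list; extend for your estate)
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}

# Switches called out in the article; --remote-debugging-port exposes the DevTools
# protocol, --headless and a non-standard --user-data-dir are supporting indicators.
SWITCH_RE = re.compile(r'--(remote-debugging-port|user-data-dir|headless)(?:=("[^"]*"|\S*))?', re.I)

def parse_switches(cmdline):
    """Return {switch: value} for the switches of interest found in a command line."""
    return {m.group(1).lower(): (m.group(2) or "").strip('"') for m in SWITCH_RE.finditer(cmdline)}

def is_standard_profile_dir(path):
    """Heuristic (assumption): real profiles live under %LOCALAPPDATA%, never under Temp."""
    p = path.replace("/", "\\").lower()
    return "\\appdata\\local\\" in p and "\\temp\\" not in p

def assess(event):
    """Score one process-creation event; returns None when nothing is suspicious."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    if image not in BROWSERS:
        return None
    switches = parse_switches(event["CommandLine"])
    if "remote-debugging-port" not in switches:
        return None  # remote debugging is the necessary indicator for this alert
    reasons = ["remote-debugging-port=" + switches["remote-debugging-port"]]
    if "headless" in switches:
        reasons.append("headless")
    udd = switches.get("user-data-dir")
    if udd and not is_standard_profile_dir(udd):
        reasons.append("non-standard user-data-dir: " + udd)
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    if parent and parent not in {"explorer.exe", image}:  # assumed benign parents
        reasons.append("unusual parent: " + parent)
    return {"image": image, "severity": "high" if len(reasons) > 1 else "medium", "reasons": reasons}

def scan(events):
    """Run assess() over a batch of events and keep only the alerts."""
    return [a for a in (assess(e) for e in events) if a]

# Constructed sample events (not real telemetry): normal launch, suspicious launch, borderline dev use
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [
    {"Image": CHROME, "CommandLine": f'"{CHROME}" --profile-directory=Default', "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": CHROME, "CommandLine": f'"{CHROME}" --headless --remote-debugging-port=9222 --user-data-dir="C:\\Users\\u\\AppData\\Local\\Temp\\x"',
     "ParentImage": r"C:\Users\u\AppData\Local\Temp\update.exe"},
    {"Image": CHROME, "CommandLine": f'"{CHROME}" --remote-debugging-port=9222', "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Developers do legitimately start a browser with --remote-debugging-port, so the medium-severity alert is a triage candidate while the combination of flags plus an unusual parent is what should page someone.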

Furthermore, security teams should map these behaviors to the MITRE ATT&CK framework, specifically focusing on T1555 (Credentials from Password Stores) and T1539 (Steal Web Session Cookie). Detecting Parent Process ID (PPID) spoofing, and restricting which binaries are permitted to spawn browser processes, can also serve as preventative measures. Organizations should prioritize migrating to hardware-backed security keys for sensitive web sessions to mitigate the impact of stolen session tokens.
