Chrome under attack: malware MaaS steals the master key in memory using hardware debugging and breakpoints

Published · 5 min read · 163 reads

Not long ago, Google hardened Chrome with a feature designed to protect sensitive data such as cookies and credentials: Application-Bound Encryption (ABE), a layer that keeps the master key encrypted on disk and requires a service running with SYSTEM privileges to decrypt it. The idea was to close an access path that infostealers had been exploiting for years. However, security researchers have now identified a new actor that has found a different, stealthier way to defeat that barrier.

The finding is documented by Gen Digital, the parent company of Norton, Avast, AVG and Avira. Its report describes how a malware platform sold as a service, known as VoidStealer, incorporated a debugging technique to capture the so-called v20_master_key directly from the browser's memory, at the exact moment it appears in plaintext during a legitimate decryption operation.


The novelty is not the ability to read memory, since techniques for extracting the key had already been demonstrated in open-source tools, but the method: VoidStealer launches a browser process in a suspended, hidden state, attaches to it as a debugger and waits for the relevant module (for example chrome.dll or msedge.dll) to load. From there it locates a specific instruction that references a known string inside that DLL and places a hardware breakpoint on that address.

A hardware breakpoint differs from classic code injection or privilege escalation: it works at the processor level, through the CPU's debug registers, and can stop a thread's execution when it reaches a given instruction. VoidStealer applies that mechanism to every thread of the target process and waits for the marked instruction to execute during browser start-up, since launching the browser forces an early read and decryption of the protected data. At that moment the malware reads the thread's registers to obtain a pointer to the memory block holding the plaintext master key and copies it out of the process with legitimate system calls such as ReadProcessMemory. Because the browser process was spawned by the malware under the same user account, attaching a debugger to it requires no special rights. The result is that, without escalating privileges or injecting code, attackers obtain the key needed to decrypt cookies and the other secrets stored by the browser.
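What "places a hardware breakpoint on that address" and "reads the thread's registers" mean at the processor level, as an added example that is not code from the Gen Digital report, from VoidStealer or from ChromeKatz: the portable part encodes and decodes the x86/x64 DR7 debug-control register exactly as the CPU defines it, and the part guarded by `_WIN32` shows how a debugger arms such a breakpoint on a suspended thread through GetThreadContext/SetThreadContext, with the same context read serving as the check an endpoint tool would make for a thread that should have no armed slot. Function names, the slot number and the address are illustrative choices made here; nothing in this block locates a string or a key.

```c
/*
 * Added example (not VoidStealer, Gen Digital or ChromeKatz code): how an x86/x64
 * hardware execution breakpoint is expressed in the DR7 debug-control register,
 * and how the same bits can be read back to notice that someone has armed one.
 *
 * DR7 layout (Intel SDM):
 *   bits 0..7    L0,G0 .. L3,G3   local/global enable per slot
 *   bits 16+4n   R/Wn (2 bits)    00 = break on execute, 01 = write, 11 = read/write
 *   bits 18+4n   LENn (2 bits)    00 = 1 byte, which is mandatory for execute breakpoints
 * DR6 bits 0..3 (B0..B3) report which slot fired after the trap; on Windows the
 * debugger receives that trap as an EXCEPTION_SINGLE_STEP debug event.
 */
#include <stdint.h>
#include <stdio.h>

#define DR7_LOCAL_ENABLE(slot)  (1ULL << (2 * (slot)))
#define DR7_GLOBAL_ENABLE(slot) (1ULL << (2 * (slot) + 1))
#define DR7_RW_SHIFT(slot)      (16 + 4 * (slot))
#define DR7_LEN_SHIFT(slot)     (18 + 4 * (slot))

enum hwbp_kind { HWBP_EXEC = 0, HWBP_WRITE = 1, HWBP_IO = 2, HWBP_READWRITE = 3 };

/* Arm slot 0..3 as an execute breakpoint: local enable, R/W = 00, LEN = 00. */
uint64_t dr7_set_exec_breakpoint(uint64_t dr7, int slot)
{
    if (slot < 0 || slot > 3) return dr7;
    dr7 &= ~(3ULL << DR7_RW_SHIFT(slot));   /* R/W = 00 -> break on instruction fetch */
    dr7 &= ~(3ULL << DR7_LEN_SHIFT(slot));  /* LEN = 00 -> 1 byte, required for execute */
    dr7 |= DR7_LOCAL_ENABLE(slot);
    return dr7;
}

/* Disarm a slot; the enable bits are what matter, DRn may keep its address. */
uint64_t dr7_clear_breakpoint(uint64_t dr7, int slot)
{
    if (slot < 0 || slot > 3) return dr7;
    return dr7 & ~(DR7_LOCAL_ENABLE(slot) | DR7_GLOBAL_ENABLE(slot));
}

int dr7_slot_enabled(uint64_t dr7, int slot)
{
    return (dr7 & (DR7_LOCAL_ENABLE(slot) | DR7_GLOBAL_ENABLE(slot))) != 0;
}

/* R/W field of a slot, one of enum hwbp_kind. */
int dr7_slot_kind(uint64_t dr7, int slot)
{
    return (int)((dr7 >> DR7_RW_SHIFT(slot)) & 3);
}

/* Number of armed slots; non-zero in a thread that should have none is the signal. */
int dr7_count_enabled(uint64_t dr7)
{
    int n = 0;
    for (int slot = 0; slot < 4; slot++) n += dr7_slot_enabled(dr7, slot);
    return n;
}

/* After a trap, DR6 bits B0..B3 say which slot fired; returns the slot or -1. */
int dr6_fired_slot(uint64_t dr6)
{
    for (int slot = 0; slot < 4; slot++)
        if (dr6 & (1ULL << slot)) return slot;
    return -1;
}

#ifdef _WIN32
#include <windows.h>
/* Windows only: arm an execute breakpoint on one thread. Debug registers are part of
 * each thread's context, so this has to be repeated for every thread of the target,
 * and the thread should be suspended while its context is rewritten. */
BOOL arm_exec_breakpoint_on_thread(HANDLE thread, int slot, uintptr_t address)
{
    CONTEXT ctx;
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (!GetThreadContext(thread, &ctx)) return FALSE;
    switch (slot) {
    case 0: ctx.Dr0 = address; break;
    case 1: ctx.Dr1 = address; break;
    case 2: ctx.Dr2 = address; break;
    case 3: ctx.Dr3 = address; break;
    default: return FALSE;
    }
    ctx.Dr7 = dr7_set_exec_breakpoint(ctx.Dr7, slot);
    return SetThreadContext(thread, &ctx);
}

/* Windows only: the defender-side read of the same bits on a suspended thread. */
int count_hw_breakpoints_on_thread(HANDLE thread)
{
    CONTEXT ctx;
    ctx.ContextFlags = CONTEXT_DEBUG_REGISTERS;
    if (!GetThreadContext(thread, &ctx)) return -1;
    return dr7_count_enabled(ctx.Dr7);
}
#endif

int main(void)
{
    uint64_t dr7 = dr7_set_exec_breakpoint(0, 0);  /* the kind of breakpoint described above */
    printf("DR7 after arming slot 0 for execute: 0x%llx\n", (unsigned long long)dr7);
    printf("armed slots: %d, slot 0 kind: %d (0 = execute)\n",
           dr7_count_enabled(dr7), dr7_slot_kind(dr7, 0));
    printf("DR6 = 0x1 means slot %d fired\n", dr6_fired_slot(0x1));
    return 0;
}
```

The portable functions compile anywhere with a C99 compiler; the two guarded helpers are only built on Windows. GetThreadContext returns unreliable register values for a thread that is currently running, so a checker should suspend the thread, or inspect it from a debugger loop, before trusting what it reads in Dr7.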

According to Gen Digital, this behavior did not appear out of nowhere: the technique resembles open-source components such as ElevationKatz, part of the ChromeKatz suite, which had already demonstrated practical weaknesses in Chrome's data protection. The dangerous difference is that the technique has now moved from the lab to the criminal market, integrated into a MaaS product that has been advertised on underground forums since late 2025 and that added this bypass in its version 2.0.

The case highlights an important point about modern security: mitigations that protect secrets at rest can be defeated at the exact moment a legitimate application performs legitimate operations to decrypt them. The problem is not only encryption on disk but control over the processes that do the decrypting. If an attacker can observe those processes from the inside, even without high privileges, they can capture the keys as soon as they materialize in memory.

Chrome's developers have been shipping fixes and hardening to close known techniques, and the ABE concept itself was a step forward against trivial attacks. However, the emergence of vectors based on debugging and hardware breakpoints shows that the cat-and-mouse game continues: defenders close holes, researchers publish proofs of concept, and criminals sometimes fold those proofs of concept into commercial tools.


For users and security teams this has several practical implications. First, keeping the browser and operating system up to date remains the first line of defense, because many patches include hardening against process-manipulation techniques. Second, detecting attempts to enumerate, attach to or debug legitimate processes should be part of the endpoint control set; hardware breakpoints are harder to detect than injection techniques, but not impossible for advanced EDR solutions and system-integrity policies. A browser process created by an unexpected parent, started suspended and with a debugger attached, is a combination that almost never occurs in normal use and is a useful signal. Finally, restricting the execution of unknown binaries and applying least-privilege measures reduce exposure to threats of this kind.

If you want to read the technical analysis behind this news, Gen Digital published a report describing the chain of events and the attacker's logic: Gen Digital report on VoidStealer. To see the open-source piece that inspired the technique, the ChromeKatz project and its ElevationKatz component are available on GitHub: ChromeKatz repository. It may also be useful to consult the official release notes for the Chrome versions in which ABE-related security improvements were introduced, available on the Google release blog: Chrome Releases.

The final message is sobering: defenses for the secure storage of secrets are necessary but not sufficient on their own. Attacks that observe and exploit legitimate processing windows demand a defense that combines constant patching, behavior monitoring and strict execution controls. And as researchers keep publishing techniques and proofs of concept, browser developers and security teams will have to adapt their strategies to make those exposure windows ever harder to exploit.
