{
  "Event": {
    "analysis": "1",
    "date": "2026-03-19",
    "extends_uuid": "",
    "info": "[Threat Intel] VoidStealer: Debugging Chrome to Steal Its Secrets",
    "protected": false,
    "publish_timestamp": "1775245827",
    "published": true,
    "threat_level_id": "3",
    "timestamp": "1775245826",
    "uuid": "c6e940f7-ff09-4927-b3a3-6e7ab9b680d8",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"none-from-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#110041",
        "local": false,
        "name": "rectifyq:sub-category=\"malware-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#230087",
        "local": false,
        "name": "rectifyq:samples-found-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774062007",
        "to_ids": false,
        "type": "link",
        "uuid": "7b65a1b9-4a57-4079-9049-eb1eac2dde21",
        "value": "https://www.gendigital.com/blog/insights/research/voidstealer-abe-bypass",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774062007",
        "to_ids": false,
        "type": "text",
        "uuid": "533e5bf6-3230-444f-82c3-c2bbdd842c3d",
        "value": "VoidStealer is an emerging infostealer that employs a novel debugger-based Application-Bound Encryption (ABE) bypass technique. This method leverages hardware breakpoints to extract the v20_master_key directly from browser memory, requiring neither privilege escalation nor code injection. The technique involves attaching to the browser process as a debugger, setting breakpoints at strategic locations, and extracting the key when it's briefly present in plaintext. This approach offers a lower detection footprint compared to alternative bypass methods. The blog post dissects the technique step-by-step, from locating the target address for breakpoint placement to extracting the key. It also provides detection strategies for defenders, focusing on monitoring debugger attachments and suspicious browser memory reads."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774062007",
        "to_ids": false,
        "type": "text",
        "uuid": "337831f7-71b9-400f-95c0-8f83269c66e5",
        "value": "Name: VoidStealer: Debugging Chrome to Steal Its Secrets\nAuthor: AlienVault\nAdversary: VoidStealer\nTags: [\"abe bypass\", \"memory analysis\", \"edge\", \"debugger-based technique\", \"chrome\", \"voidstealer\", \"infostealer\", \"hardware breakpoints\", \"v20_master_key extraction\"]\nTgtd countries: []\nMlwr families: [\"VoidStealer\"]\nAttack_ids: []\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1774062007",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "80427ae5-b67b-47ec-b0df-5c5ed4ff8663",
        "value": "VoidStealer"
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1775240092",
        "uuid": "081355bb-ae8f-4dbc-9602-8a3d07876507",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "VoidStealer v2.0",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1775240092",
            "to_ids": true,
            "type": "md5",
            "uuid": "e70225bb-2c66-4cdb-a3a6-17b62623a586",
            "value": "befd84a29522d4350ae2f674f2ffcd8b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "VoidStealer v2.0",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1775237432",
            "to_ids": true,
            "type": "sha1",
            "uuid": "7f231707-fa05-4348-9617-06ada1684bb9",
            "value": "86cb3e6750f76c5d2d7eaeb176f5a5b92a2fbf7b",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "VoidStealer v2.0",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1775237432",
            "to_ids": true,
            "type": "sha256",
            "uuid": "687341f5-3cd7-4d86-b565-4ee2ccf87a49",
            "value": "f783fde5cf7930e4b3054393efadd3675b505cbef8e9d7ae58aa35b435adeea4",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#230087",
                "local": false,
                "name": "rectifyq:samples-found-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1775236188",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "bf579fb8-3082-4f1f-81a1-75dd69b02d06",
            "value": "24576:lbFTGIponkrtYHiiKP2c1hyc9xTdWufJGYiCp5/WFEFVMOsSQJ+p+d:WxnNLq1R9xRlGhCp5EI"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1775236188",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "696238e4-1fc7-45bf-8d31-7de34393a92d",
            "value": "1764352"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "vhash",
            "timestamp": "1775236188",
            "to_ids": true,
            "type": "vhash",
            "uuid": "52b7f3d0-48db-4bc1-b4e3-14e4f84d6057",
            "value": "016076656d155d05555153z20600bc7z7045z2011z65za7z"
          },
          {
            "category": "Payload delivery",
            "comment": "Filename is the SHA-256 of the sample plus .exe (sandbox-style naming, see the sha256 attribute), not an observed in-the-wild name; of little value as a detection indicator on its own.",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1775236188",
            "to_ids": true,
            "type": "filename",
            "uuid": "cb9ebe8d-4280-4503-9b98-fa354ca686b5",
            "value": "f783fde5cf7930e4b3054393efadd3675b505cbef8e9d7ae58aa35b435adeea4.exe"
          },
          {
            "category": "Other",
            "comment": "Checked: 2026-04-04\nLast scan: 2026-04-03",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1775236188",
            "to_ids": false,
            "type": "text",
            "uuid": "9b2a4bee-6dc5-4239-947c-27c1d07b04ab",
            "value": "VoidStealer v2.0\nType Description: Win32 EXE\nMicrosoft: PWS:Win64/WallStealer.CI!MTB\nVT Total Detection: 53/71\nFirst Submission: 2026-03-23T09:15:55.000000+00:00\nLast Submission: 2026-03-23T09:43:50.000000+00:00"
          }
        ]
      }
    ]
  }
}