Infostealer Developers Claim They Can Bypass Chrome’s Cookie-Theft Protections

• Several infostealer developers claim their malware can bypass Chrome App-Bound Encryption.
• The threat actors mentioned the new development does not require admin rights or restart to work.
• Among the malware that can achieve this circumvention are Lumma Stealer, Vidar Stealer, and StealC.

Several infostealer malware developers claim to have successfully bypassed Google Chrome's App-Bound Encryption, a feature recently implemented to safeguard sensitive data, including cookies and stored passwords, as a recent report says.

This encryption method, introduced in Chrome version 127, leverages a Windows service running with system privileges to protect user data, effectively thwarting infostealer malware that operates under the logged-in user's permissions.

Typically, to breach App-Bound Encryption, malware would need system-level privileges or inject code into Chrome—actions likely to trigger alerts from security tools. 

However, according to security researchers g0njxa and RussianPanda9xx, several infostealer developers have announced successful bypasses for their tools, such as MeduzaStealer, Whitesnake, Lumma Stealer, Lumar (PovertyStealer), Vidar Stealer, and StealC.

G0njxa confirmed that the latest variant of Lumma Stealer can circumvent Chrome 129's encryption feature. Testing was conducted on a Windows 10 Pro system in a controlled sandbox environment.

Meduza and WhiteSnake implemented their bypass mechanisms over two weeks ago. Lumma followed suit last week, while Vidar and StealC unveiled theirs this week.

Lumma's response to App-Bound Encryption initially involved a temporary solution requiring admin rights. However, they have since developed a method that functions using the logged-in user's permissions. The Lumma Stealer developers assured users that admin privileges are unnecessary for successful cookie theft.

While the specifics of how these bypasses were accomplished remain undisclosed, the creators of Rhadamanthys malware claimed that reversing the encryption took them just 10 minutes.

Chrome's App-Bound Encryption represents a robust step forward in browser security, but as this incident illustrates, the cybersecurity community must remain vigilant and proactive in countering such threats.

Infostealers are one of the main malware types used by threat actors, and Lumma Stealer, StealC, and Vidar Stealer were among the most seen this year.