
If your staff save passwords in Google Chrome — and the majority do — there is a new piece of malware worth knowing about. It is called VoidStealer, it has been available to criminals since December 2025, and it is capable of stealing saved login credentials, cookies, and session data from Chrome even on a fully up-to-date computer.

This is not a reason to panic. It is a reason to make sure a few sensible precautions are in place.


What Is VoidStealer?

VoidStealer is what security researchers call an infostealer — malware designed not to lock your files or demand a ransom, but to quietly harvest valuable information and send it back to whoever is running it.

What makes VoidStealer notable is that it was built to defeat a specific security protection that Google added to Chrome in mid-2024. That protection — designed to prevent exactly this kind of theft — was supposed to make it far harder for malware to access the master key Chrome uses to protect all of your stored data. VoidStealer found a way around it.

The research was published by Gen Digital, the company behind Norton, Avast, and AVG.


What Can It Steal?

From a business owner’s perspective, the list is concerning:

  • Saved passwords stored in Chrome’s built-in password manager
  • Session cookies — small files that keep you logged into websites without needing to type your password again
  • Login tokens for cloud services, email platforms, and web applications

The session cookie point deserves attention. If an attacker obtains the cookie for your accounting software, your email, or your cloud file storage, they can access that account immediately — without needing your password and without triggering a multi-factor authentication prompt. From the website’s point of view, they look exactly like you.


Why Hasn’t Google Fixed This?

Google did try to fix it. In June 2024, they introduced a layer of encryption specifically to protect Chrome’s master key — the key that locks all your stored passwords and cookies. To access it, any software would normally need to pass a verification check that ordinary malware cannot pass.

VoidStealer version 2.0 works around this by exploiting a legitimate feature of Windows that is normally used by developers for debugging software. In simple terms: it secretly starts a hidden copy of Chrome, waits for the brief window during startup when Chrome holds the unencrypted key in memory, and reads it at exactly that moment. No administrator access required.

The researchers note that the underlying technique was adapted from a publicly available proof-of-concept that has existed for over a year — meaning the approach was always a known risk. VoidStealer is simply the first malware seen actively using it.
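Because the technique described above relies on the malware starting its own copy of Chrome, one thing a defender can look for is chrome.exe being launched by a parent process that would not normally start a browser. The PowerShell below is an added illustration written for this article, not code from the researchers or from Cairn Intelligence: it runs a simple hunt over process-creation records shaped like Sysmon Event ID 1. The records are constructed for the example, and the list of "expected" parents is an assumption to be tuned for your own environment.

```powershell
# Added example (not from the original post): flag chrome.exe launched by an
# unexpected parent process. A hidden copy of Chrome started by malware is
# exactly the kind of launch this would surface.
# Assumptions: Windows; records carry the fields of Sysmon Event ID 1
# (process creation); the parent allowlist below is a starting point only.

$ExpectedChromeParents = @('explorer.exe', 'chrome.exe')

function Find-SuspiciousChromeLaunch {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        # Only process-creation records for Chrome itself are of interest.
        $image = [System.IO.Path]::GetFileName($e.Image).ToLowerInvariant()
        if ($image -ne 'chrome.exe') { continue }

        # Chrome normally starts from the desktop shell or from another
        # Chrome process (its own renderer/GPU children). Anything else is
        # worth a look.
        $parent = [System.IO.Path]::GetFileName($e.ParentImage).ToLowerInvariant()
        if ($ExpectedChromeParents -notcontains $parent) {
            [pscustomobject]@{
                Time        = $e.UtcTime
                User        = $e.User
                Parent      = $e.ParentImage
                CommandLine = $e.CommandLine
            }
        }
    }
}

# Constructed sample records (not real telemetry). The first two are normal
# Chrome activity; the third is a browser started from a file in a Temp folder.
$sample = @(
    [pscustomobject]@{ UtcTime = '2026-01-12 09:01:03'; User = 'CORP\alice'
        Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
        ParentImage = 'C:\Windows\explorer.exe'; CommandLine = '"chrome.exe"' },
    [pscustomobject]@{ UtcTime = '2026-01-12 09:01:05'; User = 'CORP\alice'
        Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
        ParentImage = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
        CommandLine = '"chrome.exe" --type=renderer' },
    [pscustomobject]@{ UtcTime = '2026-01-12 09:14:40'; User = 'CORP\alice'
        Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
        ParentImage = 'C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe'
        CommandLine = '"chrome.exe"' }
)

# Only the third record is reported.
Find-SuspiciousChromeLaunch -Events $sample | Format-Table -AutoSize
```

On a machine with Sysmon installed, the same function can be fed real records by reading the Microsoft-Windows-Sysmon/Operational log with Get-WinEvent and filtering on Event ID 1; an EDR product will usually expose the same parent/child relationship in its own console. Expect some legitimate launches from installers, update tools or remote-support software, so treat a hit as a prompt to investigate rather than proof of infection.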


How Does This Malware Actually Get In?

Like most infostealers, VoidStealer almost certainly arrives via one of two routes:

Phishing emails. A convincing email with a link or attachment that installs the malware when clicked or opened. The email might appear to come from a supplier, a delivery company, or even a colleague.

Malicious downloads. Staff downloading software, cracked applications, or files from unofficial sources. This is particularly common when people search for free versions of paid tools.

In both cases, the infection happens silently — there is nothing to indicate anything has gone wrong. The malware runs, collects what it needs, and sends it elsewhere.


What Should Your Business Do?

None of the steps below require specialist knowledge or significant spending. They are straightforward precautions that meaningfully reduce your exposure.

  • Do not rely on Chrome’s built-in password manager for business accounts. Use a dedicated password manager — tools such as Bitwarden, 1Password, or similar — which store credentials outside the browser and are not affected by this technique. This is good practice regardless of VoidStealer.

  • Enable multi-factor authentication (MFA) on everything that supports it. Even if an attacker obtains a password, MFA stops them logging in with it. (A stolen session cookie, as described above, lets an attacker sidestep the MFA prompt, so MFA complements the other steps here rather than replacing them.) Prioritise email, cloud storage, and any financial or accounting tools.

  • Remind staff to be cautious about email links and unsolicited attachments. This does not need to be a lengthy training programme — a short, clear reminder about checking the sender and not opening unexpected attachments goes a long way.

  • Ensure endpoint protection is installed and up to date. Reputable antivirus and endpoint security products are increasingly capable of detecting infostealer behaviour before data leaves the machine.

  • Keep software updated. While VoidStealer bypasses Chrome’s encryption layer, keeping all software — including the operating system — current reduces the overall attack surface and closes vulnerabilities that other malware exploits.
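The first point in the list above, moving business credentials out of Chrome, can be enforced rather than merely requested: Chrome honours an enterprise policy called PasswordManagerEnabled, and setting it to 0 stops Chrome offering to save or fill passwords. The PowerShell below is an added example written for this article, not code from Cairn Intelligence or from Google; it assumes a Windows machine and an elevated (administrator) PowerShell session, and writes the policy for all users of that machine.

```powershell
# Added example (not from the original post): disable Chrome's built-in
# password manager by policy and verify the setting took effect.
# Assumptions: Windows; Chrome reads machine policies from
# HKLM\SOFTWARE\Policies\Google\Chrome; the session is elevated.

$ChromePolicyPath = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

function Set-ChromePasswordManagerPolicy {
    param([switch]$Disable)

    # The policy key does not exist until a Chrome policy has been set.
    if (-not (Test-Path $ChromePolicyPath)) {
        New-Item -Path $ChromePolicyPath -Force | Out-Null
    }

    # 0 = users cannot save new passwords in Chrome and autofill is off;
    # 1 = the built-in password manager behaves as normal.
    $value = if ($Disable) { 0 } else { 1 }
    Set-ItemProperty -Path $ChromePolicyPath -Name 'PasswordManagerEnabled' `
                     -Value $value -Type DWord
}

function Test-ChromePasswordManagerPolicy {
    # Returns $true only when the policy is present and set to 0 (disabled).
    if (-not (Test-Path $ChromePolicyPath)) { return $false }
    $item = Get-ItemProperty -Path $ChromePolicyPath -Name 'PasswordManagerEnabled' `
                             -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.PasswordManagerEnabled -eq 0)
}

Set-ChromePasswordManagerPolicy -Disable

if (Test-ChromePasswordManagerPolicy) {
    Write-Output 'Chrome built-in password manager disabled by policy (restart Chrome to apply).'
} else {
    Write-Output 'Policy not applied; confirm this session is running as administrator.'
}
```

After restarting Chrome, chrome://policy lists the setting and shows whether it was applied. For a fleet, push the same value through Group Policy or your device-management tool instead of running the script by hand. The policy prevents new credentials being saved; passwords staff have already stored in their profiles should be moved into the dedicated password manager and then removed from Chrome, otherwise they remain exposed to exactly the theft this article describes.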


The Bigger Picture

Infostealers like VoidStealer do not make headlines the way ransomware does, partly because the damage is less immediately visible. A business may not know its credentials have been stolen until those credentials are used to access an account weeks later.

That quiet, delayed nature is what makes infostealers worth taking seriously. The practical steps above are not complicated — and for most small businesses, they represent a meaningful improvement in resilience with very little effort.


What Cairn Intelligence Does

Cairn Intelligence monitors active threats targeting small and medium-sized businesses, including newly emerging malware families like VoidStealer. Monthly briefings cover what is active, what it is targeting, and what practical steps to take.

If you would like to understand your current exposure, a free pilot engagement is available with no commitment.

Get in touch or email sam@cairnintelligence.com.


Cairn Intelligence — cairnintelligence.com — Published threat intelligence research at reports.cairnintelligence.com
