Bypass Record
LSASS Credential Dumping × Google Chrome
A publicly reported instance of LSASS Credential Dumping bypassing Google Chrome, recorded with its original source. Factual record; no assessment of any specific deployment.
Mechanism
VoidStealer uses a novel method to circumvent Chrome's App-Bound Encryption, the protection layer that ties the key guarding cookies and saved credentials to the browser's own identity, so that a process merely running as the same Windows user can no longer decrypt them with a plain DPAPI call. The cited report indicates the malware runs with ordinary user-level privileges and abuses the way Chrome handles decryption requests, which lets it extract and decrypt the protected data without triggering endpoint detection.
Detection & mitigation
Monitor for processes reading Chrome's Local State or Cookies files, both of which live under the user's Chrome profile directory, and pay particular attention to reads from anything other than the browser itself. Deploy endpoint detection rules for unexpected file reads of browser profile directories (match the full image path of the reader, since a copied binary can trivially be named chrome.exe), and enforce application control to block untrusted executables.
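The detection rule above, as an added worked example that is not part of the cited source: a small Python detector that consumes constructed Windows Security 4663 ("object access") records as JSON lines and raises an alert when a process outside the browser's trusted install path reads a Chrome profile secret. It assumes SACL auditing is enabled on the profile directory so that 4663 events are generated, and the trusted-image and sensitive-file paths are assumptions for a default per-user Chrome install; adjust them to the fleet.

```python
"""Flag non-browser processes reading Chrome profile secrets (added example)."""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Chrome profile files holding key material or encrypted secrets. Matched on
# the tail of the path so any profile name ("Default", "Profile 1", ...) works.
# Assumed layout: Local State at the User Data root, databases inside a profile.
SENSITIVE_FILE_RE = re.compile(
    r"\\Google\\Chrome\\User Data\\("
    r"Local State"                    # os_crypt encrypted keys (DPAPI / app-bound)
    r"|[^\\]+\\Network\\Cookies"      # cookie database, current layout
    r"|[^\\]+\\Cookies"               # cookie database, legacy layout
    r"|[^\\]+\\Login Data"            # saved-credential database
    r")$",
    re.IGNORECASE,
)

# Processes expected to touch those files, matched on the FULL image path so a
# malware binary named chrome.exe in a user-writable folder is not trusted.
# Assumed default install locations for chrome.exe and its elevation service.
TRUSTED_IMAGE_RE = re.compile(
    r"^C:\\Program Files( \(x86\))?\\Google\\Chrome\\Application\\"
    r"(chrome\.exe|\d+(\.\d+){3}\\elevation_service\.exe)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Alert:
    user: str
    process: str
    target: str
    reason: str


def _normalise(path: str) -> str:
    """Use backslashes throughout so one regex covers both separator styles."""
    return path.replace("/", "\\")


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert for a suspicious profile-secret read, else None."""
    if event.get("EventID") != 4663:
        return None
    target = _normalise(event.get("ObjectName", ""))
    if not SENSITIVE_FILE_RE.search(target):
        return None
    image = _normalise(event.get("ProcessName", ""))
    if TRUSTED_IMAGE_RE.match(image):
        return None
    reason = "non-browser process read of Chrome profile secret"
    if image.lower().endswith("\\chrome.exe"):
        reason = "chrome.exe running from untrusted location"
    return Alert(event.get("SubjectUserName", "?"), image, target, reason)


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run evaluate() over JSON-lines input, skipping blank or malformed lines."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a record we can parse; a real pipeline would count these
        alert = evaluate(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real telemetry). Legitimate browser reads,
# a dropper in %TEMP% reading the cookie DB, a renamed chrome.exe in Downloads,
# an unrelated file read, and one unparsable line.
SAMPLE_LOG = r"""
{"EventID": 4663, "SubjectUserName": "alice", "ProcessName": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ObjectName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State", "AccessMask": "0x1"}
{"EventID": 4663, "SubjectUserName": "alice", "ProcessName": "C:\\Program Files\\Google\\Chrome\\Application\\130.0.0.1\\elevation_service.exe", "ObjectName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State", "AccessMask": "0x1"}
{"EventID": 4663, "SubjectUserName": "alice", "ProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "ObjectName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Network\\Cookies", "AccessMask": "0x1"}
{"EventID": 4663, "SubjectUserName": "alice", "ProcessName": "C:\\Users\\alice\\Downloads\\chrome.exe", "ObjectName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State", "AccessMask": "0x1"}
{"EventID": 4663, "SubjectUserName": "alice", "ProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe", "ObjectName": "C:\\Users\\alice\\Documents\\notes.txt", "AccessMask": "0x1"}
this line is not JSON and is skipped
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"[{a.reason}] user={a.user} process={a.process} target={a.target}")
```

Run against the constructed sample it produces two alerts: the `%TEMP%` dropper reading the cookie database and the renamed chrome.exe in Downloads reading Local State, while the genuine browser, the elevation service and the unrelated file read stay silent. The path-based trust check is the important design choice: trusting by image name alone would let the Downloads copy through.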
This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.