How Infostealers Are Bypassing New Chrome Security Feature to Steal User Session Cookies

How Infostealer Malware Bypassed Chrome’s App-Bound Cookie Encryption


In July, Google rolled out a new security feature for Chrome to help protect user authentication cookies, called Application-Bound Encryption, or App-Bound Encryption. This feature improved the resilience of user session cookies to token theft by infostealer malware by binding the encrypted cookie data on Windows devices to the Chrome application. Before this feature, any application running as the logged-in user on a Windows device – including infostealer malware on infected devices – could access this cookie data.

While the release of this feature temporarily saw several stealer families stop their distribution, SpyCloud and public reporting sources have now observed actors claiming they have bypassed the Chrome security feature and are able to exfiltrate unencrypted cookies from the newest versions of Chrome. We have observed these claims from the maintainers of the following infostealer malware families:


Telegram message from a developer of the open-source infostealer Phemedrone announcing the Chrome bypass. (Automatically translated from Russian)

SpyCloud analysts have reverse-engineered the bypass deployed in Phemedrone, an open-source infostealer, and are able to independently confirm the claims of a bypass.

To avoid turning our research into an instructional manual for other actors seeking to emulate the success of the aforementioned malware families, in this blog we’ll focus on providing security teams with the information they need to minimize their risk by protecting their environments.

About the Google Chrome Application-Bound Encryption bypass

At the time of publishing this article, the Application-Bound Encryption feature is enabled in the Windows version of Chrome by default. Infostealer developers appear to have discovered that they can use Chrome’s internal API – intended for remote management and testing – as a method to bypass this cookie encryption.

Users can enable remote debugging in Chrome on a specified port. Once it is enabled, anything that can reach the debugging port can send Chrome commands, one of which dumps all cookies.

Defenders should be on the lookout for Chrome processes that are spawned with:

--remote-debugging-port=

Defenders should also be on the lookout for processes that then connect to the debugging port opened by that switch, and for any unexpected traffic to port 9222, the port conventionally used for Chrome remote debugging.
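As an added example that is not part of the original post, the following Python detection logic applies the two hunting rules above to constructed, Sysmon-style process-creation and network-connection events: it flags a chrome.exe launch carrying the remote-debugging switch, records the port that switch names, and then flags any process that connects to that port (or to the conventional 9222). The event field names and sample values are assumptions chosen for the example, not from any real telemetry.

```python
import re

# Constructed sample events (assumed field layout, not real telemetry): one Chrome
# launch with the debugging switch, one normal Chrome renderer, one unknown binary
# connecting to the debug port on loopback, and one benign HTTPS connection.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 4120,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless'},
    {"event": "process_create", "pid": 4188,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer'},
    {"event": "network_connect", "pid": 5300,
     "image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "dst_ip": "127.0.0.1", "dst_port": 9222},
    {"event": "network_connect", "pid": 4188,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dst_ip": "142.250.0.1", "dst_port": 443},
]

# The switch named in the post; the captured group is the port Chrome will listen on.
DEBUG_SWITCH = re.compile(r"--remote-debugging-port=(\d+)", re.IGNORECASE)
CONVENTIONAL_DEBUG_PORT = 9222


def find_debug_findings(events):
    """Return (rule, pid, port) tuples for Chrome launched with the remote-debugging
    switch and for any process that connects to a debugging port."""
    findings = []
    debug_ports = {CONVENTIONAL_DEBUG_PORT}
    # Pass 1: Chrome process creations that enable the remote debugging port.
    for ev in events:
        if ev["event"] != "process_create":
            continue
        match = DEBUG_SWITCH.search(ev.get("cmdline", ""))
        if match and ev["image"].lower().endswith("chrome.exe"):
            port = int(match.group(1))
            # Port 0 tells Chrome to pick an ephemeral port, so the launch itself
            # is still worth flagging even when the number cannot be correlated.
            if port:
                debug_ports.add(port)
            findings.append(("chrome_debug_port_enabled", ev["pid"], port))
    # Pass 2: any connection to a known debugging port. The post describes the
    # stealer talking to the port rather than injecting into Chrome, so the
    # connecting process, not Chrome, is the interesting one.
    for ev in events:
        if ev["event"] == "network_connect" and ev["dst_port"] in debug_ports:
            findings.append(("debug_port_accessed", ev["pid"], ev["dst_port"]))
    return findings
```

In production the same two passes map onto a process-creation rule (command line contains the switch) and a network rule (destination port in the set of observed debug ports), joined on host and time window.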

This bypass does not need to leverage process hollowing or memory scraping, which are normally noisier and would therefore raise more red flags for defenders. Instead, the bypass that we have observed Phemedrone using is relatively stealthy because it uses native debugging features within Chrome to capture the data. Additionally, while App-Bound Encryption is only enabled on Windows, this attack also bypasses Mac’s Keychain protections and Linux’s secret storage protections, allowing cookies to be stolen easily from all three operating systems.

While we have not specifically examined the means by which other malware families have bypassed the new Application-Bound Encryption feature, based on our review of the remote management API, it is likely that other malware is making use of the same method.

How do I check if my organization’s Chrome session cookies have already been stolen by infostealers?

Run Check Your Exposure to see whether session cookies tied to your domain have been stolen and exposed. As this research shows, infostealers have bypassed Chrome’s App-Bound Encryption to exfiltrate cookies from up-to-date browsers, so a current Chrome version is not proof your sessions are safe. SpyCloud matches your domain against its recaptured darknet data and surfaces the stolen cookies and credentials linked to your organization.


What should security teams do to protect themselves?

This Chrome Application-Bound Encryption bypass is just another development in the cat-and-mouse game between infostealer developers and defenders who want to protect the integrity of their IAM processes.

And it’s another great example of how quickly cybercriminals can adapt to new security features: App-Bound Encryption was released on July 30, 2024 and we first observed evidence of bypass capabilities as early as September 12, 2024, less than 45 days later.

Security teams should use a layered approach, including continuously monitoring recaptured darknet data, to make sure that bad actors aren’t able to steal or use their users’ authentication cookies. We recommend:

Post-infection remediation for malware

When a malware exposure is detected, it is still best practice to isolate, image, and wipe the device if it is accessible. In addition, we recommend building a more comprehensive post-infection remediation plan into your playbooks:


FAQs

App-Bound Encryption is a Chrome security feature introduced in July 2024 that binds encrypted cookie data to the Chrome application itself, preventing other applications (including malware) from accessing sensitive authentication cookies on Windows devices.

Modern infostealers bypass Chrome’s security by exploiting Chrome’s remote debugging API, scraping browser memory, or manipulating COM interfaces to extract unencrypted authentication cookies that can be used for session hijacking.

Multiple families have successfully bypassed App-Bound Encryption including Phemedrone, LummaC2, Meduza, Vidar, StealC, Rhadamanthys, WhiteSnake, Meta, and Lumar.

Attackers bypassed it. App-Bound Encryption raised the cost of reading the cookie store, but infostealer developers built working bypasses within weeks and are again exfiltrating unencrypted cookies from the newest versions of Chrome. A browser-level control does not invalidate a cookie an attacker already exfiltrated. Run Check Your Exposure to see which session cookies tied to your domain are already exposed, so you can invalidate the affected sessions rather than assume the browser handled it.

Monitor for Chrome processes spawned with --remote-debugging-port= switches, unexpected traffic to port 9222, and continuously scan recaptured darknet data for employee and customer authentication artifacts.

Immediately isolate affected devices, reset all passwords for accounts accessed from the infected device, invalidate active web sessions and tokens, review access logs for unauthorized activity, and implement continuous monitoring for malware-exfiltrated data in criminal underground sources.
