App-Bound Encryption Bypass — Info stealers Chronology and Technique Inventory
Key findings
-
ABE did not break the infostealer ecosystem; it raised the cost and changed the technique mix. Within roughly two months of the July 2024 rollout, multiple stealer families claimed bypasses, and by late October 2024 researchers had confirmed working implementations. ABE's stated threat model never claimed to stop an attacker who can inject into Chrome or run as SYSTEM — both became the standard footholds.
-
The dominant primitive is in-process COM abuse. Because the ABE elevation service (
IElevator) validates the caller by executable path, the reliable bypass is to execute theDecryptDatacall from inside the legitimate browser's address space via DLL injection or process hollowing. This is the core of xaitax's PoC and of multiple in-the-wild families. -
Memory scraping (ChromeKatz lineage) sidesteps the key entirely. Rather than decrypt anything, tools walk the network-service process memory to read
CookieMonsterstructures whose cookie values are already plaintext. STEALC/VIDAR reimplemented ChromeKatz internally; EddieStealer followed in 2025. -
A cryptographic attack exists, not just engineering tricks. CyberArk's "C4 Bomb" (CVE-2025-34091) is a padding-oracle attack against the SYSTEM-DPAPI layer using Windows Event Log error feedback, recovering the key as a low-privileged user in ~16 hours — no injection required.
-
The three ABE CVEs are contested. All three (CVE-2025-34090/091/092) were assigned by VulnCheck as a third-party CNA on 2025-07-02, not filed by Google. CVE-2025-34090 is currently marked REJECTED by MITRE ("Neither filed by Chrome nor a valid security vulnerability"), while vulnerability databases still carry CVSS scores for all three. Treat them as research-attributed, not vendor-acknowledged vulnerabilities.
-
The frontier in 2026 is the plaintext-key time window. VoidStealer attaches to Chrome as a debugger to capture the master key during the brief interval it sits decrypted in browser memory — a timing attack on the legitimate decryption flow rather than a flaw in ABE's design.
Chronology
Dates are given as published. Items drawn only from the input chronology and not independently confirmed in this research are marked [UNVERIFIED].
| Date | Event | Significance | Source |
|---|---|---|---|
| 2024-07-30 | Google Security Blog: "Improving the security of Chrome cookies on Windows." ABE ships in Chrome 127 (stable rolled out ~July 23–30). | Baseline. Cookies migrate first; passwords/payments planned later. | [GOOGLE-BLOG] [REGISTER] |
| 2024-08 / 2024-09 | ChromeKatz updates byte patterns for Chrome ≥128.0.6613.114 / Edge ≥128. | Memory-scraping tooling tracks the new builds. | [CHROMEKATZ] |
| 2024-09 (mid) | Forum claims of ABE bypass appear: Meduza and WhiteSnake (~2 weeks prior to late Sept), Lumma (the prior week), Vidar and StealC (that week). WhiteSnake shown pulling cookies from Chrome 128. | First wave of (mostly unconfirmed) vendor claims. | [BLEEPING-INFOSTEALER] [BHEH] |
| ~2024-09-20 | Elastic observes new STEALC/VIDAR cookie-bypass code; g0njxa notes Vidar claim. | First researcher-observed code change, not just a claim. | [ELASTIC] [G0NJXA-VIDAR] |
| 2024-09-26 | XENOSTEALER commits a Chrome bypass (spawns Chrome, injects via SharpInjector, calls DecryptData). |
Open-source family adopts in-process COM call. | [ELASTIC] |
| 2024-09-27 | StealC bypass claim. | Forum claim. | [G0NJXA-STEALC] [UNVERIFIED] |
| 2024-09-30 | Meta Stealer bypass claim. | Forum claim. | [G0NJXA-META] [UNVERIFIED] |
| 2024-10-07 | xaitax publishes Chrome-App-Bound-Encryption-Decryption (initial commit per input). |
First widely-referenced public PoC; in-process COM call. | [XAITAX] [commit date UNVERIFIED] |
| 2024-10-15 | runassu publishes chrome_v20_decryption (initial commit per input). |
Documents the SYSTEM-DPAPI→user-DPAPI double-unwrap and v20 key blob layout. | [RUNASSU] [commit date UNVERIFIED] |
| ~2024-10-24 | BleepingComputer: infostealers bypass Chrome's new cookie defenses. | Mainstream coverage of in-the-wild bypasses. | [BLEEPING-INFOSTEALER] |
| 2024-10-28 | Elastic Security Labs: "Katz and Mouse Game." | The canonical technical breakdown: enumerates ChromeKatz integration, COM abuse, and remote debugging. | [ELASTIC] |
| 2024-10-28 | BleepingComputer covers the xaitax tool. | Public-tool coverage. | [BLEEPING-TOOL] [UNVERIFIED] |
| 2025-02 | SpyCloud catalogs families claiming bypass: Phemedrone, LummaC2, Meduza, Vidar, StealC, Rhadamanthys, WhiteSnake, Meta, Lumar. Notes use of Chrome's remote-management/remote-debugging API. | Consolidated family list; remote-debugging vector emphasized. | [SPYCLOUD] |
| 2025-03-17 | Google changes remote-debugging switches to require explicit user opt-in. | Partially closes the --remote-debugging-port vector. |
[XAITAX-RESEARCH] |
| 2025-05-30 | The Hacker News: EddieStealer (ClickFix delivery) uses ChromeKatz-style in-memory DLL injection to obtain the key. | Memory-scraping lineage continues into 2025. | [THN-EDDIE] |
| 2025-07-02 | VulnCheck assigns CVE-2025-34090, -34091, -34092 to ABE. | Research formalized as CVEs (status contested — see CVE section). | [CVE-34090] [CVE-34091-WIZ] [CVE-34092-WIZ] |
| 2025-07 | CyberArk: "C4 Bomb" — padding-oracle attack on ABE (CVE-2025-34091) and Chrome-spoofing (CVE-2025-34092). | First cryptographic (non-injection) low-priv attack. | [CYBERARK] |
| 2025-07 | Netlas: Hannibal Stealer cookie-theft technique writeup. | Family-specific reporting. | [NETLAS] [UNVERIFIED] |
| 2025-11 | Majanito ABE-Decryption — Python port of xaitax (per input). |
Lowers the bar to a scripting-language reimplementation. | [MAJANITO] [UNVERIFIED] |
| 2026 (see note) | Kaspersky: VoidStealer attaches as a debugger to capture the master key while it is briefly plaintext in Chrome memory. | New timing-window technique against the live decryption flow. | [KASPERSKY-VOID] |
| 2026-04-07 | Community YouTube explainer on ABE bypass. | Promotional/community content; marginal CTI value. | [YT-EXPLAIN] [low-value source] |
VoidStealer date discrepancy. The input chronology dates VoidStealer to 2026-03. The Kaspersky article located in this research does not show an in-text date I could confirm to the day, and aggregator metadata placed it in early May 2026. The event is confirmed; the exact date is not. Flagged rather than resolved.
Technique inventory
The bypasses cluster into seven distinct classes. They are not mutually exclusive — real samples and tools combine them (e.g., evasion wrapper + COM call).
1. In-process COM abuse (IElevator::DecryptData from inside the browser)
The reference technique. Because validation is path-based, an attacker injects a payload into a process already running from the browser's install directory (or launches one), then calls DecryptData from that address space so the path check passes. xaitax's PoC orchestrates exactly this; oma68s's tool injects a DLL via CreateRemoteThread/NtCreateThreadEx and invokes IElevator directly [XAITAX-RESEARCH] [OMA68S]. Elastic confirmed Metastealer using COM-over-same-folder access in the wild, attributed in part to research by @AzakaSekai_ [ELASTIC] [REDCANARY]. Privilege: user. Footprint: code injection into Chrome — noisy to EDR but no SYSTEM requirement.
2. COM/CLSID hijacking (force fallback to legacy DPAPI) — CVE-2025-34090
Rather than satisfy the path check, the attacker hijacks the COM CLSID registration the elevation service relies on. When validation fails in this manner, Chrome silently falls back to the legacy cookie-encryption path protected only by user-DPAPI, which any same-user process can unwrap. Documented by Devoteam and captured as CVE-2025-34090 (CWE-426 Untrusted Search Path / CWE-276) [DEVOTEAM] [CVE-34090-WIZ]. Privilege: user.
3. Chrome-spoofing via path canonicalization — CVE-2025-34092
A weaker variant of the path-validation defeat: name the malicious binary chrome.exe and place it in a path that the elevation service's inconsistent canonicalization accepts as the install directory, then request the key. CyberArk notes this was "not technically our discovery" but was assigned a CVE alongside their blog [CYBERARK] [CVE-34092-WIZ]. Privilege: low.
4. Remote debugging (--remote-debugging-port)
The malware spawns a Chromium instance with --remote-debugging-port= (commonly 9222), usually paired with --headless or an off-screen --window-position, then drives the DevTools protocol to read cookies in plaintext. Reported across Vidar, Lumma, and StealC [SPYCLOUD] [REDCANARY]. This vector is the most detectable (command-line telemetry; traffic to the debug port) and was partially mitigated by Google in March 2025 when remote-debugging switches were changed to require explicit opt-in [XAITAX-RESEARCH] [SPYCLOUD]. Privilege: user.
5. Process-memory scraping (ChromeKatz lineage)
This class never touches ABE's key. CookieKatz locates CookieMonster instances in chrome.dll by scanning the network-service process memory for the vtable pointer, then traverses the internal CookieMap binary tree (offset ~+0x30) to read CanonicalCookie structures whose values are already decrypted [CHROMEKATZ] [ELASTIC]. Elastic confirmed STEALC/VIDAR reimplemented ChromeKatz internally (CredentialKatz::FindDllPattern, CookieKatz::FindPattern), and Lumma uses obfuscated pattern scanning for the same structures [ELASTIC] [CYBERINSIDER]. EddieStealer adopted the in-memory injection approach in 2025 [THN-EDDIE]. ChromeKatz's companion ElevationKatz instead extracts the profile master key from the elevation service's memory without admin rights [CHROMEKATZ]. Privilege: user. Footprint: brittle (offset/pattern-dependent across Chrome versions) but low telemetry — it reads, doesn't decrypt.
6. Privileged DPAPI double-unwrap
With Administrator/SYSTEM, the app_bound_encrypted_key from Local State can be unwrapped directly: decrypt with SYSTEM DPAPI (via LSASS impersonation), then with user DPAPI, parse the [validation_data][app_bound_key] blob, and derive the AES-256 (or ChaCha20-Poly1305) key — the same first steps the legitimate IElevator::DecryptData performs internally [RUNASSU] [VIPERONE]. This is ABE working as designed: it is an explicit non-goal to stop a higher-privileged attacker [XAITAX-RESEARCH]. Implemented by runassu (PoC), Invoke-PowerChrome (PowerShell), and fantasywastaken (CNG + LSASS impersonation) [RUNASSU] [VIPERONE] [FANTASY]. Privilege: admin/SYSTEM.
7. Cryptographic / timing attacks
Two distinct sub-techniques, both avoiding injection:
-
Padding oracle (C4 Bomb, CVE-2025-34091). A low-privileged attacker submits malformed ciphertexts to the elevation service and distinguishes padding from MAC errors via Windows Event Log messages, partially decrypting the SYSTEM-DPAPI layer and recovering the user-DPAPI-encrypted key. Runtime ~16 hours; the technique generalizes to any SYSTEM-DPAPI blob. Microsoft was notified 2025-03-26 and declined a fix 2025-04-15 (low practical exploitability); Google shipped a partial, default-disabled mitigation around 2025-06-23 [CYBERARK] [CVE-34091-WIZ]. Privilege: low.
-
Plaintext-key time window (VoidStealer). The malware attaches to the Chrome process as a debugger and captures the master key during the brief interval it sits decrypted in memory during legitimate use [KASPERSKY-VOID]. Privilege: user (debug rights on own processes).
Evasion wrappers (orthogonal)
xaitax's tool layers evasion around technique #1: direct-syscall-based reflective process hollowing into a suspended host, a fileless ChaCha20-encrypted in-memory payload, and reflective DLL injection to avoid LoadLibrary. Per its README, it is a post-exploitation tool demonstrating a complete, in-memory bypass and the author states it is NOT intended to be a fully-featured infostealer [XAITAX]. These are detection-evasion choices, not new ABE bypasses.
CVE analysis
All three were published 2025-07-02, assigned by VulnCheck as a third-party CNA, and tied to CyberArk's C4 Bomb research (researcher Ari Novick). None was filed by Google.
| CVE | Technique | CVSS (per DB) | Status |
|---|---|---|---|
| CVE-2025-34090 | COM/CLSID hijack → silent fallback to legacy user-DPAPI. CWE-426 / CWE-276. | 9.3 (CVSS v4) | REJECTED by MITRE/NVD — "Neither filed by Chrome nor a valid security vulnerability." Databases (Wiz) still describe it. [CVE-34090] [CVE-34090-WIZ] |
| CVE-2025-34091 | Padding-oracle on SYSTEM-DPAPI layer via Event Log error feedback (C4 Bomb). ~16h. | 8.8 (CVSS v4) | Active in databases; underlying issue was declined by Microsoft (2025-04-15). [CVE-34091-WIZ] [CYBERARK] |
| CVE-2025-34092 | Chrome-spoofing via path-canonicalization weakness. | 9.3 (CVSS v4) | Active in databases. CyberArk notes it was not their discovery. [CVE-34092-WIZ] [CYBERARK] |
Assessment (separated from the facts above). The rejection of CVE-2025-34090 and the third-party-CNA provenance mean these identifiers should not be cited as Google-acknowledged Chrome vulnerabilities. They are useful as labels for the techniques but carry weak authority. The padding-oracle (34091) is the most technically novel of the three; the two path/COM issues (34090, 34092) restate behaviors that researchers and malware had already been exploiting since late 2024.
Tooling and PoC lineage
The public-tooling tree is shallow and well-attributed. ChromeKatz (Meckazin) predates ABE and pivoted to it, adding the /inject flag and the ElevationKatz sub-tool when Chromium encrypted in-memory cookies for elevation-service browsers [CHROMEKATZ]. runassu/chrome_v20_decryption documented the v20 key blob and the DPAPI double-unwrap; it is the upstream reference for several reimplementations, including Invoke-PowerChrome (PowerShell) and fantasywastaken (CNG/LSASS) [RUNASSU] [VIPERONE] [FANTASY]. xaitax/Chrome-App-Bound-Encryption-Decryption is the most-cited COM-injection PoC and ships extended research notes (RESEARCH.md) plus a companion COM analyzer (COMrade ABE) [XAITAX] [XAITAX-RESEARCH]; oma68s maintains a closely related user-mode tool [OMA68S]. The input chronology lists a Majanito Python port (Nov 2025) that this research did not independently verify [UNVERIFIED].
Elastic's analysis is explicit that in-the-wild families did not invent most of this: STEALC/VIDAR's bypass appears to have reimplemented ChromeKatz internally [ELASTIC]. The line between offensive-security PoC and production stealer is thin and frequently crossed.
Malware family adoption
Claims and confirmations differ. The table records what was claimed versus what a named researcher confirmed, and the technique only where it is documented. Empty technique cells mean the method was not publicly disclosed — not that it is known.
| Family | First claim/observation | Confirmed by researcher | Documented technique |
|---|---|---|---|
| Lumma / LummaC2 | Sept 2024 | Yes — g0njxa confirmed bypass on Chrome 129 | Pattern-based memory scanning of CookieMonster (ChromeKatz-style) [CYBERINSIDER] |
| Vidar | ~Sept 20 2024 | Yes — Elastic observed code; RussianPanda9xx tested | ChromeKatz reimplementation; remote debugging [ELASTIC] [SPYCLOUD] |
| StealC | ~Sept 27 2024 | Yes — Elastic | Injection + CookieMonster targeting; ChromeKatz reimplementation [CYBERINSIDER] [ELASTIC] |
| Meduza | ~mid-Sept 2024 | Partial — social-media reports | Possible COM-same-folder [REDCANARY] |
| WhiteSnake | ~mid-Sept 2024 | Observed pulling Chrome 128 cookies | Not disclosed [BLEEPING-INFOSTEALER] |
| Lumar (PovertyStealer) | Sept 2024 | Claim | Initial admin-only, then user-level (not disclosed) [BHEH] |
| Rhadamanthys | Sept 2024 | Claim (devs cited "10 minutes") | Not disclosed [BLEEPING-INFOSTEALER] |
| Meta / Metastealer | Sept 30 2024 | Yes — Elastic (in-the-wild COM) | In-process COM call via injection [ELASTIC] |
| Phemedrone | Listed by SpyCloud | No bypass analysis located | Not established — input notes a 2024-09 Phemedrone article with no proof of an ABE bypass [SPYCLOUD] [UNVERIFIED] |
| XENOSTEALER | Sept 26 2024 commit | Yes — Elastic (open-source) | Spawn Chrome + SharpInjector + DecryptData [ELASTIC] |
| EddieStealer | May 2025 | Yes — The Hacker News reporting | ChromeKatz-style in-memory DLL injection [THN-EDDIE] |
| Hannibal Stealer | July 2025 | Netlas writeup | Not verified here [NETLAS] [UNVERIFIED] |
| VoidStealer | 2026 (date contested) | Yes — Kaspersky | Debugger-attach to capture plaintext master key [KASPERSKY-VOID] |
Gaps and unverified items
Per the brief, these are recorded rather than filled:
- PoC initial-commit dates (xaitax 2024-10-07; runassu 2024-10-15) come from the input and were not independently confirmed against GitHub commit history in this research.
- Majanito ABE-Decryption (Nov 2025) Python port was not located/verified.
- VoidStealer date — event confirmed, exact date not (input says 2026-03; aggregator metadata suggested early May 2026).
- Phemedrone appears in SpyCloud's family list, but no analysis demonstrating an actual ABE bypass was located; the cited 2024-09 Phemedrone article is not bypass evidence.
- Hannibal Stealer (Netlas, 2025-07) and the BleepingComputer xaitax-tool article (2024-10-28) were not opened in this research; cited from the input.
- Repository metrics (stars/forks/commits/last-release) were not collected for any tool and are not reported.
- Per-family techniques are blank where the method was never publicly disclosed; absence in the table is not a claim of "unknown method exists."
If any of these matter for your use, point me at the specific item and I will verify it directly.
Appendix — Glossary
App-Bound Encryption (ABE). Chrome's Windows protection (from v127, July 2024) that wraps the per-profile cookie/credential key with a SYSTEM-context elevation service, binding decryption to the app's identity. Successor layer over DPAPI; first applied to cookies, with passwords and payment data planned later [GOOGLE-BLOG].
DPAPI (Data Protection API). Windows facility that encrypts data with a key derived from the user's logon credentials. Protects against other users and offline theft, but not against same-user processes — the gap infostealers exploited and ABE was built to close [GOOGLE-BLOG] [ELASTIC].
IElevator / elevation service. The privileged COM server exposing EncryptData/DecryptData. It gates access to the unwrapped key and, in the initial ABE rollout, validates callers by executable path [DEVOTEAM] [XAITAX-RESEARCH].
v20 / APPB. Markers of ABE data: SQLite values encrypted under ABE are prefixed v20; the wrapped key in Local State is Base64 with an APPB prefix [RUNASSU] [OMA68S].
CookieMonster. Chromium's in-memory cookie manager. Memory-scraping tools locate its instances via the vtable pointer in chrome.dll and read the CookieMap tree, where cookie values are already plaintext [CHROMEKATZ] [ELASTIC].
ChromeKatz / CookieKatz / ElevationKatz. Offensive tooling (Meckazin) that dumps cookies/credentials from Chromium process memory and, via ElevationKatz, extracts the master key from the elevation service's memory without admin rights [CHROMEKATZ].
Remote debugging vector. Driving a Chromium instance through the DevTools protocol (--remote-debugging-port=) to read plaintext cookies. Detectable via command line and port traffic; partially mitigated by Google in March 2025 [SPYCLOUD] [XAITAX-RESEARCH].
COM/CLSID hijacking. Replacing the COM class registration the elevation service depends on so that validation fails and Chrome silently reverts to legacy user-DPAPI encryption, which any same-user process can unwrap (CVE-2025-34090) [DEVOTEAM] [CVE-34090-WIZ].
Padding oracle (C4 Bomb). A chosen-ciphertext attack distinguishing padding from MAC errors through Windows Event Log feedback to decrypt the SYSTEM-DPAPI layer and recover the key as a low-privileged user (CVE-2025-34091); ~16h runtime, generalizes to any SYSTEM-DPAPI blob [CYBERARK] [CVE-34091-WIZ].
Reflective process hollowing / RDI. Evasion techniques: launching a suspended host process and injecting before normal execution, and mapping a payload PE from memory to avoid LoadLibrary. Used by xaitax to wrap the in-process COM call; orthogonal to ABE itself [XAITAX].
Event ID 257. Windows Application-log event emitted by Chrome when an ABE decryption-validation check fails — a defender signal for spoofing/hijacking attempts [GOOGLE-BLOG] [DEVOTEAM].
Appendix — Reference index
| ID | Source | URL |
|---|---|---|
| [GOOGLE-BLOG] | Google Online Security Blog — "Improving the security of Chrome cookies on Windows" (Jul 30, 2024) | https://security.googleblog.com/2024/07/improving-security-of-chrome-cookies-on.html |
| [REGISTER] | The Register — "Chrome adopts app-bound encryption to combat cookie theft" (Jul 31, 2024) | https://www.theregister.com/2024/07/31/chrome_appbound_encryption/ |
| [ELASTIC] | Elastic Security Labs — "Katz and Mouse Game: MaaS Infostealers Adapt to Patched Chrome Defenses" (Oct 28, 2024) | https://www.elastic.co/security-labs/katz-and-mouse-game |
| [BLEEPING-INFOSTEALER] | BleepingComputer — "Infostealer malware bypasses Chrome's new cookie-theft defenses" | https://www.bleepingcomputer.com/news/security/infostealer-malware-bypasses-chromes-new-cookie-theft-defenses/ |
| [BLEEPING-TOOL] | BleepingComputer — "New tool bypasses Google Chrome's new cookie encryption system" | https://www.bleepingcomputer.com/news/security/new-tool-bypasses-google-chromes-new-cookie-encryption-system/ |
| [BHEH] | CyberSecureFox — infostealers adapt to bypass ABE | https://cybersecurefox.com/en/cybersecurity-alert-infostealers-quickly-adapt-to-bypass-chrome-s-new-app-bound-encryption/ |
| [CYBERINSIDER] | CyberInsider — "This Is How Infostealers Bypass Chrome's Latest Cookie Security" | https://cyberinsider.com/this-is-how-infostealers-bypass-chromes-latest-cookie-security/ |
| [REDCANARY] | Red Canary — "Stealers evolve to bypass Google Chrome's new app-bound encryption" | https://redcanary.com/blog/threat-intelligence/google-chrome-app-bound-encryption/ |
| [SPYCLOUD] | SpyCloud — "How Infostealer Malware Bypasses Chrome's App-Bound Encryption" | https://spycloud.com/blog/infostealers-bypass-new-chrome-security-feature/ |
| [DEVOTEAM] | Devoteam — "Bypassing app-bound encryption implemented by Google Chrome" | https://www.devoteam.com/expert-view/contournement-du-chiffrement-app-bound-sur-google-chrome-sans-droits-administrateurs/ |
| [XAITAX] | GitHub — xaitax/Chrome-App-Bound-Encryption-Decryption | https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption |
| [XAITAX-RESEARCH] | xaitax — RESEARCH.md (technical deep dive) | https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption/blob/main/docs/RESEARCH.md |
| [RUNASSU] | GitHub — runassu/chrome_v20_decryption | https://github.com/runassu/chrome_v20_decryption |
| [OMA68S] | GitHub — oma68s/chrome-app-bound-encryption-decryption | https://github.com/oma68s/chrome-app-bound-encryption-decryption |
| [VIPERONE] | GitHub — The-Viper-One/Invoke-PowerChrome | https://github.com/The-Viper-One/Invoke-PowerChrome |
| [FANTASY] | GitHub — fantasywastaken/Chrome-App-Bound-Decryption | https://github.com/fantasywastaken/Chrome-App-Bound-Decryption |
| [CHROMEKATZ] | GitHub — Meckazin/ChromeKatz | https://github.com/Meckazin/ChromeKatz |
| [MAJANITO] | GitHub — Majanito/ABE-Decryption (input-provided, unverified) | https://github.com/Majanito/ABE-Decryption |
| [THN-EDDIE] | The Hacker News — "EddieStealer Malware Uses ClickFix..." (May 30, 2025) | https://thehackernews.com/2025/05/eddiestealer-malware-uses-clickfix.html |
| [CYBERARK] | CyberArk — "C4 Bomb: Blowing Up Chrome's AppBound Cookie Encryption" | https://www.cyberark.com/resources/threat-research-blog/c4-bomb-blowing-up-chromes-appbound-cookie-encryption |
| [CVE-34090] | Tenable — CVE-2025-34090 (shows REJECTED) | https://www.tenable.com/cve/CVE-2025-34090 |
| [CVE-34090-WIZ] | Wiz — CVE-2025-34090 | https://www.wiz.io/vulnerability-database/cve/cve-2025-34090 |
| [CVE-34091-WIZ] | Wiz — CVE-2025-34091 | https://www.wiz.io/vulnerability-database/cve/cve-2025-34091 |
| [CVE-34092-WIZ] | Wiz — CVE-2025-34092 | https://www.wiz.io/vulnerability-database/cve/cve-2025-34092 |
| [KASPERSKY-VOID] | Kaspersky — "How VoidStealer bypasses Chrome's protections" | https://www.kaspersky.com/blog/chrome-application-bound-encryption-bypass-voidstealer/55735/ |
| [NETLAS] | Netlas — "Hannibal Stealer, part 1" (input-provided, unverified) | https://netlas.io/blog/hannibal_stealer_part_1/ |
| [DETECTION-CHOKE] | Detection Chokepoints — Infostealer Browser Credential Theft | https://iimp0ster.github.io/detection-chokepoints/chokepoints/browser-credential-theft/ |
| [G0NJXA-VIDAR] | g0njxa — Vidar bypass claim (X) | https://x.com/g0njxa/status/1837093565664539095 |
| [G0NJXA-STEALC] | g0njxa — StealC bypass claim (X) | https://x.com/g0njxa/status/1838221053480325407 |
| [G0NJXA-META] | g0njxa — Meta Stealer bypass claim (X) | https://x.com/g0njxa/status/1840761619686568319 |
| [YT-EXPLAIN] | YouTube — community ABE bypass explainer (low-value) | https://www.youtube.com/watch?v=fHwqvZjvXy8 |