Threats Tagged 'voidstealer'

Gen Threat Labs has identified Remus, a new 64-bit infostealer attributed to the Lumma Stealer family, emerging after Lumma's takedown and the doxxing of its alleged core members. First campaigns date back to February 2026, with the malware switching from Steam/Telegram dead drop resolvers to EtherHiding and employing new anti-analysis checks. Remus shares multiple characteristics with Lumma including identical string obfuscation techniques, AntiVM checks, direct syscall/sysenter handling, indirect control flow obfuscation, and a unique Application-Bound Encryption bypass. The analysis details test builds labeled Tenzor from September 2025, representing a transitional step between Lumma and Remus. While maintaining Lumma's stealing arsenal for browser passwords, cookies, and cryptocurrency, Remus introduces blockchain-based C2 resolution via EtherHiding, additional anti-sandbox checks targeting analysis tool DLLs, and enhanced device fingerprinting capabilities.

VoidStealer is an emerging infostealer that employs a novel debugger-based Application-Bound Encryption (ABE) bypass technique. This method leverages hardware breakpoints to extract the v20_master_key directly from browser memory, requiring neither privilege escalation nor code injection. The technique involves attaching to the browser process as a debugger, setting breakpoints at strategic locations, and extracting the key when it's briefly present in plaintext. This approach offers a lower detection footprint compared to alternative bypass methods. The blog post dissects the technique step-by-step, from locating the target address for breakpoint placement to extracting the key. It also provides detection strategies for defenders, focusing on monitoring debugger attachments and suspicious browser memory reads.

MediumMalwareUnited StatesUnited KingdomGermany+7#abe bypass#memory analysis#edge