How to remove VoidStealer from infected systems

Trojan

Also Known As: VoidStealer information stealer


To use full-featured product, you have to purchase a license for Combo Cleaner. Seven days free trial available. Combo Cleaner is owned and operated by RCS LT, the parent company of PCRisk.com.

What kind of malware is VoidStealer?

VoidStealer is a type of malware that steals sensitive data from browsers. It uses a debugger-based method to bypass browser protection (Application-Bound Encryption) by monitoring the browser's memory while the browser is running. This allows it to capture encryption keys without needing elevated permissions or injecting code, which makes it harder for security tools to detect.


Introduction

Application-Bound Encryption (ABE) is a security mechanism that encrypts sensitive data (such as saved passwords) so that only the browser can access it. This security feature was added to Google Chrome in 2024. VoidStealer is the first known malware-as-a-service (MaaS) infostealer observed using an ABE-bypass method.

VoidStealer has multiple versions, and this bypass technique was added in version 2.0 of the malware. The stealer uses two different methods to bypass browser protection in case one does not work. The first method is well known and involves injecting into the browser process, but this can be easily detected by security tools.

The second method is newer and more hidden, as it only reads the browser's memory and attaches as a debugger. This makes it less noticeable and harder to detect. In Google Chrome, saved passwords and other sensitive information are encrypted and stored in a local database. This data is kept in a SQLite database file on the system, typically located in the AppData folder.

Generally, passwords are protected so that only the browser (and authorized processes) can read them. Application-Bound Encryption (ABE) protects a secret key using the highest system privileges on Windows. Chrome itself runs as a normal user, so it cannot access this key directly.

To solve this, Chrome uses a special background service that runs with higher privileges to safely unlock the key when needed. When Chrome requests it, the service checks the request and then returns the decrypted key. Chrome then uses this key to encrypt and decrypt sensitive data like passwords and cookies.

Information stealers could bypass the protection by running with full privileges, but that only works in some cases. They can also inject into Chrome to request the key, but that is easier for security tools to detect. Chrome protects the key by keeping it in memory only briefly and encrypting it.

VoidStealer takes advantage of that short moment by checking the browser's memory using a debugger and capturing the key without needing high privileges or code injection.

How the technique works

VoidStealer targets browsers like Google Chrome and Microsoft Edge. It starts a hidden browser process and attaches itself as a debugger. This is done because during startup, the browser loads and decrypts protected data like cookies. At that moment, the secret key is shortly available in memory, making it the right time for the malware to capture it.

VoidStealer sets breakpoints and monitors the process until it reaches that exact moment, then extracts the key directly from memory. With this key, it can decrypt and access sensitive data like saved passwords and cookies. Cybercriminals can misuse this information for various malicious purposes.

They may use it to access accounts (e.g., social media or banking accounts), steal personal data, or commit fraud. They can also use hijacked accounts to spread malware and scams. In some cases, they sell the stolen data to others on the dark web.
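A defender-side illustration, added here and not part of the PCRisk article or of VoidStealer itself: correlating process-creation and process-access events to flag the pattern described above, a browser launched by an unexpected parent that then opens the browser's memory for reading. The log format is constructed for the example; field names follow Sysmon Event 1 (ProcessCreate) and Event 10 (ProcessAccess), and the parent allowlist and access-right check are assumptions to tune per environment.

```python
BROWSERS = {"chrome.exe", "msedge.exe"}
# Parents that normally launch a browser (hypothetical allowlist); a browser
# started by anything else, e.g. a dropped executable, is worth a closer look.
EXPECTED_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe"}
PROCESS_VM_READ = 0x0010  # Windows access right required to read another process's memory

# Constructed sample log: pipe-delimited key=value records using Sysmon field
# names (EventID 1 = ProcessCreate, EventID 10 = ProcessAccess). Paths and PIDs are made up.
SAMPLE_LOG = [
    "EventID=1|Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|ProcessId=4412"
    "|ParentImage=C:\\Windows\\explorer.exe|ParentProcessId=1200",
    "EventID=1|Image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|ProcessId=5120"
    "|ParentImage=C:\\Users\\u\\AppData\\Local\\Temp\\update.exe|ParentProcessId=3320",
    # The unusual parent opens its child browser with full access, which includes memory reads
    "EventID=10|SourceProcessId=3320|TargetProcessId=5120|GrantedAccess=0x1FFFFF",
    # A benign handle open that only queries limited information: no memory-read right
    "EventID=10|SourceProcessId=3320|TargetProcessId=5120|GrantedAccess=0x1000",
]

def parse(line):
    """Split one constructed log record into a field dictionary."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def basename(path):
    """Return the lowercase file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def find_suspicious(lines):
    """Return (parent image, browser pid) for every browser that was launched by an
    unexpected parent and then had its memory opened for reading by that same parent."""
    launched = {}  # browser pid -> (parent pid, parent image)
    hits = []
    for ev in map(parse, lines):
        if ev["EventID"] == "1" and basename(ev["Image"]) in BROWSERS:
            if basename(ev["ParentImage"]) not in EXPECTED_PARENTS:
                launched[ev["ProcessId"]] = (ev["ParentProcessId"], ev["ParentImage"])
        elif ev["EventID"] == "10" and ev["TargetProcessId"] in launched:
            parent_pid, parent_image = launched[ev["TargetProcessId"]]
            granted = int(ev["GrantedAccess"], 16)
            if ev["SourceProcessId"] == parent_pid and granted & PROCESS_VM_READ:
                hits.append((parent_image, ev["TargetProcessId"]))
    return hits

if __name__ == "__main__":
    for parent_image, pid in find_suspicious(SAMPLE_LOG):
        print(f"suspicious: {parent_image} launched browser pid {pid} and read its memory")
```

In a real deployment the same correlation can be expressed as a SIEM join on ParentProcessId/SourceProcessId; the point is pairing an odd browser launch with a subsequent memory-read handle from the launcher, not either event alone.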

Threat Summary:
Name: VoidStealer information stealer
Threat Type: Stealer
Detection Names: Avast (Win64:MalwareX-gen [Pws]), Combo Cleaner (Trojan.Generic.39621760), ESET-NOD32 (Win64/PSW.Agent.SX Trojan), Kaspersky (Trojan-PSW.Win32.Vidar.idm), Microsoft (PWS:Win64/WallStealer.CI!MTB), Full List (VirusTotal)
Symptoms: Stealers are designed to stealthily infiltrate the victim's computer and remain silent, and thus no particular symptoms are clearly visible on an infected machine.
Possible Distribution Methods: Infected email attachments, malicious online advertisements, social engineering, software vulnerabilities, software 'cracks'.
Damage: Stolen passwords and banking information, identity theft, monetary loss.
Malware Removal (Windows)

To eliminate possible malware infections, scan your computer with legitimate antivirus software. Our security researchers recommend using Combo Cleaner.


Conclusion

VoidStealer is a type of malware designed to steal sensitive information from browsers. It uses advanced techniques to bypass security protections and access stored data, such as passwords and cookies. This makes it a serious threat because it can operate in a stealthy way and avoid detection.

Some examples of other stealers are BoryptGrab, MaskGramStealer, and Xillen.

How did VoidStealer infiltrate my computer?

Cybercriminals often take advantage of security flaws in outdated software or spread malware through pirated programs, unofficial activation tools, and key generators. Other common methods include tech support scams, deceptive emails or messages that contain harmful links or attachments, and malicious ads.

Malware may also be distributed through infected USB drives, fake or compromised websites, peer-to-peer (P2P) file-sharing networks, and third-party download tools. Attackers typically hide it inside files such as executables, compressed archives, scripts, or documents like PDFs and Office files, which can infect systems once opened or additional steps are taken.

How to avoid installation of malware?

Keep your operating system and all installed programs up to date and download software and files from official websites or reputable app stores. Avoid interacting with suspicious ads, pop-ups, or unfamiliar links, especially on unreliable websites, and do not allow notifications from questionable pages.

Be wary of unexpected emails or messages from unknown senders—do not open attachments or click links unless you are certain they are safe. Use trusted security tools to perform regular scans and detect potential threats.

If you believe that your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for Windows to automatically eliminate infiltrated malware.

VoidStealer promoted on a hacker forum (source: gendigital.com):

Instant automatic malware removal:

Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of malware. Download it by clicking the button below:

By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use.


How to remove malware manually?

Manual malware removal is a complicated task - usually it is best to allow antivirus or anti-malware programs to do this automatically. To remove this malware we recommend using Combo Cleaner Antivirus for Windows.

If you wish to remove malware manually, the first step is to identify the name of the malware that you are trying to remove. Here is an example of a suspicious program running on a user's computer:


If you checked the list of programs running on your computer, for example, using task manager, and identified a program that looks suspicious, you should continue with these steps:

Step 1: Download a program called Autoruns. This program shows auto-start applications, Registry, and file system locations.


Step 2: Restart your computer into Safe Mode:

Windows XP and Windows 7 users: Start your computer in Safe Mode. Click Start, click Shut Down, click Restart, click OK. During your computer start process, press the F8 key on your keyboard multiple times until you see the Windows Advanced Option menu, and then select Safe Mode with Networking from the list.


Windows 8 users: Start Windows 8 in Safe Mode with Networking - Go to the Windows 8 Start Screen, type Advanced, and in the search results select Settings. Click Advanced startup options, and in the opened "General PC Settings" window, select Advanced startup.

Click the "Restart now" button. Your computer will now restart into the "Advanced Startup options menu". Click the "Troubleshoot" button, and then click the "Advanced options" button. In the advanced option screen, click "Startup settings".

Click the "Restart" button. Your PC will restart into the Startup Settings screen. Press F5 to boot in Safe Mode with Networking.


Windows 10 users: Click the Windows logo and select the Power icon. In the opened menu click "Restart" while holding the "Shift" key on your keyboard. In the "Choose an option" window click "Troubleshoot", then select "Advanced options".

In the advanced options menu select "Startup Settings" and click on the "Restart" button. In the following window you should click the "F5" button on your keyboard. This will restart your operating system in safe mode with networking.


Step 3: Extract the downloaded archive and run the Autoruns.exe file.


Step 4: In the Autoruns application, click "Options" at the top and uncheck the "Hide Empty Locations" and "Hide Windows Entries" options. After this procedure, click the "Refresh" icon.


Step 5: Check the list provided by the Autoruns application and locate the malware file that you want to eliminate.

You should write down its full path and name. Note that some malware hides process names under legitimate Windows process names. At this stage, it is very important to avoid removing system files. After you locate the suspicious program you wish to remove, right-click its name and choose "Delete".


After removing the malware through the Autoruns application (this ensures that the malware will not run automatically on the next system startup), you should search for the malware name on your computer. Be sure to enable hidden files and folders before proceeding. If you find the filename of the malware, be sure to remove it.


Reboot your computer in normal mode. Following these steps should remove any malware from your computer. Note that manual threat removal requires advanced computer skills. If you do not have these skills, leave malware removal to antivirus and anti-malware programs.

These steps might not work with advanced malware infections. As always, it is better to prevent infection than to try to remove malware later. To keep your computer safe, install the latest operating system updates and use antivirus software. To be sure your computer is free of malware infections, we recommend scanning it with Combo Cleaner Antivirus for Windows.

Frequently Asked Questions (FAQ)

My device is infected with VoidStealer malware, should I format my storage device to get rid of it?

Resetting or wiping a device is an effective way to remove malware. However, it also deletes all data if it is not backed up. It is recommended to first try removing VoidStealer using a security tool like Combo Cleaner.

What are the biggest issues that malware can cause?

Malware can lead to various problems, such as financial loss or identity theft, as well as the theft of personal data. It can also take control of a device and damage or delete important files.

What is the purpose of VoidStealer?

The purpose of VoidStealer is to steal sensitive information from a user's computer, especially from web browsers. It is designed to extract things like saved passwords, cookies, and login data so attackers can access accounts or take other malicious actions.

How did VoidStealer infiltrate my device?

Cybercriminals spread malware by exploiting outdated software and using pirated programs, fake activation tools, and key generators. They also use phishing emails, malicious ads, and tech support scams. Additionally, malware can come from infected USB drives, fake websites, P2P networks, and third-party download tools, and is often hidden inside files like executables, archives, scripts, or documents.

Will Combo Cleaner protect me from malware?

Yes, Combo Cleaner can detect and remove most known malware. However, some advanced threats can hide deeply in the system. That is why running a full system scan is important to make sure everything is found and removed.

Tomas Meskauskas


Expert security researcher, professional malware analyst

I am passionate about computer security and technology. I have an experience of over 10 years working in various companies related to computer technical issue solving and Internet security. I have been working as an author and editor for pcrisk.com since 2010. Follow me on Twitter and LinkedIn to stay informed about the latest online security threats.
