TempMail Ninja
Vidar Infostealer Bypasses Google Chrome App-Bound Encryption

In the cybersecurity landscape of 2026, the cat-and-mouse game between browser vendors and malware developers has reached another inflection point. For years, information stealers treated browser credentials and live session cookies as their primary monetization vector: they harvested Chrome's on-disk stores, whose encryption key was protected only with the logged-on user's DPAPI secret and could therefore be unwrapped by any process running in that user's context. In response, Google introduced App-Bound Encryption (ABE) to bind those secrets to the browser itself rather than to the user account. Recent research shows that this defense-in-depth boundary is not impenetrable. Security researchers at Gen Threat Labs have documented an evasion technique used by the Vidar infostealer that sidesteps ABE by extracting the secrets from Chrome's memory at runtime, where the browser must hold them in plaintext, instead of decrypting them from disk.

The Evolution of the Vidar Infostealer and the Chrome Memory Raid

The Vidar infostealer has long been recognized as one of the more adaptable threats in the malware-as-a-service (MaaS) ecosystem. Historically, Vidar and its derivatives copied Chrome's SQLite databases (the cookie jar and the Login Data store), unwrapped the per-user AES key with a standard Windows DPAPI call, and decrypted the records offline. That operational model was disrupted when Google Chrome shipped App-Bound Encryption in version 127 in July 2024, which wraps the key so that only a Chrome binary validated by a privileged elevation service can recover it. The change forced malware operators to adapt, and their latest iteration represents a
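The legacy flow described above, as an added example that is not code from this page nor from Gen Threat Labs' research: a small Go parser for the two key wrappers in Chrome's Local State file and for the version-prefixed cookie values. The on-disk layout it relies on (base64 wrappers with a "DPAPI" or "APPB" prefix, "v10" or "v20" value prefixes, AES-256-GCM with a 12-byte nonce and 16-byte tag) is Chrome's own format; the 32-byte key and the Local State JSON are constructed inline so the program runs offline on any OS, and the DPAPI unwrap itself is deliberately left out because it is Windows-only and is exactly the step any process in the user's session could perform. Function and type names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Chrome-on-Windows on-disk conventions.
const (
	dpapiPrefix = "DPAPI" // os_crypt.encrypted_key: legacy key, user-DPAPI wrapped
	appbPrefix  = "APPB"  // os_crypt.app_bound_encrypted_key: ABE key (Chrome 127+)
	nonceLen    = 12      // AES-GCM nonce that follows the "v10"/"v20" prefix
	tagLen      = 16      // AES-GCM tag appended after the ciphertext
)

type localState struct {
	OSCrypt struct {
		EncryptedKey         string `json:"encrypted_key"`
		AppBoundEncryptedKey string `json:"app_bound_encrypted_key"`
	} `json:"os_crypt"`
}

// KeySlots holds the still-wrapped key blobs found in Local State.
type KeySlots struct {
	LegacyDPAPIBlob []byte // unwrappable by any process running as the user
	AppBoundBlob    []byte // released only to a path-validated Chrome by the elevation service
}

func decodePrefixed(b64, prefix string) ([]byte, error) {
	b, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, err
	}
	if !bytes.HasPrefix(b, []byte(prefix)) {
		return nil, fmt.Errorf("expected %q prefix", prefix)
	}
	return b[len(prefix):], nil
}

// ParseLocalState classifies the key wrappers present in a Local State file.
func ParseLocalState(raw []byte) (KeySlots, error) {
	var ls localState
	if err := json.Unmarshal(raw, &ls); err != nil {
		return KeySlots{}, err
	}
	var ks KeySlots
	var err error
	if ls.OSCrypt.EncryptedKey != "" {
		if ks.LegacyDPAPIBlob, err = decodePrefixed(ls.OSCrypt.EncryptedKey, dpapiPrefix); err != nil {
			return KeySlots{}, err
		}
	}
	if ls.OSCrypt.AppBoundEncryptedKey != "" {
		if ks.AppBoundBlob, err = decodePrefixed(ls.OSCrypt.AppBoundEncryptedKey, appbPrefix); err != nil {
			return KeySlots{}, err
		}
	}
	return ks, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// DecryptCookieValue opens one encrypted_value blob from the Cookies table with
// the already-unwrapped legacy key. A "v20" blob is refused: its key is never on
// disk in a form the per-user DPAPI secret can open, which is what ABE changed.
func DecryptCookieValue(blob, legacyKey []byte) ([]byte, error) {
	if len(blob) < 3 {
		return nil, errors.New("blob too short for a version prefix")
	}
	switch ver := string(blob[:3]); ver {
	case "v10":
		if len(blob) < 3+nonceLen+tagLen {
			return nil, errors.New("v10 blob too short")
		}
		gcm, err := newGCM(legacyKey)
		if err != nil {
			return nil, err
		}
		return gcm.Open(nil, blob[3:3+nonceLen], blob[3+nonceLen:], nil)
	case "v20":
		return nil, errors.New("v20 value is App-Bound: the per-user DPAPI key cannot open it")
	default:
		return nil, fmt.Errorf("unknown version prefix %q", ver)
	}
}

// SealLegacyCookie builds a "v10" blob; used only to construct sample data here.
func SealLegacyCookie(plaintext, legacyKey []byte) ([]byte, error) {
	gcm, err := newGCM(legacyKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append([]byte("v10"), nonce...)
	return gcm.Seal(out, nonce, plaintext, nil), nil // Seal appends ciphertext||tag
}

// SampleLocalState is a constructed Local State carrying both wrappers.
func SampleLocalState() []byte {
	enc := func(prefix string, blob []byte) string {
		return base64.StdEncoding.EncodeToString(append([]byte(prefix), blob...))
	}
	ls := map[string]map[string]string{"os_crypt": {
		"encrypted_key":           enc(dpapiPrefix, []byte{1, 2, 3, 4}),
		"app_bound_encrypted_key": enc(appbPrefix, []byte{5, 6, 7, 8}),
	}}
	raw, _ := json.Marshal(ls)
	return raw
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // stands in for the DPAPI-unwrapped legacy key
	blob, _ := SealLegacyCookie([]byte("SID=constructed-session-cookie"), key)
	pt, err := DecryptCookieValue(blob, key)
	fmt.Printf("v10: %q err=%v\n", pt, err)
	_, err = DecryptCookieValue(append([]byte("v20"), blob[3:]...), key)
	fmt.Println("v20:", err)
	ks, _ := ParseLocalState(SampleLocalState())
	fmt.Printf("DPAPI blob %d bytes, APPB blob %d bytes\n", len(ks.LegacyDPAPIBlob), len(ks.AppBoundBlob))
}
```

The v20 branch is the point of the exercise: after Chrome 127 a stealer that holds only the user's DPAPI secret can still copy the Cookies database and read the blob, but it cannot open it, which is why the technique Gen Threat Labs describes moves into Chrome's memory instead of working from the file system.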

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.