Two separate research disclosures this week. Unrelated to each other. Together they say your security posture may already be wrong.

VoidStealer vs. Chrome

Google added App-Bound Encryption in Chrome 127 (on Windows) so that malware running as the logged-in user could no longer decrypt stored cookies and passwords just by calling the OS credential APIs. Real improvement. VoidStealer bypassed it within months.

The technique: attach to Chrome through its own remote debugging protocol (the same DevTools interface developers use to inspect pages) and extract the master key. No kernel access required. No privilege escalation. Works against a fully patched browser. Passwords, session cookies, card data: all readable once the attacker is running code as the user.

The lesson isn’t that Chrome is broken. It’s that “the browser’s credential store is safe now” was never going to be a permanent statement. Once an attacker has code execution as the user, the stored credentials are theirs; that is the model. Keeping the attacker off the endpoint, and noticing a browser that has been relaunched with debugging exposed, matters more than trusting the credential store to hold.

Astaroth vs. MFA

Astaroth is a phishing-as-a-service kit that sits as a real-time adversary-in-the-middle proxy between the target and the legitimate website. The user lands on a convincing look-alike page, enters credentials, submits an MFA code. Astaroth relays each step to the real site as it happens. The real site issues a session cookie, and it lands with the attacker. The user thinks the login succeeded. It did, for the wrong person.

What it defeats: SMS one-time passwords, TOTP apps (Google Authenticator, Authy), and push-notification MFA like Duo’s default prompt. All three, in real time, because each of them proves only that the user has the code or tapped the button, not which site the user was talking to.

This isn’t new conceptually. Evilginx has done this for years. What’s new is the commoditization. You don’t need to be a sophisticated attacker. You need a crime forum account and a budget.

What Actually Works

FIDO2/WebAuthn. Hardware security keys and passkeys. Two things make it phishing-resistant: the credential is scoped to the relying-party ID, so a page on another domain cannot even ask the key for it, and the browser writes the origin it actually loaded into the client data that the key signs, so the server can see which site the user was on. A proxy on a look-alike domain therefore gets either no assertion at all or one the real site rejects.

That’s the action item. Move privileged and critical accounts away from TOTP and push MFA, toward FIDO2, and remove the weaker methods as fallbacks rather than leaving them enabled, because a proxy kit will simply steer the user to whichever option it can relay. Keep in mind what FIDO2 does not cover: it protects the login, not a session cookie lifted from the endpoint afterwards, which is where the first story comes back in. The threat actors selling Astaroth already know which methods they can beat. The question is whether your security posture has caught up.
