New Glove infostealer malware bypasses Chrome’s cookie encryption


New Glove Stealer malware can bypass Google Chrome’s Application-Bound (App-Bound) encryption to steal browser cookies.

According to the Gen Digital security researchers who first spotted it while investigating a recent phishing campaign, this information-stealing malware is “relatively simple and contains minimal obfuscation or protection mechanisms,” which indicates that it is very likely still in its early development stages.

During their attacks, the threat actors used social engineering tactics similar to those of the ClickFix infection chain, in which potential victims are tricked into installing malware by fake error windows displayed within HTML files attached to the phishing emails.

ClickFix HTML attachment sample (Gen Digital)

The Glove Stealer .NET malware can extract and exfiltrate cookies from Firefox and Chromium-based browsers (e.g., Chrome, Edge, Brave, Yandex, Opera).

It’s also capable of stealing cryptocurrency wallets from browser extensions, 2FA session tokens from Google, Microsoft, Aegis, and LastPass authenticator apps, password data from Bitwarden, LastPass, and KeePass, as well as emails from mail clients like Thunderbird.

“Other than stealing private data from browsers, it also tries to exfiltrate sensitive information from a list of 280 browser extensions and more than 80 locally installed applications,” said malware researcher Jan Rubín.

“These extensions and applications typically involve cryptocurrency wallets, 2FA authenticators, password managers, email clients and others.”

Basic App-Bound encryption bypass capabilities

To steal credentials from Chromium web browsers, Glove Stealer bypasses Google’s App-Bound encryption cookie-theft defenses, which were introduced by Chrome 127 in July.

To do that, it follows the method described by security researcher Alexander Hagenah last month, with a supporting module that calls Chrome’s own COM-based IElevator Windows service (which runs with SYSTEM privileges) to decrypt and retrieve the App-Bound encrypted keys.

It’s important to note that the malware first needs to get local admin privileges on the compromised systems to place this module in Google Chrome’s Program Files directory and use it to retrieve encrypted keys.
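The bypass described above depends on a precondition a defender can watch for: a loadable module being written into Google Chrome’s Program Files directory by something other than Chrome’s own installer or updater. The following is an added example (not code from the article, Gen Digital, or the malware) that flags such writes in constructed Sysmon-style FileCreate records; the log format, file paths, process names and the allowlist are assumptions for illustration.

```python
"""Flag loadable modules dropped into Chrome's install directory by unexpected writers.
Added example for this article: the records, paths, names and allowlist are constructed
assumptions, not indicators from the Glove Stealer campaign."""
import re
from dataclasses import dataclass

# Constructed, pipe-delimited FileCreate-style records: event_id | writing image | created file
SAMPLE_EVENTS = r"""
11 | C:\Program Files (x86)\Google\Update\GoogleUpdate.exe | C:\Program Files\Google\Chrome\Application\131.0.1\chrome.dll
11 | C:\Users\victim\AppData\Local\Temp\update.exe | C:\Program Files\Google\Chrome\Application\helper.dll
11 | C:\Windows\explorer.exe | C:\Users\victim\Downloads\invoice.html
11 | C:\Program Files\Google\Chrome\Application\chrome.exe | C:\Users\victim\AppData\Local\Google\Chrome\User Data\Default\Cookies
"""

# Chrome's install tree under either Program Files directory (case-insensitive match).
CHROME_INSTALL_DIR = re.compile(r"^c:\\program files( \(x86\))?\\google\\chrome\\", re.I)
# Assumed allowlist: the only writers expected to place modules in the install tree.
ALLOWED_WRITERS = {"googleupdate.exe", "setup.exe"}
LOADABLE_EXT = (".dll", ".exe")


@dataclass(frozen=True)
class FileCreate:
    image: str   # process that created the file
    target: str  # path of the created file


def parse_events(text: str) -> list[FileCreate]:
    """Parse the constructed records, keeping only FileCreate (event id 11) rows."""
    events = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) == 3 and fields[0] == "11":
            events.append(FileCreate(image=fields[1], target=fields[2]))
    return events


def is_suspicious_drop(ev: FileCreate) -> bool:
    """True when a DLL/EXE lands inside Chrome's install tree from a non-allowlisted writer."""
    if not CHROME_INSTALL_DIR.match(ev.target):
        return False
    if not ev.target.lower().endswith(LOADABLE_EXT):
        return False
    writer = ev.image.rsplit("\\", 1)[-1].lower()
    return writer not in ALLOWED_WRITERS


def flag_chrome_dir_drops(text: str) -> list[FileCreate]:
    """Return the records that should raise an alert."""
    return [ev for ev in parse_events(text) if is_suspicious_drop(ev)]


if __name__ == "__main__":
    for ev in flag_chrome_dir_drops(SAMPLE_EVENTS):
        print(f"ALERT: {ev.image} wrote {ev.target}")
```

Only the Temp-resident `update.exe` writing `helper.dll` into the Chrome application directory is flagged; the updater's own write and Chrome's normal write to its user-profile `Cookies` file are not.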

However, although it sounds impressive on paper, this still points to Glove Stealer being in early development: it is a basic method that most other infostealers have already moved past in order to steal cookies from all Google Chrome versions, as researcher g0njxa told BleepingComputer in October.

Malware analyst Russian Panda previously said to BleepingComputer that Hagenah’s method looks similar to early bypass approaches other malware took after Google first implemented Chrome App-Bound encryption.

Multiple infostealer malware operations are now capable of bypassing the new security feature to allow their “customers” to steal and decrypt Google Chrome cookies.

“This code [xaitax’s] requires admin privileges, which shows that we’ve successfully elevated the amount of access required to successfully pull off this type of attack,” Google told BleepingComputer last month.

Unfortunately, even though admin privileges are required to bypass App-Bound encryption, this has yet to put a noticeable dent in the number of ongoing information-stealing malware campaigns.

Attacks have only increased since July when Google first implemented App-Bound encryption, targeting potential victims via vulnerable drivers, zero-day vulnerabilities, malvertising, spearphishing, StackOverflow answers, and fake fixes to GitHub issues.

Sergiu Gatlan
