Ali Al-Abdullah

GitHub Malware: My observations

30 May 2025

Introduction

Recently, all of my gaming accounts were hacked, which was very strange considering I have two-factor authentication enabled on all accounts and a unique, complex password for each account. This led me to investigate what had happened that had led to a security compromise which took over all of my accounts.

Crosshair X

Back-tracking my steps made me realise that I had downloaded a version of a popular crosshair app from GitHub the night before, called Crosshair X, which surprisingly didn’t seem to work…

Crosshair X Repo

Then, I realised that this was an information stealer, which steals all sensitive information from a victim’s PC, such as Discord tokens, saved autofill passwords, autofilled credit/debit cards from Chromium-based browsers, as well as cookies. They can also steal crypto wallets, passwords saved in password managers, and so on… There are many different variants of these stealers, such as RedLine, Raccoon and Lumma Stealer. These infostealers are operated through a panel that builds the payload with custom icons for the executable, custom delivery methods for when a new victim has been captured, and the ability to self-destruct based on various factors such as whitelisted IPs and regions. (Hackers have a distorted moral compass)

Chromium-based browsers and password encryption

These browsers store sensitive user data in a local SQLite database on the user’s machine, and the secrets in it are encrypted using the Windows DPAPI (Data Protection API), which ties the decryption key to the user logged in to Windows. This database is stored in the following location:

C:\Users\<YourUsername>\AppData\Local\Google\Chrome\User Data\Default\

Then I found out that the source code for some of these stealers has actually been leaked online, and decided to take a more in-depth look.

Chrome App-Bound Encryption (ABE)

Starting with Chrome 127, Google introduced a security enhancement called App-Bound Encryption (ABE) to make it significantly harder for malware or unauthorized tools to decrypt locally stored sensitive data.

Before ABE, malware could directly use Windows DPAPI to decrypt saved data (as explained earlier), since everything was encrypted using the current user account’s context.

With ABE, Chromium-based browsers now do the following: generate an AES-256-GCM key per browser profile, encrypt (wrap) that key using DPAPI, and store only the wrapped key, making it harder for malware to recover.

The actual decryption of cookies and passwords now requires obtaining this key through Chrome’s internal IElevator COM interface, which only honours the request if it is made from an executable located inside Chrome’s install directory.

Cracking App-Bound Encryption

Researchers and malware developers have already found ways to bypass this limitation using a technique called Reflective DLL Injection (RDI). By injecting a DLL directly into the browser’s memory, the IElevator interface is tricked into thinking the request is being made by Chrome itself. This allows the malware to unwrap the key and decrypt cookies, passwords and payment information, all without elevating privileges and without the user ever knowing what is happening.

Delivering the stolen data to the attacker

Once the infostealer has collected all of the juicy data, it needs to send it somewhere (exfiltration). Traditional malware uses a C2 (command and control) server to send the data to the attacker. From the attacker’s point of view this is risky, as servers rented or owned by an attacker often leave breadcrumbs (such as payment methods, etc…) and are complex to set up. Instead, newer malware uses Telegram as a C2 server: a Telegram bot and webhooks send the data to a channel securely, and also give the attacker real-time notifications when a new victim’s data has been obtained.
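From a defender’s side, the pattern this post describes (a process outside Chrome’s install directory reading the profile’s SQLite stores and then talking to the Telegram Bot API) is something endpoint telemetry can catch. The following is an added example, not code from the original post: it runs a simple correlation over constructed Sysmon-style events, where the event tuple layout, the sample paths and the process names are assumptions made for illustration.

```python
import ntpath

# Assumed install directory and store names (the profile files the post discusses).
CHROME_INSTALL_DIR = r"C:\Program Files\Google\Chrome\Application"
PROFILE_STORES = {"Login Data", "Cookies", "Web Data"}
BOT_API_HOST = "api.telegram.org"

# Constructed telemetry: (timestamp, event kind, process image, detail).
# file_read detail = path read; net_conn detail = host:port.
EVENTS = [
    (1, "file_read", CHROME_INSTALL_DIR + r"\chrome.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (2, "net_conn", CHROME_INSTALL_DIR + r"\chrome.exe", "api.telegram.org:443"),
    (3, "file_read", r"C:\Users\alice\Downloads\CrosshairX.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (4, "file_read", r"C:\Users\alice\Downloads\CrosshairX.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    (5, "net_conn", r"C:\Users\alice\Downloads\CrosshairX.exe", "api.telegram.org:443"),
    (6, "net_conn", r"C:\Users\alice\Downloads\updater.exe", "api.telegram.org:443"),
]


def is_chrome_store(path):
    """True for the Chrome profile databases an infostealer targets."""
    return ("\\Google\\Chrome\\User Data\\" in path
            and ntpath.basename(path) in PROFILE_STORES)


def is_browser_process(image):
    """True if the image lives in Chrome's own install directory."""
    return ntpath.normcase(ntpath.dirname(image)) == ntpath.normcase(CHROME_INSTALL_DIR)


def detect(events):
    """Return (timestamp, severity, image, stores_read) alerts.

    high   = non-browser process read a profile store, then reached the Bot API
    medium = non-browser process reached the Bot API without a prior store read
    """
    touched = {}  # image -> set of profile store names it has read
    alerts = []
    for ts, kind, image, detail in sorted(events):
        if is_browser_process(image):
            continue  # the browser itself reading its own stores is expected
        if kind == "file_read" and is_chrome_store(detail):
            touched.setdefault(image, set()).add(ntpath.basename(detail))
        elif kind == "net_conn" and detail.split(":")[0] == BOT_API_HOST:
            stores = touched.get(image, set())
            alerts.append((ts, "high" if stores else "medium", image, sorted(stores)))
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In a real deployment the same logic maps onto Sysmon Event ID 3 (network connection) plus a file-access source, with the Bot API host joined against the process image.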

Conclusion

This experience has been a stark reminder of how sophisticated and deceptive modern malware has become — especially when it’s disguised as legitimate software on trusted platforms like GitHub. Even with strong security practices like two-factor authentication and complex, unique passwords, a single lapse in software trust can compromise your entire digital identity.

Through this investigation, I’ve learned just how advanced information stealers are today — using techniques like Reflective DLL Injection to bypass encryption safeguards, and leveraging Telegram as a stealthy command-and-control server to avoid detection and attribution. The rise of App-Bound Encryption in Chromium-based browsers is a much-needed step forward, but attackers continue to evolve just as fast.