New Glove Infostealer Malware Bypasses Chrome’s Cookie Encryption: A Growing Threat


WIRE TOR - The Ethical Hacking Services

November 15, 2024

A new Glove Stealer malware is currently bypassing Google Chrome’s App-Bound encryption, which was designed to protect sensitive browser cookies from being stolen. This security bypass is a major concern for millions of users, as the malware is capable of exfiltrating cookies, 2FA session tokens, and even passwords from popular applications like Google, Microsoft, LastPass, Bitwarden, and KeePass. With a significant number of browsers and extensions targeted, the Glove Stealer poses an even greater risk to cybersecurity.

Glove Stealer is an infostealer malware that targets both Firefox and Chromium-based browsers such as Google Chrome, Edge, Brave, Yandex, and Opera. Once installed on the victim’s machine, it can steal a wide range of sensitive data, including:

- Cookies for browser sessions
- 2FA tokens from apps like Google Authenticator, Microsoft Authenticator, and Aegis
- Passwords stored in password managers like Bitwarden, KeePass, and LastPass
- Emails from clients like Thunderbird
- Cryptocurrency wallet data from browser extensions

The malware not only steals sensitive data from browsers but also targets over 280 browser extensions and 80 locally installed applications, including those that manage cryptocurrency wallets, 2FA authenticators, password managers, and email clients.

One of the most concerning aspects of Glove Stealer is its ability to bypass Google Chrome’s App-Bound encryption (introduced in Chrome 127) for cookies. This encryption was supposed to make it much harder for attackers to steal cookies by adding an additional layer of protection. However, Glove Stealer has managed to defeat this protection by using a technique described by security researcher Alexander Hagenah.

To bypass this encryption, the malware leverages Chrome’s COM-based IElevator Windows service. This service runs with SYSTEM privileges and decrypts and retrieves App-Bound encrypted keys. However, to make this work, the attacker needs local admin privileges on the compromised system, which allows the malware to place a supporting module in Google Chrome’s Program Files directory and retrieve the encrypted keys.
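Because the technique depends on dropping a supporting module into Chrome’s Program Files directory, defenders can audit that tree for binaries that are not signed by Google. The following PowerShell script is an added example, not part of the original article or any Wire Tor tooling; it assumes the default 64-bit Chrome install path and that legitimate Chrome binaries carry a certificate whose subject contains "O=Google LLC".

```powershell
# Added example (not from the article): flag binaries in Chrome's install
# directory that are unsigned or signed by someone other than Google.
# Assumption: default 64-bit Chrome install location.
$ChromeDir = 'C:\Program Files\Google\Chrome\Application'

function Get-SuspiciousChromeModules {
    param([string]$Path = $ChromeDir)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Chrome directory not found: $Path"
        return @()
    }

    Get-ChildItem -LiteralPath $Path -Recurse -Include *.dll, *.exe -File |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            [pscustomobject]@{
                Path      = $_.FullName
                Status    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Signer    = $subject
                LastWrite = $_.LastWriteTime
            }
        } |
        # Assumption: genuine Chrome binaries are signed with a Google LLC certificate.
        Where-Object { $_.Status -ne 'Valid' -or $_.Signer -notmatch 'O=Google LLC' }
}

# Each row is a file worth investigating; an empty result means every DLL/EXE
# under the Chrome tree carries a valid Google signature.
Get-SuspiciousChromeModules | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so every file in the tree is readable, and treat a recently written, non-Google-signed module as a candidate for quarantine and further analysis.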

Although this method may sound sophisticated, it is still rudimentary compared with the techniques used by other malware. This suggests that Glove Stealer is likely still in the early stages of development, but its ability to bypass Chrome’s App-Bound encryption is nonetheless a concerning breakthrough. Many other infostealer families have already moved beyond this technique to steal cookies from Chrome’s encrypted storage.

While Glove Stealer is still in its development stages, the growing prevalence of similar malware campaigns is alarming. Since Google introduced App-Bound encryption in July 2024, attackers have been quick to adapt. These campaigns now target potential victims via various attack vectors, including:

- Vulnerable drivers and zero-day vulnerabilities
- Malvertising (malicious online advertisements)
- Spearphishing emails
- Fake fixes for GitHub issues
- StackOverflow answers containing malicious code

Researchers and malware analysts have noted that these infostealers are becoming increasingly effective at bypassing modern security mechanisms like App-Bound encryption. The fact that these campaigns are still successful despite Google’s efforts demonstrates the growing sophistication of cybercriminals and their ability to stay one step ahead.

While Glove Stealer and similar malware pose significant risks, there are steps you can take to protect your personal and business data:

- Keep Software Updated: Ensure that Google Chrome and other browsers, as well as all installed applications, are up to date with the latest security patches.
- Use Strong Passwords: Avoid reusing passwords across accounts. Use complex passwords and enable two-factor authentication (2FA) wherever possible.
- Run Security Audits: Perform regular penetration testing on your systems to identify and patch vulnerabilities before cybercriminals exploit them.
- Avoid Suspicious Links and Attachments: Be cautious when opening email attachments or clicking on links, especially those from unfamiliar senders.
- Monitor Extensions: Regularly review the extensions installed on your browser, especially those related to cryptocurrency wallets and password managers.

In the case of businesses, Wire Tor Pentest Services can help conduct comprehensive security audits to ensure that your organization’s systems are not vulnerable to attacks like Glove Stealer. With expert penetration testing and vulnerability assessments, Wire Tor ensures that your defenses are continuously updated and secure.

To stay ahead of emerging threats like Glove Stealer, organizations should partner with trusted security experts like Wire Tor Pentest Services. Penetration testing simulates real-world attacks to identify security weaknesses before cybercriminals can exploit them. With the ever-evolving landscape of cyber threats, continuous security assessments are essential for maintaining a strong defense.

Wire Tor Pentest Services specializes in identifying and mitigating vulnerabilities in web applications, mobile apps, servers, and networks. By leveraging cutting-edge tools and techniques, we can help safeguard your business from data theft, credential theft, and malware infections like Glove Stealer.

For more information on how Wire Tor Pentest Services can protect your systems, visit Wire Tor Pentest Services.

- Glove Stealer is an emerging infostealer malware capable of bypassing Chrome’s App-Bound encryption to steal cookies and other sensitive information.
- The malware targets a wide range of applications, including cryptocurrency wallets, password managers, and email clients.
- Cybercriminals continue to adapt to new security features, making it crucial for businesses and individuals to stay vigilant with regular security audits and pen testing.
- Partnering with a trusted cybersecurity provider like Wire Tor Pentest Services can help ensure your systems are secure against evolving threats.

Protect your organization’s data today and stay ahead of cybercriminals with Wire Tor’s expert security solutions. Your digital assets deserve the best protection, and Wire Tor is here to provide it.
