VoidStealer Malware: Why Saved Browser Passwords Are a Risk

If your staff save passwords in Chrome or Edge on Windows, there’s a new piece of malware worth knowing about. It’s called VoidStealer, and what makes it different from the usual threats is how quietly it works.

VoidStealer first appeared on darkweb forums in December 2025 as a pay-monthly service that criminals can rent to run attacks at scale. Version 2.0, released in March 2026, introduced a technique that bypasses the encryption Chrome uses to protect your saved passwords. Rather than doing anything noisy that antivirus software would normally catch, it attaches itself to the browser like a debugger and waits for the split second when the encryption key appears in memory. No elevated permissions. No code injected into the browser. It reads the key, decrypts everything, and leaves.

That “everything” includes saved passwords, session cookies (which let an attacker log into your accounts without ever needing your password), card autofill details, and two-factor authentication tokens.

What this means for your business

One infected laptop can hand an attacker the keys to your Microsoft 365 account, your email, your banking portal, and your VPN. Those credentials tend to get sold on quickly, which means the person breaking in next week may have no connection to whoever planted the malware in the first place.

The honest truth is that browser password storage was never designed to be a company’s main line of defence. VoidStealer is just the latest reason to treat it that way.

Practical steps worth taking now

• Move away from saved browser passwords. A dedicated password manager like Bitwarden or 1Password stores credentials in a way that isn’t vulnerable to this kind of attack.
• Keep Windows, Chrome, and Edge up to date. Security patches close the gaps these tools exploit. Set updates to run automatically if you haven’t already.
• Make sure antivirus is running and current on every Windows machine. VoidStealer still needs to land on the PC somehow, usually through a phishing email, a fake download, or cracked software.
• Turn on multi-factor authentication (MFA) for email, Microsoft 365, and anything business-critical. A stolen password is far less useful if there’s a second check required to log in.
• Talk to your staff about phishing. The delivery method here is the same as most malware: something that looked legitimate until it wasn’t. If you’re not sure whether your current setup covers these points, it’s worth a conversation with whoever looks after your IT. Our cybersecurity services include a review of exactly this kind of thing, and managed IT support covers keeping your machines patched and monitored so threats like this have fewer ways in.

Worth knowing about, even if nothing changes immediately.