A new infostealer called VoidStealer uses a novel debugger technique to bypass Chrome's Application-Bound Encryption and extract the master decryption key. The FBI has issued a public service announcement confirming that Russian intelligence services are actively targeting Signal and WhatsApp users in phishing campaigns that have compromised thousands of accounts. The U.S. Department of Justice has disrupted command-and-control infrastructure behind IoT botnets responsible for record-breaking 31.4 Tbps DDoS attacks. A critical Quest KACE vulnerability is being exploited against education-sector targets.
A new information-stealing malware called VoidStealer has developed a technique to bypass Chrome's Application-Bound Encryption (ABE) — the security feature Google introduced to protect stored passwords, cookies, and session tokens from being extracted by malware.
Google introduced Application-Bound Encryption (ABE) in Chrome 127 as a major security upgrade. ABE ties encrypted data — passwords, cookies, autofill tokens, payment information — to the specific application that created it, making it significantly harder for malware to decrypt stolen browser data even with access to the Windows DPAPI keys.
VoidStealer has found a way around it. The malware uses a debugger attachment technique to hook into Chrome's process and extract the master encryption key before ABE protections are applied. By attaching to Chrome's internal processes as a debugger, VoidStealer can intercept the decryption key in memory — bypassing the entire ABE security model.
ABE was supposed to be the answer to the infostealer epidemic. Before ABE, any malware with local file access could decrypt Chrome's stored data using Windows DPAPI. ABE raised the bar significantly — but VoidStealer demonstrates that debugger-based attacks can circumvent it entirely. This technique is likely to be adopted by other infostealer families quickly.
Organizations relying on Chrome's built-in credential storage should consider this a wake-up call. Browser-stored passwords remain a high-value target, and defense-in-depth approaches — enterprise password managers, hardware-bound authentication, phishing-resistant MFA — are essential.
DebugActiveProcess and NtDebugActiveProcess API calls targeting browser processesThe FBI and CISA have issued a joint public service announcement warning that Russian intelligence-linked threat actors are conducting mass phishing campaigns against Signal and WhatsApp users, having already compromised thousands of accounts globally.
FBI Director Kash Patel confirmed in a public statement that threat actors affiliated with Russian Intelligence Services are systematically targeting users of commercial messaging applications (CMAs) including Signal and WhatsApp. The campaign specifically targets individuals of high intelligence value — current and former government officials, military personnel, political figures, and journalists.
The scale of the campaign is staggering. According to the FBI/CISA advisory, the operation has already resulted in the unauthorized access to thousands of individual accounts globally. Once an account is compromised, the attackers can:
The phishing campaigns use multiple techniques to compromise messaging accounts:
For EU organizations subject to NIS2, this advisory is directly relevant. Russian intelligence targeting of encrypted communications affects government contractors, critical infrastructure operators, and any organization with employees who may be considered "high intelligence value" targets. NIS2 Article 21 requires appropriate measures to protect communication security.
The U.S. Department of Justice has disrupted the command-and-control infrastructure of multiple IoT botnets — AISURU, Kimwolf, JackSkid, and Mossad — responsible for DDoS attacks measuring up to 31.4 Terabits per second.
In a court-authorized operation, U.S. law enforcement — with assistance from Canadian and German authorities — has dismantled the C2 infrastructure powering four major IoT botnets. The botnets collectively controlled approximately 3 million compromised IoT devices worldwide and launched DDoS attacks of unprecedented scale.
The record-breaking 31.4 Tbps attack, attributed to the AISURU/Kimwolf botnet, was first documented by Cloudflare in November 2025. To put this in perspective, that's roughly equivalent to the entire internet bandwidth of a mid-sized country being directed at a single target.
The investigation involved an unprecedented coalition of private-sector companies including Akamai, AWS, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab. This level of cross-industry cooperation reflects the severity of the botnet threat to global internet infrastructure.
The fact that 3 million devices were conscripted into these botnets underscores the catastrophic state of IoT security. Default credentials, unpatched firmware, and lack of network segmentation continue to make IoT devices the easiest entry point for botnet operators. Under NIS2, manufacturers of connected devices will face new security requirements — but enforcement is still ramping up.
The United States has officially confirmed that the Handala hacktivist group operates on behalf of the Iranian government and has seized multiple domains used in cyber-enabled psychological operations.
The U.S. government has taken the significant step of officially attributing the Handala hacking group to the Iranian government, confirming what threat intelligence researchers have long suspected. Accompanying the attribution, federal authorities have seized several domains used by Handala in what the government describes as "cyber-enabled psychological operations."
Handala gained notoriety for destructive attacks including the recent Stryker wiper attack that affected tens of thousands of devices. The group operates under the guise of hacktivism but carries out operations that align with Iranian state interests — targeting defense contractors, critical infrastructure, and organizations in countries opposing Iranian foreign policy.
A critical vulnerability in Quest KACE (CVE-2025-32975) is being exploited in attacks targeting schools and universities. Quest KACE manages thousands of endpoints across education networks.
The Quest KACE Systems Management Appliance, widely deployed in educational institutions for endpoint management, software distribution, and asset inventory, is under active exploitation via CVE-2025-32975. The vulnerability allows attackers to gain unauthorized access to the management console and, from there, push malicious software to every managed endpoint.
Educational institutions are particularly vulnerable because:
In a sign of where the security industry sees the next major challenge, Oasis Security has raised $120 million to build out its agentic access management platform. As organizations deploy AI agents with autonomous capabilities — from code generation to infrastructure management — the question of how to manage and audit the access these agents have becomes critical.
Traditional identity and access management (IAM) was built for humans. AI agents operate differently — they may need broad permissions for short periods, make thousands of API calls per minute, and chain actions across multiple systems in ways that are difficult to audit with conventional tools. Oasis is building IAM specifically for this new paradigm.
The funding round reflects investor conviction that agentic AI security will be a multi-billion-dollar category as enterprise AI adoption accelerates. For organizations deploying AI agents, this is a reminder to:
| Threat | Severity | Type | Action Required |
|---|---|---|---|
| VoidStealer Chrome ABE Bypass | CRITICAL | Malware | Monitor for debugger attachment, migrate to password managers |
| Russian Signal/WhatsApp Phishing | CRITICAL | Nation-State | Audit linked devices, enable registration lock |
| IoT Botnets (AISURU/Kimwolf/JackSkid) | HIGH | Botnet Disruption | Audit IoT credentials, segment IoT networks |
| Handala/Iran Attribution & Seizures | HIGH | Nation-State | Review Iranian APT threat model, plan for wiper scenarios |
| Quest KACE (CVE-2025-32975) | HIGH | Vulnerability | Patch immediately, restrict management access |
| Agentic AI Access Risks | MEDIUM | Emerging Risk | Audit AI agent permissions, apply least privilege |
VoidStealer proves that browser encryption alone isn't enough. KENSAI scans your web applications, APIs, and infrastructure for the vulnerabilities attackers are actually exploiting — before they steal your credentials.
Start Your Free Security Scan →Published by the KENSAI Threat Intelligence Team
Daily Security Briefing — March 23, 2026
Read more briefings →