← Back to Blog
Security Briefing 10 min read March 23, 2026

VoidStealer Bypasses Chrome's Encryption via Debugger Trick, FBI Links Signal Phishing to Russian Intelligence, DoJ Disrupts Record-Breaking 31.4 Tbps IoT Botnets

A new infostealer called VoidStealer uses a novel debugger technique to bypass Chrome's Application-Bound Encryption and extract the master decryption key. The FBI has issued a public service announcement confirming that Russian intelligence services are actively targeting Signal and WhatsApp users in phishing campaigns that have compromised thousands of accounts. The U.S. Department of Justice has disrupted command-and-control infrastructure behind IoT botnets responsible for record-breaking 31.4 Tbps DDoS attacks. A critical Quest KACE vulnerability is being exploited against education-sector targets.


1. VoidStealer Malware Steals Chrome Master Key via Debugger Trick

⚠️ CRITICAL — Chrome's Application-Bound Encryption Bypassed

A new information-stealing malware called VoidStealer has developed a technique to bypass Chrome's Application-Bound Encryption (ABE) — the security feature Google introduced to protect stored passwords, cookies, and session tokens from being extracted by malware.

Google introduced Application-Bound Encryption (ABE) in Chrome 127 as a major security upgrade. ABE ties encrypted data — passwords, cookies, autofill tokens, payment information — to the specific application that created it, making it significantly harder for malware to decrypt stolen browser data even with access to the Windows DPAPI keys.

VoidStealer has found a way around it. The malware uses a debugger attachment technique to hook into Chrome's process and extract the master encryption key before ABE protections are applied. By attaching to Chrome's internal processes as a debugger, VoidStealer can intercept the decryption key in memory — bypassing the entire ABE security model.

How VoidStealer Works

Why This Matters

ABE was supposed to be the answer to the infostealer epidemic. Before ABE, any malware with local file access could decrypt Chrome's stored data using Windows DPAPI. ABE raised the bar significantly — but VoidStealer demonstrates that debugger-based attacks can circumvent it entirely. This technique is likely to be adopted by other infostealer families quickly.

Organizations relying on Chrome's built-in credential storage should consider this a wake-up call. Browser-stored passwords remain a high-value target, and defense-in-depth approaches — enterprise password managers, hardware-bound authentication, phishing-resistant MFA — are essential.

Immediate Actions


2. FBI Issues PSA: Russian Intelligence Services Targeting Signal and WhatsApp Users

⚠️ CRITICAL — Thousands of Encrypted Messaging Accounts Already Compromised

The FBI and CISA have issued a joint public service announcement warning that Russian intelligence-linked threat actors are conducting mass phishing campaigns against Signal and WhatsApp users, having already compromised thousands of accounts globally.

FBI Director Kash Patel confirmed in a public statement that threat actors affiliated with Russian Intelligence Services are systematically targeting users of commercial messaging applications (CMAs) including Signal and WhatsApp. The campaign specifically targets individuals of high intelligence value — current and former government officials, military personnel, political figures, and journalists.

The scale of the campaign is staggering. According to the FBI/CISA advisory, the operation has already resulted in the unauthorized access to thousands of individual accounts globally. Once an account is compromised, the attackers can:

Attack Methodology

The phishing campaigns use multiple techniques to compromise messaging accounts:

NIS2 Implications

For EU organizations subject to NIS2, this advisory is directly relevant. Russian intelligence targeting of encrypted communications affects government contractors, critical infrastructure operators, and any organization with employees who may be considered "high intelligence value" targets. NIS2 Article 21 requires appropriate measures to protect communication security.

Immediate Actions


3. DoJ Disrupts IoT Botnets Behind Record 31.4 Tbps DDoS Attacks

🔶 HIGH — International Law Enforcement Dismantles Massive Botnet Infrastructure

The U.S. Department of Justice has disrupted the command-and-control infrastructure of multiple IoT botnets — AISURU, Kimwolf, JackSkid, and Mossad — responsible for DDoS attacks measuring up to 31.4 Terabits per second.

In a court-authorized operation, U.S. law enforcement — with assistance from Canadian and German authorities — has dismantled the C2 infrastructure powering four major IoT botnets. The botnets collectively controlled approximately 3 million compromised IoT devices worldwide and launched DDoS attacks of unprecedented scale.

The record-breaking 31.4 Tbps attack, attributed to the AISURU/Kimwolf botnet, was first documented by Cloudflare in November 2025. To put this in perspective, that's roughly equivalent to the entire internet bandwidth of a mid-sized country being directed at a single target.

The Botnets

Private Sector Coalition

The investigation involved an unprecedented coalition of private-sector companies including Akamai, AWS, Cloudflare, DigitalOcean, Google, Lumen, Nokia, Okta, Oracle, PayPal, SpyCloud, Synthient, Team Cymru, Unit 221B, and QiAnXin XLab. This level of cross-industry cooperation reflects the severity of the botnet threat to global internet infrastructure.

IoT Security Takeaway

The fact that 3 million devices were conscripted into these botnets underscores the catastrophic state of IoT security. Default credentials, unpatched firmware, and lack of network segmentation continue to make IoT devices the easiest entry point for botnet operators. Under NIS2, manufacturers of connected devices will face new security requirements — but enforcement is still ramping up.

Immediate Actions


4. US Confirms Handala Link to Iranian Government, Seizes Hacker Sites

🔶 HIGH — Iranian State-Sponsored Hacktivism Officially Attributed

The United States has officially confirmed that the Handala hacktivist group operates on behalf of the Iranian government and has seized multiple domains used in cyber-enabled psychological operations.

The U.S. government has taken the significant step of officially attributing the Handala hacking group to the Iranian government, confirming what threat intelligence researchers have long suspected. Accompanying the attribution, federal authorities have seized several domains used by Handala in what the government describes as "cyber-enabled psychological operations."

Handala gained notoriety for destructive attacks including the recent Stryker wiper attack that affected tens of thousands of devices. The group operates under the guise of hacktivism but carries out operations that align with Iranian state interests — targeting defense contractors, critical infrastructure, and organizations in countries opposing Iranian foreign policy.

What This Means for Organizations


5. Quest KACE Critical Vulnerability Exploited in Education Sector Attacks

🔶 HIGH — Widely Deployed Systems Management Tool Under Active Exploitation

A critical vulnerability in Quest KACE (CVE-2025-32975) is being exploited in attacks targeting schools and universities. Quest KACE manages thousands of endpoints across education networks.

The Quest KACE Systems Management Appliance, widely deployed in educational institutions for endpoint management, software distribution, and asset inventory, is under active exploitation via CVE-2025-32975. The vulnerability allows attackers to gain unauthorized access to the management console and, from there, push malicious software to every managed endpoint.

Educational institutions are particularly vulnerable because:

Immediate Actions


6. Oasis Security Raises $120M for Agentic Access Management

In a sign of where the security industry sees the next major challenge, Oasis Security has raised $120 million to build out its agentic access management platform. As organizations deploy AI agents with autonomous capabilities — from code generation to infrastructure management — the question of how to manage and audit the access these agents have becomes critical.

Traditional identity and access management (IAM) was built for humans. AI agents operate differently — they may need broad permissions for short periods, make thousands of API calls per minute, and chain actions across multiple systems in ways that are difficult to audit with conventional tools. Oasis is building IAM specifically for this new paradigm.

The funding round reflects investor conviction that agentic AI security will be a multi-billion-dollar category as enterprise AI adoption accelerates. For organizations deploying AI agents, this is a reminder to:


Daily Threat Summary

ThreatSeverityTypeAction Required
VoidStealer Chrome ABE BypassCRITICALMalwareMonitor for debugger attachment, migrate to password managers
Russian Signal/WhatsApp PhishingCRITICALNation-StateAudit linked devices, enable registration lock
IoT Botnets (AISURU/Kimwolf/JackSkid)HIGHBotnet DisruptionAudit IoT credentials, segment IoT networks
Handala/Iran Attribution & SeizuresHIGHNation-StateReview Iranian APT threat model, plan for wiper scenarios
Quest KACE (CVE-2025-32975)HIGHVulnerabilityPatch immediately, restrict management access
Agentic AI Access RisksMEDIUMEmerging RiskAudit AI agent permissions, apply least privilege

Is Your Browser Security Keeping Up?

VoidStealer proves that browser encryption alone isn't enough. KENSAI scans your web applications, APIs, and infrastructure for the vulnerabilities attackers are actually exploiting — before they steal your credentials.

Start Your Free Security Scan →

Published by the KENSAI Threat Intelligence Team
Daily Security Briefing — March 23, 2026
Read more briefings →

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →

Related Articles

Citrix NetScaler Actively Exploited (CVE-2026-3055), F5 BIG-IP RCE Upgraded to C 设备代码钓鱼攻击激增37倍,TA416攻击欧洲政府,LinkedIn BrowserGate扫描6000+扩展,Qilin勒索软件袭击Die Linke Citrix NetScaler aktiv ausgenutzt (CVE-2026-3055), F5 BIG-IP RCE auf kritisch ho