Bypass Record
Process Injection × Google Chrome
A publicly reported instance of Process Injection bypassing Google Chrome, recorded with its original source. Factual record; no assessment of any specific deployment.
Reported as
bypass of Chromium's App-Bound Encryption (ABE) to extract cookies, passwords, browsing history, autofill data, and payment information from Chrome
Mechanism
The tool launches a legitimate browser in a suspended state, then uses reflective DLL injection and process hollowing to inject a payload that hijacks the browser's security context. It employs direct syscalls to bypass user-land API hooks, allowing decryption of ABE-protected data in memory without triggering endpoint detection. It also terminates browser utility processes that hold file locks on target databases.
Detection & mitigation
Monitor for process hollowing by detecting creation of suspended processes followed by memory modifications (e.g., NtWriteVirtualMemory, NtMapViewOfSection) and thread resumption, especially targeting browsers. Use endpoint detection and response (EDR) with syscall monitoring or kernel callbacks to catch direct syscall-based injection, and enforce application control to block untrusted executables from launching browsers in suspended mode.
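As an added illustration of the detection logic above (example code, not from the cited source), the following Python correlator flags the suspended browser launch, followed by memory write/map and then thread resumption from the same source process, over a constructed telemetry stream. The event field names are assumptions, not any EDR's real schema.

```python
"""Stateful correlator for the process-hollowing sequence described above.

Added example, not from the original record. Event records are constructed
and simplified; the field names (op, pid, target, image, suspended) are
assumptions, not a real EDR schema.
"""

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
MEM_OPS = {"NtWriteVirtualMemory", "NtMapViewOfSection"}

# Constructed telemetry: a hollowing sequence against pid 4242, and a
# normal (non-suspended) browser launch of pid 5000 that must not alert.
EVENTS = [
    {"ts": 1, "op": "CreateProcess", "pid": 1337, "target": 4242,
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "suspended": True},
    {"ts": 2, "op": "NtWriteVirtualMemory", "pid": 1337, "target": 4242},
    {"ts": 3, "op": "NtMapViewOfSection", "pid": 1337, "target": 4242},
    {"ts": 4, "op": "NtResumeThread", "pid": 1337, "target": 4242},
    {"ts": 5, "op": "CreateProcess", "pid": 2000, "target": 5000,
     "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "suspended": False},
    {"ts": 6, "op": "NtResumeThread", "pid": 2000, "target": 5000},
]


def detect_hollowing(events, window=30):
    """Return alerts for: suspended browser launch -> memory write/map ->
    thread resume, all from the same source pid within `window` seconds."""
    state = {}  # target pid -> {"src": source pid, "t0": launch ts, "mem": ops seen}
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        tgt = e["target"]
        if e["op"] == "CreateProcess":
            name = e["image"].rsplit("\\", 1)[-1].lower()
            # Only a suspended launch of a browser image opens a tracking window.
            if e.get("suspended") and name in BROWSERS:
                state[tgt] = {"src": e["pid"], "t0": e["ts"], "mem": set()}
            continue
        s = state.get(tgt)
        # Ignore events from other processes or outside the correlation window.
        if s is None or s["src"] != e["pid"] or e["ts"] - s["t0"] > window:
            continue
        if e["op"] in MEM_OPS:
            s["mem"].add(e["op"])
        elif e["op"] == "NtResumeThread" and s["mem"]:
            alerts.append({"source_pid": e["pid"], "target_pid": tgt,
                           "mem_ops": sorted(s["mem"]), "ts": e["ts"]})
            del state[tgt]
    return alerts


if __name__ == "__main__":
    for a in detect_hollowing(EVENTS):
        print("ALERT possible process hollowing:", a)
```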
This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.