
In 2025, infostealers stole 1.8 billion credentials from 5.8 million devices, an 800% year-over-year increase. The downstream impact is staggering: over 54% of ransomware victims in 2024-25 had their domain credentials appear on infostealer marketplaces before any actual attack took place.
Now, we’ve been tracking a new entrant called “The Void,” which has been sold on cybercrime networks since late 2025. It advertises broad browser and extension coverage, targeting everything from mainstream browsers to crypto wallets and password managers.
Broad Browser And Extension Targeting
In particular, The Void targets 20+ Chromium and Gecko-based browsers, including Chrome, Edge, Brave, Opera, and Firefox variants. It also harvests data from 100+ extensions, including crypto wallets like MetaMask and Phantom, password managers, and authenticator apps.

This broad coverage reflects ongoing investment in the platform. The builder interface shows updates as recent as January 19, 2026, and lets operators configure targeting options, output formats, and delivery mechanisms.
Bypassing Chrome Cookie Protection
This active development cycle appears to have yielded results against recent browser defenses. The toolkit claims compatibility with Chrome’s App-Bound Encryption, the cookie protection Google introduced in mid-2024 that binds decryption keys to the Chrome application identity.

Configuration options like CHROMEkeys=v10,v20 indicate support for both legacy and current encryption methods, suggesting the developers are closely tracking browser security updates.

The configuration panel reveals further targeting specifics: browser data paths, Telegram notification templates with variables like , , , and , and file collection patterns. This level of configurability is typical of more mature/advanced MaaS offerings.
The Operator Dashboard
Stolen data flows into a command-and-control dashboard that gives operators an overview of their campaign. Counters update in real time as new victims are compromised, and the geographic breakdown shows which regions are being affected.

The dashboard turns stolen data into a searchable database. Operators can filter by URL, country, application, or extension type to find exactly what they need, whether that’s banking credentials, crypto wallets, or social media logins.

Each row represents a compromised individual. The columns show cookie counts, password counts, autofill data, detected applications, and file sizes. In one example, a single victim yielded over 12,000 cookies and 1,200 autofill entries, representing years of browsing history in a 9MB download.

Takedown-Resistant Infrastructure
Behind the user interface, the operators describe an infrastructure designed to reduce the impact of disruptions. They say many infostealer operations rely on simple NGINX relay nodes that forward traffic to a central panel, which creates two problems: if the main panel goes down, traffic goes nowhere, and high-volume traffic can attract attention from scanners and trigger abuse reports.
In their design, they claim “gaskets” act as full receivers that accept traffic, aggregate and package logs, and forward them to a main decryption server. They further claim that if the main panel becomes unavailable, the gaskets can continue collecting logs and later hand them over once the decryption server is ready.

The malware also avoids hardcoded server addresses. Instead, it pulls connection details from Telegram channels or Steam, allowing operators to update infrastructure with fewer payload rebuilds. The control panel is hosted on Tor and the operators claim it stores minimal data about users.
Maintaining Session Access
The “Google Cookie Restore” feature shown below likely uses a technique in which stolen Google authentication tokens are exchanged to re-issue valid session cookies, potentially restoring access even after the original cookies expire. The SOCKS5 proxy support lets operators route through IPs near the victim’s location, avoiding “new login from unusual location” alerts.

This extends compromise value beyond initial theft: operators can maintain persistent access to Gmail, Drive, and Workspace accounts.

Operators can also retrieve data in bulk through the download interface, pulling entire campaigns’ worth of stolen credentials, filtered and packaged for credential stuffing, targeted phishing, or resale.
Mitigation For Security Teams
Given these evasion capabilities, teams should watch for these exfiltration behaviours:
- Tor traffic and Telegram Bot API calls from endpoints.
- Processes accessing multiple browser user directories in quick succession.
- Direct syscall usage outside normal application behavior.
- Large outbound transfers to unknown destinations.
- Connections to recently registered or low-reputation domains.
Egress filtering based on data movement, rather than on malware signatures, will catch more here.
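As an added example (not BlackFog’s code and not part of The Void), the following detector runs over a few constructed endpoint telemetry lines and flags two of the behaviours listed above: one process touching several distinct browser profile directories within a short window, and any outbound connection to the Telegram Bot API host. The `ts|pid|proc|kind|value` line format and the field names are assumptions, not any product’s schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Vendor folders under which Chromium/Gecko browsers keep profile data
# (Cookies, Login Data, logins.json). Matching on these catches a sweep
# across many browsers regardless of the exact file touched.
BROWSER_DIRS = ("\\Google\\Chrome\\User Data", "\\Microsoft\\Edge\\User Data",
                "\\BraveSoftware\\Brave-Browser\\User Data", "\\Opera Software\\",
                "\\Mozilla\\Firefox\\Profiles")
TELEGRAM_BOT_API = "api.telegram.org"  # host used by Telegram Bot API calls

def parse(line):
    """Parse a constructed 'ts|pid|proc|kind|value' telemetry line."""
    ts, pid, proc, kind, value = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "proc": proc, "kind": kind, "value": value}

def detect(lines, window=timedelta(seconds=30), min_browsers=3):
    """Return (rule, pid, proc) alerts for browser sweeps and Telegram Bot API use."""
    alerts = []
    touched = defaultdict(list)  # pid -> [(ts, browser_root)] within the window
    for ev in map(parse, lines):
        if ev["kind"] == "file":
            root = next((d for d in BROWSER_DIRS if d.lower() in ev["value"].lower()), None)
            if root is None:
                continue
            hist = touched[ev["pid"]]
            hist.append((ev["ts"], root))
            hist[:] = [(t, r) for t, r in hist if ev["ts"] - t <= window]  # expire old events
            if len({r for _, r in hist}) >= min_browsers:
                alerts.append(("browser_sweep", ev["pid"], ev["proc"]))
                hist.clear()  # one alert per sweep, not one per file
        elif ev["kind"] == "net" and ev["value"].split(":")[0] == TELEGRAM_BOT_API:
            alerts.append(("telegram_bot_api", ev["pid"], ev["proc"]))
    return alerts

# Constructed sample telemetry: one unknown process reads three browsers'
# stores in nine seconds and then calls the Telegram Bot API; Chrome itself
# reading its own cookie store is benign and must not alert.
SAMPLE_LOG = [
    "2026-01-20T10:00:00|4120|update.exe|file|C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
    "2026-01-20T10:00:02|4120|update.exe|file|C:\\Users\\a\\AppData\\Local\\Microsoft\\Edge\\User Data\\Default\\Login Data",
    "2026-01-20T10:00:05|4120|update.exe|file|C:\\Users\\a\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x.default\\logins.json",
    "2026-01-20T10:00:09|4120|update.exe|net|api.telegram.org:443",
    "2026-01-20T10:01:00|2200|chrome.exe|file|C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Tune `window` and `min_browsers` to the telemetry cadence of your EDR export; a legitimate browser process touches only its own profile root, which is why the threshold is on distinct vendor folders rather than file count.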
Stopping Data Exfiltration
This toolkit lets almost anyone run credential theft campaigns targeting 20+ browsers and 100+ extensions. Server-side decryption defeats signature-based detection, direct syscalls bypass EDR hooks, and dynamic C2 resolution via Telegram/Steam evades static blocklists. But every infostealer shares one requirement: stolen data must leave the device.
This is where anti data exfiltration (ADX) technology provides defense where detection fails. ADX monitors outbound traffic in real-time. Rather than detecting malicious code, it focuses on data movement itself: identifying when sensitive data is transmitted to unauthorized destinations, blocking transfers to suspicious endpoints, and stopping exfiltration as it happens.
Even if the stealer executes and harvests credentials, the data never reaches the attacker. No exfiltration means no breach.
Appendix A: Core Technical Details
The core technical details of how The Void operates and evades detection include:
- Language: C/C++, x64 native binary
- System Calls: Direct syscalls via syscall instruction, avoiding ntdll.dll hooks
- Evasion: Bypasses EDR userland hooks by calling kernel directly
- Communication: HTTPS with XOR obfuscation layer on payload
- Decryption: Server-side only – SQLite databases transmitted encrypted
- Anti-Analysis: “Morpher” obfuscation, VM/sandbox detection
- Size: ~600KB (base), 1-1.5MB (morphed)
The Void: A New MaaS Infostealer Targeting 20+ Browsers