Vidar Malware Bypasses Chrome Encryption Using CryptUnprotectMemory

ID: 5ed0dedc-463f-523b-8fab-c4957ac5554e

STIX ID: report--5ed0dedc-463f-523b-8fab-c4957ac5554e

Feed Name: Cyber Press

Threat Score: 80/100

Date Published: 2026-06-20

Date Updated: 2026-06-21

Author: Lucas Martin

...
...

**Executive Summary:** The report documents a sophisticated Vidar infostealer technique that forks Chrome processes and scans live memory to locate the Chromium Encryptor::KeyRing v20 node. It then uses APC-based in-process calls to CryptUnprotectMemory to extract and validate the v20_master_key, and re-encrypts the memory afterwards to cover its traces. The report includes detection guidance (monitor NtCreateProcessEx calls with null section handles and APC queuing into browser threads) and an IoC hash for the sample.