Vidar Infostealer Bypasses Google Chrome’s ABE Encryption via APC Injection
ID: 8b558d4f-78fe-569c-9aa4-6c0786f04bb5
STIX ID: report--8b558d4f-78fe-569c-9aa4-6c0786f04bb5
Feed Name: GBHackers
Gen Threat Labs reports that the Vidar infostealer has evolved to bypass Chrome’s 2024 Application-Bound Encryption (ABE). The malware forks browser processes (via NtCreateProcessEx with a null section) to create copy-on-write memory snapshots, scans them for Chromium’s Encryptor::KeyRing entries (the v20_master_key), and uses APC injection to invoke CryptUnprotectMemory in-process so that the master key is decrypted and extracted from within the browser. It then re-encrypts the memory to avoid leaving forensic traces. The report includes a SHA-256 indicator of compromise (IoC) for detection.
