ChromeAlone – Chromium Browser C2 Implant for Red Team Operations

ID: cdc33be8-15f7-55ba-ba59-27dd57f65cd4

STIX ID: report--cdc33be8-15f7-55ba-ba59-27dd57f65cd4

Feed Name: Darknet

Threat Score: 75/100

Date Published: 2025-08-22

Date Updated: 2026-05-11

...
...

DumpBrowserSecrets is a publicly documented post-exploitation credential-harvesting tool that targets major Windows browsers (Chrome, Edge, Brave, Opera family, Vivaldi, Firefox) to extract saved passwords, session cookies, OAuth refresh tokens, credit card data, autofill, history and bookmarks. It implements an App-Bound Encryption bypass for Chromium-based browsers by spawning a headless Chromium process and injecting a DLL to call the IElevator COM interface, handles DPAPI and NSS decryption for other browsers, and includes operational evasion features (string obfuscation, API hashing, PPID/argument spoofing, file-handle duplication). The report covers usage, extraction output (JSON), a realistic attack scenario, detection opportunities (injection, IElevator usage, non-browser reads of SQLite DBs), and mitigation recommendations such as using external credential managers.