Security researchers have documented a new infostealer named ZeroCrumb that steals browser cookies and defeats the protection Chromium-based browsers apply to them. Notably, it was recently distributed through public GitHub repositories.
The malware targets cookies stored by Chromium-based browsers such as Chrome, Brave, and Edge. These cookies often carry session tokens that keep users logged in to websites without re-entering passwords. By stealing them, an attacker can replay an active session and access the victim's accounts directly.
Why ZeroCrumb Is Dangerous
Unlike many cookie stealers, ZeroCrumb does not require administrative privileges to work. Because it never needs elevation, no User Account Control (UAC) prompt appears, so the user gets no visible sign that something is wrong.
The malware goes after the encrypted store browsers use to protect cookies and extracts the session tokens inside it. Those tokens can grant access to email, cloud storage, banking services, and corporate systems. A stolen session cookie is accepted as proof of a login that has already been completed, so the attacker needs neither the password nor the second factor of multi-factor authentication.
Researchers from KrakenLabs, Outpost24's threat intelligence team, discovered the malware after noticing unusual outbound data from several corporate networks. Their analysis describes ZeroCrumb as a notable advance in how attackers steal credentials through browsers.
Wider Implications
With so many people using browser-based apps for work and personal use, stolen cookies can lead to quick and silent account takeovers. This makes ZeroCrumb a major threat to both individuals and businesses.
How It Works
Chrome's App-Bound Encryption ties the cookie encryption key to the browser itself: the key can only be decrypted by the Chrome Elevation Service, a privileged Windows service that checks that the process asking is a genuine Chrome binary. ZeroCrumb uses a process-injection technique called Transacted Hollowing, which creates an image section from a file inside an NTFS transaction that is never committed to disk and maps it into a real, suspended chrome.exe process. Its payload then runs inside a process that passes the service's check.
From inside that process, the malware calls the Elevation Service's IElevator COM interface to decrypt the App-Bound Key, the key that in turn unlocks the encrypted cookie values in the browser's database.
The decrypted key is handed off over a named pipe, a standard Windows inter-process communication mechanism that is not a security boundary by itself. Any local process that can call the Windows named-pipe APIs can connect to the "ZeroCrumb pipe" and read the decryption key.
In some builds ZeroCrumb is compiled as a DLL, with the key dumper stored in the library's resource section. This lets attackers use the malware in different ways, including loading it from programs that otherwise look legitimate.
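The sequence above leaves a footprint a defender can look for: a chrome.exe process started by an unexpected parent, another process opening that chrome.exe with rights that allow writing memory and creating threads, and a named pipe created from inside it. The following triage script is an added example, not code from the article or from KrakenLabs. It walks a list of Sysmon-style events (Event ID 1 process creation, Event ID 10 process access, Event ID 17 pipe created) and flags a chrome.exe that matches that pattern. The field names follow Sysmon's, but the events, paths, PIDs, and pipe names are constructed for the example; the expected-parent list is an assumption you would tune to your own fleet.

```python
"""
Added example (not from the article or the KrakenLabs research): triage
constructed Sysmon-style events for a chrome.exe process that looks hollowed.
Events are assumed to be in chronological order, as Sysmon emits them.
"""
from collections import defaultdict

# Assumption: the parents that normally launch chrome.exe on a managed
# workstation. Tune this to your environment.
EXPECTED_CHROME_PARENTS = {
    r"c:\windows\explorer.exe",
    r"c:\program files\google\chrome\application\chrome.exe",
}
CHROME_IMAGE = r"c:\program files\google\chrome\application\chrome.exe"

# Windows PROCESS_* access rights that together allow injecting code into
# another process (write its memory, change protections, start a thread).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE


def norm(path):
    """Case-fold a Windows path so comparisons are not case sensitive."""
    return path.lower()


def triage(events):
    """
    Return {pid: [reasons]} for chrome.exe processes with at least one strong
    signal (unexpected parent, or injection-style access from a non-Chrome
    process). Pipe creation is reported only as supporting context, because
    a genuine Chrome creates pipes for its own IPC all the time.
    """
    strong = defaultdict(list)
    context = defaultdict(list)
    chrome_pids = set()

    for ev in events:
        eid = ev["EventID"]
        if eid == 1 and norm(ev["Image"]) == CHROME_IMAGE:
            pid = ev["ProcessId"]
            chrome_pids.add(pid)
            if norm(ev["ParentImage"]) not in EXPECTED_CHROME_PARENTS:
                strong[pid].append(f"unexpected parent {ev['ParentImage']}")
        elif eid == 10 and ev["TargetProcessId"] in chrome_pids:
            # Sysmon logs GrantedAccess as a hex string such as "0x1FFFFF".
            granted = int(ev["GrantedAccess"], 16)
            if granted & INJECT_MASK and norm(ev["SourceImage"]) != CHROME_IMAGE:
                strong[ev["TargetProcessId"]].append(
                    f"opened by {ev['SourceImage']} with access 0x{granted:X}")
        elif eid == 17 and ev["ProcessId"] in chrome_pids:
            context[ev["ProcessId"]].append(f"created pipe {ev['PipeName']}")

    return {pid: strong[pid] + context[pid] for pid in strong}


# Constructed sample: PID 4100 is a normal Chrome launched from Explorer;
# PID 5208 was launched by a downloaded binary, which then opened it with
# full access, after which the "Chrome" created an unusual pipe.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 17, "ProcessId": 4100, "PipeName": r"\mojo.4100.1"},
    {"EventID": 1, "ProcessId": 5208,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Users\alice\Downloads\tool.exe"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\Downloads\tool.exe",
     "TargetProcessId": 5208, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 17, "ProcessId": 5208, "PipeName": r"\constructed-pipe"},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(f"PID {pid}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Two caveats for anyone adapting this: an attacker can spoof the parent PID so that chrome.exe appears to be started by Explorer, which is why the process-access signal is kept as an independent trigger, and Sysmon only records Event ID 10 for the source/target pairs your configuration includes, so make sure accesses to chrome.exe from outside Chrome's install directory are logged.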
Hard to Detect, Easy to Trust
ZeroCrumb is hard to detect because its code runs inside what looks like a genuine browser process while the data theft happens in the background. That makes it especially risky in corporate environments, where a process named chrome.exe talking to Chrome's own service draws no attention.