chromelevator.exe
chromelevator.exe is a native Windows credential-stealing payload observed in two distinct malicious contexts: as an embedded component of KORTEX Stealer v3.51.2 and as a payload delivered by the malicious npm package undicy-http.

In KORTEX, chromelevator.exe is extracted at runtime from resource ID 101 (RT_RCDATA) and executed as a separate process. It is described as a dedicated bypass tool for Chrome App-Bound Encryption introduced in Chrome v127, abusing Chrome Mojo IPC named pipes rather than exploiting a CVE or patching Chrome binaries. Reported pipe patterns include mojo.%u.%u.%04X.chrome, chrome.sync.%u.%u.%04X, and chrome.nacl.%u_%04X, and results are returned via the named pipe DLL_PIPE_COMPLETION_SIGNAL. Strings including "App-Bound Encryption Key" and "Copilot App-Bound Encryption Key" indicate targeting of Chrome and Edge-related encrypted storage. The referenced sample was reportedly compiled on 2026-01-24 with SHA256 a95ad2f5dec66f6ce6c7ab58d158b64225437e42e2397b8f958bfa507ebb7dbe.

In the undicy-http campaign, chromelevator.exe is a native Windows executable that injects into browser processes at the OS level and steals passwords, cookies, credit card numbers, IBANs, and session tokens from more than 50 browsers and over 90 cryptocurrency wallet extensions. It also targeted session data from Roblox, Instagram, Spotify, TikTok, Steam, and Telegram, as well as 28 desktop cryptocurrency wallets and six hardware wallet integrations including Ledger and Trezor. The broader campaign was attributed by JFrog to LofyGang, with exfiltration via Discord webhook and Telegram bot, and large stolen files uploaded to gofile.io or catbox.moe. The sample reportedly matched YARA rule MAL_Browser_Stealer_Dec25_2 associated with the broader GlassWorm Campaign framework.
Across the provided reporting, chromelevator.exe is consistently characterized as a Windows browser-focused stealer and credential access tool used to bypass browser protections and extract sensitive data including cookies, saved credentials, payment data, wallet material, and session tokens.
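The pipe names quoted above are the most concrete hunting lead on this page: a Chromium browser legitimately connects to its own Mojo pipes, but a process that is not a browser doing so, or any process creating the fixed-name completion pipe, is worth a look. The following is an added example (not code from the page or from any vendor) that turns the reported printf-style patterns into anchored regexes and runs them over constructed Sysmon-shaped pipe events (IDs 17 PipeCreated and 18 PipeConnected). The browser allow-list, the key=value log shape and the "non-browser image connecting to a Mojo-pattern pipe" heuristic are assumptions made for the example.

```python
import re

# Pipe-name patterns reported for chromelevator.exe (printf-style, as quoted in
# the write-up above) plus the fixed-name completion pipe.
MOJO_PIPE_PATTERNS = [
    "mojo.%u.%u.%04X.chrome",
    "chrome.sync.%u.%u.%04X",
    "chrome.nacl.%u_%04X",
]
COMPLETION_PIPE = "DLL_PIPE_COMPLETION_SIGNAL"

# Process images expected to talk over Chromium Mojo pipes. This allow-list is
# an assumption for the example; extend it for the browsers you actually deploy.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe"}

# Sysmon pipe event IDs: 17 = PipeCreated, 18 = PipeConnected.
PIPE_CREATED, PIPE_CONNECTED = 17, 18


def pattern_to_regex(fmt: str) -> re.Pattern:
    """Turn a printf-style pipe-name pattern into an anchored regex.
    %u matches an unsigned decimal; %04X matches exactly four upper-case hex
    digits; everything else is matched literally."""
    parts, i = [], 0
    while i < len(fmt):
        if fmt.startswith("%u", i):
            parts.append(r"\d+")
            i += 2
        elif fmt.startswith("%04X", i):
            parts.append(r"[0-9A-F]{4}")
            i += 4
        else:
            parts.append(re.escape(fmt[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


MOJO_PIPE_REGEXES = [pattern_to_regex(p) for p in MOJO_PIPE_PATTERNS]

# Constructed key=value lines in the shape of Sysmon pipe events; not real
# telemetry. Line 1 is Chrome itself (benign); lines 2-4 are the behaviour the
# write-up describes; line 5 is an unrelated Windows pipe.
SAMPLE_EVENTS = [
    r"EventID=18 Image=C:\Program Files\Google\Chrome\Application\chrome.exe PipeName=\mojo.4412.1200.0A1B.chrome",
    r"EventID=18 Image=C:\Users\alice\AppData\Local\Temp\chromelevator.exe PipeName=\mojo.4412.1200.0A1B.chrome",
    r"EventID=17 Image=C:\Users\alice\AppData\Local\Temp\chromelevator.exe PipeName=\DLL_PIPE_COMPLETION_SIGNAL",
    r"EventID=18 Image=C:\Windows\System32\svchost.exe PipeName=\chrome.nacl.77_BEEF",
    r"EventID=18 Image=C:\Windows\System32\svchost.exe PipeName=\ntsvcs",
]

_LINE_RE = re.compile(r"^EventID=(\d+) Image=(.+?) PipeName=(\S+)$")


def parse_event(line: str):
    """Return (event_id, image_basename, pipe_basename), or None if the line is
    not a pipe event in the expected shape."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    event_id = int(m.group(1))
    image = m.group(2).rsplit("\\", 1)[-1].lower()
    pipe = m.group(3).rsplit("\\", 1)[-1]  # drop the leading "\" or pipe prefix
    return event_id, image, pipe


def classify(line: str):
    """Return an (image, reason) finding for a suspicious pipe event, else None."""
    parsed = parse_event(line)
    if parsed is None:
        return None
    event_id, image, pipe = parsed
    if pipe == COMPLETION_PIPE:
        return image, "fixed-name completion pipe DLL_PIPE_COMPLETION_SIGNAL"
    if event_id == PIPE_CONNECTED and image not in BROWSER_IMAGES:
        if any(rx.match(pipe) for rx in MOJO_PIPE_REGEXES):
            return image, f"non-browser process connected to Chromium Mojo pipe {pipe}"
    return None


def scan(lines):
    """Run classify() over a batch of lines and collect the findings."""
    return [f for f in (classify(line) for line in lines) if f]


if __name__ == "__main__":
    for image, reason in scan(SAMPLE_EVENTS):
        print(f"[suspicious] {image}: {reason}")
```

On the constructed input, the Chrome connection and the unrelated ntsvcs pipe are ignored while the three chromelevator-style events are flagged. The anchored regexes keep the match tight (a lower-case hex suffix, for instance, does not match %04X), which matters when the same logic is lifted into a Sigma or SIEM rule.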
Groups observed using it
1 distinct threat actor attributed by public researchers.
The second is a native Windows executable called chromelevator.exe, which injects into browser processes at the operating system level to steal passwords, cookies, credit card numbers, IBANs, and session tokens from over 50 browsers and 90 cryptocurrency wallet extensions.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic:
Initial Access: 1 technique
Execution: 2 techniques
Privilege Escalation: 2 techniques
Stealth: 2 techniques
Credential Access: 4 techniques
NYX reads leveldb databases and Local State files, decrypts tokens protected by DPAPI using a PowerShell helper, and validates every recovered token against the Discord API...
The malware covers a wide range of targets, hitting eight major browsers including Chrome, Edge, Brave, Opera GX, and Firefox, while extracting cookies, saved passwords, payment card details, active session tokens, and IBANs from each one.
Once injected and fully active inside the browser, the payload extracts cookies, stored passwords, session tokens, payment card data, and IBANs across eight targeted browsers.
KORTEX handles three generations of Chrome credential protection in a single binary:
Pre-v80: direct DPAPI via CryptUnprotectData
v80 to v126: AES-256-GCM decryption via BCryptDecrypt with DPAPI-protected keys
v127+: the embedded chromelevator.exe bypass
Exfiltration: 1 technique
IOCs tracked for this family
9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
A native Windows browser-stealing payload that injects into browser processes to steal passwords, cookies, credit card data, IBANs, session tokens, and cryptocurrency wallet data. It also uses direct syscalls to evade user-mode EDR and antivirus hooks.
A dedicated Chrome App-Bound Encryption bypass utility embedded within KORTEX. It connects to Chrome's Mojo IPC named pipes, derives runtime decryption keys through Chrome's internal communication protocol, and decrypts cookies and passwords for Chromium-based browsers including Chrome, Edge, and Brave.