T1555.003 Technique Steal Passwords

A sophisticated credential theft technique, identified as T1555.003 in the MITRE ATT&CK framework, has emerged as a significant threat to organizations worldwide. 

This technique enables adversaries to extract usernames and passwords directly from web browsers, which commonly store these credentials to streamline user logins and improve convenience. 

As a result, attackers can gain unauthorized access to both personal and enterprise accounts, increasing the risk of privilege escalation and lateral movement within targeted networks.


Attackers Steal Passwords From Web Browsers

The T1555.003 technique exploits the convenience feature in modern browsers that saves login credentials.

According to recent research, web browsers typically store these credentials in an encrypted format within a credential store, but threat actors have developed methods to extract them in plaintext.

On Windows systems, attackers can access Google Chrome’s encrypted credentials by targeting the database file located at AppData\Local\Google\Chrome\User Data\Default\Login Data and executing the SQL query: SELECT action_url, username_value, password_value FROM logins;. 

The encrypted data is then decrypted using the Windows API function CryptProtectData, which leverages the victim’s cached logon credentials as the decryption key.

Similar vulnerabilities exist across other popular browsers including Firefox, Edge, and Safari. The implications are severe as compromised browser credentials often lead to privilege escalation when these credentials overlap with administrative accounts.

Threat Actors Actively Exploiting the Vulnerability

Security telemetry data shows seven major APT groups are actively deploying this technique.

“We’ve seen a significant increase in browser credential theft operations since early 2025,” explains cybersecurity researcher Steven Lim. 

“The query results shown in the threat intelligence dashboard reflect over 6,000 active indicators related to this technique.”

The most prominent threat is Agent Tesla, a spyware that can harvest credentials from multiple browsers while also collecting screenshots and clipboard data.

Another concerning actor is APT41, a Chinese cyber threat group conducting both state-sponsored espionage and financially motivated operations.

Other actors exploiting this vulnerability include the Iranian-linked Ajax Security Team, China-based APT3, Iranian military-affiliated APT33, North Korean group APT37, and Iran’s IRGC-associated APT42.

Security analysts have identified numerous observables related to this attack. The most common include:

  • File hashes with SHA-256 signatures showing 3,729 indicators and SHA-1 with 256 indicators.
  • MD5 hashes with 859 instances at 75% confidence and 68 cases at 83% confidence.
  • URL and domain indicators show 584 and 170 matches, respectively.
  • Network traffic source references with 154 indicators.

To detect these attacks, organizations should monitor file access patterns to browser credential stores. With object-access auditing enabled, Windows records Event ID 4663 entries when a process opens browser files such as Local State or Login Data, so access by anything other than the browser itself stands out.

Experts recommend implementing multi-factor authentication, regularly changing passwords, and limiting privileged access. 

For technical teams, monitoring file system access to browser credential stores using tools like Sigma rules can improve detection capabilities.
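A detection check along the lines described above, added here as an example and not taken from the article or any vendor tool: it reads Event ID 4663 records (constructed sample lines in JSON-lines form, as a log forwarder might emit them) and raises an alert when a process other than the browser's own binary (a hypothetical allowlist) opens Login Data or Local State.

```python
import json
import re
from typing import Dict, Iterable, List

# Files named in the article: Chromium-based browsers keep saved logins in
# "Login Data" and the DPAPI-wrapped key material in "Local State".
CREDENTIAL_STORE_RE = re.compile(
    r"\\User Data\\(?:[^\\]+\\)?(?:Login Data|Local State)$", re.IGNORECASE
)

# Hypothetical allowlist (assumption): only the browser's own binary,
# installed under Program Files, legitimately touches these files.
ALLOWED_PROCESS_RE = re.compile(
    r"^C:\\Program Files(?: \(x86\))?\\(?:Google\\Chrome\\Application\\chrome\.exe"
    r"|Microsoft\\Edge\\Application\\msedge\.exe)$",
    re.IGNORECASE,
)

# Constructed sample 4663 events (JSON lines). Backslashes are JSON-escaped.
SAMPLE_EVENTS = r"""
{"EventID": 4663, "SubjectUserName": "alice", "ProcessName": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "ObjectName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", "AccessMask": "0x1"}
{"EventID": 4663, "SubjectUserName": "alice", "ProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "ObjectName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", "AccessMask": "0x1"}
{"EventID": 4663, "SubjectUserName": "SYSTEM", "ProcessName": "C:\\Windows\\System32\\svchost.exe", "ObjectName": "C:\\Windows\\Temp\\setup.log", "AccessMask": "0x2"}
{"EventID": 4656, "SubjectUserName": "alice", "ProcessName": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe", "ObjectName": "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Local State", "AccessMask": "0x1"}
{"EventID": 4663, "SubjectUserName": "bob", "ProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ObjectName": "C:\\Users\\bob\\AppData\\Local\\Microsoft\\Edge\\User Data\\Local State", "AccessMask": "0x1"}
"""


def is_credential_store(path: str) -> bool:
    """True if the object path is a browser credential-store file."""
    return bool(CREDENTIAL_STORE_RE.search(path))


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert per 4663 event in which a non-allowlisted process
    opened a browser credential store (4656 handle requests are ignored)."""
    alerts: List[Dict[str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 4663:
            continue
        obj, proc = ev.get("ObjectName", ""), ev.get("ProcessName", "")
        if not is_credential_store(obj) or ALLOWED_PROCESS_RE.match(proc):
            continue
        alerts.append({"user": ev.get("SubjectUserName", "?"),
                       "process": proc, "object": obj})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print("ALERT browser credential store access:", alert)
```

The same allowlist idea maps directly onto a Sigma rule (selection on EventID 4663 plus ObjectName ending in Login Data or Local State, filter on the browser's process path).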

Organizations should also consider deploying modern credential management solutions that provide additional protection layers beyond what browsers natively offer.

As this threat continues to evolve, security professionals must remain vigilant. With over 6,000 active threat indicators currently circulating, the risk of credential compromise through browser storage mechanisms remains critically high.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.