Prevent Ransomware Blog

New T1555.003 Attack Steals Browser Passwords—Are You Protected?

Written by Tony Chiappetta | Jun 26, 2025 9:00:00 AM

In yet another warning shot to the business world, cybercriminals are now actively exploiting a known MITRE ATT&CK technique—T1555.003—to extract saved passwords from popular web browsers.

According to a report from CyberSecurityNews, the attack targets the saved-credential stores of Chrome, Edge, Brave, and Opera, abusing the built-in Windows Data Protection API (DPAPI) to decrypt them.

This isn’t a theoretical risk—it’s a tactic now being deployed in the wild.

What Is T1555.003?

T1555.003 refers to a credential access technique in the MITRE ATT&CK framework that allows adversaries to extract web credentials stored in browsers. These credentials are often protected by DPAPI, which is supposed to ensure they are only accessible by the same user account. But if the attacker already has access to the system—whether via malware, phishing, or credential stuffing—they can extract and decrypt these credentials with relative ease.

And that’s exactly what’s happening now.

The Attack in Action

The malicious code:

  • Accesses browser configuration paths and local credential stores

  • Decodes and extracts the logins.json or Login Data (SQLite) credential files

  • Uses PowerShell and .NET-based scripts to decrypt usernames and passwords

  • Collects and exfiltrates credentials for remote access or future exploitation

Attackers can then use the stolen credentials to pivot deeper into business networks or access sensitive business tools—cloud accounts, financial dashboards, customer databases—you name it.
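As an added example (not code from the original post, and not AppGuard's or CHIPS' tooling), the following Python scans file-access events for the pattern described above from a defender's side: a non-browser process, above all a PowerShell or .NET script host, opening a browser's Login Data or logins.json file, with DPAPI decryption names on the command line raising the severity. The event format, the executable names and the sample events are constructed assumptions.

```python
import json
import re

# Constructed sample file-access events as JSON lines (not from the original post):
# "image" is the process that opened the file, "target" the file it opened.
SAMPLE_LOG = r"""
{"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","target":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data","cmdline":"chrome.exe"}
{"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","target":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data","cmdline":"powershell -w hidden -c [System.Security.Cryptography.ProtectedData]::Unprotect(...)"}
{"image":"C:\\Windows\\explorer.exe","target":"C:\\Users\\alice\\Documents\\notes.txt","cmdline":"explorer.exe"}
{"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","target":"C:\\Users\\alice\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\abcd.default\\logins.json","cmdline":"update.exe"}
"""

# Credential store file names named in the post (compared case-insensitively).
CRED_STORE_NAMES = {"login data", "logins.json"}
# Browser images expected to read their own stores (assumed executable names).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}
# Script hosts the post singles out; access from these is rated high.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "dotnet.exe"}
# Command-line markers of DPAPI decryption from script (.NET and Win32 names).
DPAPI_MARKERS = re.compile(r"protecteddata\]::unprotect|cryptunprotectdata", re.I)

def basename(path):
    """Last path component, lower-cased, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return an alert dict for a suspicious credential-store access, else None."""
    if basename(event["target"]) not in CRED_STORE_NAMES:
        return None
    image = basename(event["image"])
    if image in BROWSER_IMAGES:
        return None  # a browser reading its own store is normal
    severity, reasons = "medium", [f"{image} opened a browser credential store"]
    if image in SCRIPT_HOSTS:
        severity, reasons = "high", reasons + ["script host"]
    if DPAPI_MARKERS.search(event.get("cmdline", "")):
        severity, reasons = "high", reasons + ["DPAPI decryption on command line"]
    return {"severity": severity, "image": image,
            "target": event["target"], "reason": "; ".join(reasons)}

def scan(log_text):
    """Parse JSON lines and return alerts for T1555.003-style access."""
    return [a for a in (classify(json.loads(line)) for line in log_text.strip().splitlines()) if a]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["severity"].upper(), a["image"], "->", a["target"], "|", a["reason"])
```

On the sample events this flags the PowerShell access as high and the unknown Temp binary reading logins.json as medium, while Chrome reading its own store and Explorer opening a document pass.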

Why Detect and Respond Is No Longer Enough

Most cybersecurity solutions rely on a reactive “detect and respond” model. The idea is to catch bad behavior as it happens or shortly after. But here’s the catch: T1555.003 doesn’t require malware to stay resident on your system. Once the attacker has access, even briefly, they can extract and decrypt saved passwords quickly—before any EDR or AV tool even raises a red flag.

By the time your detection tools respond, the attacker is already gone—with your credentials in hand.

This is exactly why businesses need to rethink their endpoint strategy.

The Power of Isolation and Containment

AppGuard takes a fundamentally different approach.

Instead of chasing malware or trying to analyze behavior after the fact, AppGuard assumes everything is guilty until proven safe. It isolates and contains processes at the kernel level, stopping malicious actions—even if the malware is brand new or fileless.

Here’s what that means in practice:

  • Suspicious processes (like PowerShell or scripts accessing DPAPI) are prevented from running or interacting with protected system resources

  • Even if a user is tricked into clicking something malicious, the payload can’t execute

  • Credential-stealing techniques like T1555.003 are neutralized before they start

AppGuard doesn’t need to recognize the threat—it simply stops it from doing harm.

Proven Protection—Now Available for Your Business

AppGuard has a 10-year track record of successfully defending some of the most targeted organizations in the world. It’s now available for commercial use, bringing the same military-grade containment to small and mid-sized businesses.

If your employees use browsers to manage passwords (and let’s be honest—they do), your business is vulnerable to T1555.003 and similar threats.

Let’s stop pretending “Detect and Respond” is enough.

It’s time to move to “Isolation and Containment.”

Talk to CHIPS About Preventing These Threats with AppGuard

At CHIPS, we help businesses like yours take a proactive stance against today’s most sophisticated cyber threats. Let us show you how AppGuard can prevent incidents like this—before they even have a chance to begin.

📞 Reach out today to learn how AppGuard can lock down your endpoints and protect your credentials from the next wave of attacks.
