How Infostealers Hijack Google Accounts Using Cookies

Infostealer malware has developed methods of compromising Google accounts that survive traditional remediation such as a password change. CloudSEK's research reported that multiple infostealer malware families were abusing Google's undocumented OAuth MultiLogin endpoint to regenerate Google authentication cookies, allowing attackers to restore access to Google services even after a password reset in certain cases.

In 2026, this risk has become broader than one specific technique. Google has warned that session theft commonly happens when users unknowingly download infostealer malware, which can silently extract session cookies from the browser or wait until the user logs in and then steal fresh authentication tokens. This development underscores the need for a deeper understanding of contemporary cyber threats and the continuous evolution of cyber defense strategies.

What are Persistent Cookies?

Persistent cookies are data files that a web browser stores on a user's computer so that they remain available across browsing sessions. Although they are often associated with tracking, their main role is to maintain user preferences, authentication state, login details, and personalization so that websites work more smoothly on return visits. Unlike session cookies, which expire once the browser is closed, persistent cookies remain until a set expiration date.

In account hijacking attacks, the main danger is not the normal use of cookies but the theft of authenticated cookies or session tokens from an infected device. If attackers steal these tokens, they may be able to replay the session and access the account without entering the password again. This is why cookie theft is often treated as session hijacking.

The Attack Technique

The MultiLogin endpoint, which Google uses to synchronize accounts across its services, becomes a tool for attackers when combined with the account ID and tokens extracted from Chrome. The browser stores Google Accounts and ID Administration (GAIA) IDs together with encrypted tokens, so an infected machine is a treasure trove for attackers, who extract and decrypt these tokens using an encryption key found in Chrome's Local State file within the UserData directory. Because MultiLogin is part of Google's OAuth system, presenting a valid GAIA ID and token to it regenerates Google cookies for that account.

This technique was widely reported in late 2023 and early 2024, but the threat has continued to evolve. In July 2024, Google introduced Chrome App-Bound Encryption on Windows to better protect cookies by binding encrypted browser data more closely to the Chrome application.

However, browser-level protections did not completely eliminate the risk. Security researchers later observed that infostealers adapted by finding ways around App-Bound Encryption, including techniques that require access to the Chrome process or elevated privileges. This means cookie theft remains a serious threat even when browsers introduce stronger protections.

In April 2026, Google announced Device Bound Session Credentials (DBSC), a Chrome security feature designed to reduce session theft by cryptographically binding authentication sessions to a specific device. DBSC uses hardware-backed security modules, such as TPM on Windows and Secure Enclave on macOS, to generate a private key that cannot be exported from the machine. This makes it harder for attackers to use stolen session cookies on another device.

Defending Against Cookie-Based Infostealer Attacks

  1. Regular Malware Scans: Ensure the use of dependable antivirus software and routinely perform system scans to identify and eliminate any infostealers present. Organizations should also use endpoint detection and response tools because modern infostealers may evade basic antivirus checks.
  2. Caution with Downloads and Links: Be vigilant about the sources of your downloads and the links you click on, especially in emails from unknown senders. Infostealers are often delivered through fake software, cracked tools, phishing attachments, malicious ads, and social engineering campaigns.
  3. Use Multi-Factor Authentication (MFA): Multi-Factor Authentication (MFA) enhances security by providing an additional protective barrier, significantly reducing the likelihood of unauthorized access by attackers. However, MFA alone may not fully stop cookie hijacking because stolen session cookies can allow attackers to bypass the login process after MFA has already been completed. For stronger protection, users and organizations should adopt phishing-resistant authentication methods such as passkeys or hardware security keys where possible. Google's Advanced Protection Program, for example, requires a passkey or security key to verify identity during sign-in.
  4. Regularly Clear Cookies: Periodically clearing cookies from your browser can limit the amount of data available to potential attackers. Users should also sign out of sensitive accounts on shared or unmanaged devices and regularly review active sessions.
  5. Update and Patch Regularly: Keeping your software, especially your browser, up-to-date ensures that known vulnerabilities are patched, reducing the risk of malware infections. This is especially important as browser vendors continue introducing security improvements such as Chrome App-Bound Encryption and Device Bound Session Credentials to reduce cookie-theft risks.
  6. Educate Yourself and Others: Awareness of how these attacks work can significantly reduce the risk of falling victim to them. Education about cybersecurity best practices is vital.
  7. Monitor Account Activity: Users and organizations should regularly review login history, connected devices, OAuth app permissions, and security alerts. Suspicious sessions should be revoked immediately.
  8. Revoke Sessions After Infection: If an infostealer infection is suspected, changing the password alone may not be enough. Users should first remove malware from the device, then change passwords, revoke active sessions, reset tokens where possible, and re-enable MFA or passkeys from a clean device.

Conclusion

This technique shows that an infostealer can retain access to a Google account even after the victim changes the password, which is why users and organizations must remain vigilant, keep security measures current, and understand how modern cyber threats work. While Google has introduced stronger protections such as Chrome App-Bound Encryption and Device Bound Session Credentials, infostealer malware continues to evolve. Therefore, users should not rely only on passwords or MFA. Strong endpoint protection, safe browsing habits, session monitoring, passkeys, regular updates, and quick response after a malware infection are essential to reducing the risk of cookie-based Google account hijacking.