
Cybersecurity researchers have revealed details of a new Python-based information stealer called VVS Stealer (also known as VVS $tealer) that can collect Discord credentials and tokens.
Palo Alto Networks Unit 42 reports that the stealer was allegedly being sold on Telegram in April 2025.
“The VVS stealer code has been obfuscated by Pyarmor,” researchers Pranay Kumar Chhaparwal and Lee Wei Yeong said. “This tool is used to obfuscate Python scripts to thwart static analysis and signature-based detection. Pyarmor can be used for legitimate purposes as well as for building stealth malware.”
It’s being promoted as the “ultimate steal” on Telegram and is available for a weekly subscription of 10 euros ($11.69). Other pricing tiers are also available: 20 euros ($23) per month, 40 euros ($47) for three months, 90 euros ($105) per year, or 199 euros ($232) for a perpetual license, making it one of the cheapest products on sale.

According to a report published by Deep Code in late April 2025, the stealer is believed to be the work of a French-speaking attacker who is also active in stealer-related Telegram groups such as Myth Stealer and Еуes Steаlеr GC.
The Pyarmor-protected VVS Stealer malware is distributed as a PyInstaller package. Once launched, the stealer establishes persistence by adding itself to the Windows Startup folder so that it starts automatically after the system restarts.
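For triage of the persistence described above, the following added example (not part of the original article or of Unit 42's report) parses the PyInstaller archive cookie and table of contents of every file in a Startup folder and flags bundles whose entries name a Pyarmor runtime. The function names and the Pyarmor name heuristic are assumptions of this example.

```python
import struct
from pathlib import Path

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"        # PyInstaller CArchive cookie magic
COOKIE = struct.Struct("!8sIIii64s")       # cookie layout used by PyInstaller >= 2.1
ENTRY = struct.Struct("!iIIIBB")           # TOC entry header; a NUL-padded name follows
# Heuristic: Pyarmor runtime module names (assumed visible in the archive TOC)
PYARMOR_NAMES = ("pyarmor_runtime", "pytransform")


def parse_pyinstaller(data):
    """Return (python_version, toc_names) if data embeds a CArchive, else None."""
    pos = data.rfind(MAGIC)                # cookie ends the archive; a signature may follow
    if pos < 0 or pos + COOKIE.size > len(data):
        return None
    _, pkg_len, toc_off, toc_len, pyver, _ = COOKIE.unpack_from(data, pos)
    start = pos + COOKIE.size - pkg_len    # where the appended archive begins
    toc_start, toc_end = start + toc_off, start + toc_off + toc_len
    if start < 0 or toc_end > pos:
        return None                        # lengths do not fit the file: not a real cookie
    names, cur = [], toc_start
    while cur + ENTRY.size <= toc_end:
        entry_len = ENTRY.unpack_from(data, cur)[0]
        if entry_len <= ENTRY.size or cur + entry_len > toc_end:
            break                          # malformed entry: stop instead of looping
        raw = data[cur + ENTRY.size:cur + entry_len]
        names.append(raw.split(b"\0", 1)[0].decode("utf-8", "replace"))
        cur += entry_len
    return pyver, names


def triage_startup(folder):
    """List PyInstaller bundles found in a Startup folder, noting Pyarmor runtimes."""
    findings = []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file():
            continue
        parsed = parse_pyinstaller(path.read_bytes())
        if parsed is None:
            continue
        pyver, names = parsed
        pyarmor = any(m in n.lower() for n in names for m in PYARMOR_NAMES)
        findings.append({"file": path.name, "python": pyver,
                         "entries": len(names), "pyarmor": pyarmor})
    return findings
```

On Windows the per-user folder is %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. A hit only shows that a PyInstaller bundle is set to run at logon, which legitimate software also does, so treat it as a lead for further analysis.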

The stealer also displays a fake “fatal error” pop-up alert that instructs the user to restart the computer to resolve the error, and it steals a wide range of data: Discord data (tokens and account information); web browser data from Chromium and Firefox (cookies, history, passwords, autofill information); and screenshots.
VVS Stealer is designed to perform Discord injection attacks in order to hijack active sessions on compromised devices. To accomplish this, it first terminates the Discord application if it is already running. It then downloads from a remote server an obfuscated JavaScript payload that is responsible for monitoring network traffic via the Chrome DevTools Protocol (CDP).
“Malware authors are increasingly leveraging sophisticated obfuscation techniques to evade detection by cybersecurity tools, making malicious software difficult to analyze and reverse engineer,” the company said. “Python is easy to use for malware authors, and this threat uses complex obfuscation, resulting in a highly effective and stealthy malware family.”

The disclosure comes as Hudson Rock details how attackers are using information stealers to siphon administrative credentials from legitimate companies and leverage their infrastructure to distribute malware through ClickFix-style campaigns, creating a self-perpetuating loop.
“A significant percentage of the domains hosting these campaigns are legitimate businesses whose administrative credentials have been stolen by the very information thieves currently being distributed, rather than malicious infrastructure set up by attackers,” the company said.
