Cybersecurity researchers have recently disclosed details about a new Python-based information stealer known as VVS Stealer. This malware is designed to harvest Discord credentials and tokens, posing a significant threat to users of the platform.
According to a report from Palo Alto Networks’ Unit 42, VVS Stealer has been available for purchase on Telegram since April 2025. It is marketed as the “ultimate stealer” and comes at a low cost: €10 ($11.69) for a weekly subscription, with additional pricing tiers of €20 ($23) for a month, €40 ($47) for three months, €90 ($105) for a year, and €199 ($232) for a lifetime licence. This pricing makes it one of the most affordable stealers on the market.
Researchers Pranay Kumar Chhaparwal and Lee Wei Yeong noted that VVS Stealer’s code is obfuscated using a tool called Pyarmor. This technique complicates static analysis and signature-based detection, allowing the malware to evade many cybersecurity measures. Although Pyarmor can be used for legitimate purposes, it is increasingly being exploited to create stealthy malware.
VVS Stealer is distributed as a PyInstaller package, which makes it easy to run on Windows systems. Once launched, it adds itself to the Windows Startup folder, ensuring it automatically starts every time the computer is rebooted. The malware also displays fake “Fatal Error” pop-up alerts, misleading users into restarting their computers, which aids in its data theft.
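The two traits described above (PyInstaller packaging and Startup-folder persistence) can be combined into a simple triage check. The following Python sketch is an added example, not code from the Unit 42 report: it lists executables in the Windows Startup folders that carry the PyInstaller archive marker. The function names and the 64 KiB tail window are assumptions made for this illustration.

```python
import os
from pathlib import Path

# PyInstaller appends an archive to its bootloader; the archive trailer
# ("cookie") begins with this magic value.
PYI_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
TAIL_BYTES = 64 * 1024  # assumption: the cookie sits in the last 64 KiB


def startup_dirs():
    """Return the per-user and all-users Startup folders on Windows."""
    dirs = []
    for var in ("APPDATA", "PROGRAMDATA"):
        base = os.environ.get(var)
        if base:
            dirs.append(Path(base) / "Microsoft" / "Windows" /
                        "Start Menu" / "Programs" / "Startup")
    return dirs


def is_pyinstaller_exe(path):
    """True if the file is a PE (MZ header) with the PyInstaller cookie in its tail."""
    try:
        with open(path, "rb") as fh:
            if fh.read(2) != b"MZ":
                return False
            size = fh.seek(0, os.SEEK_END)
            fh.seek(max(0, size - TAIL_BYTES))
            return PYI_MAGIC in fh.read()
    except OSError:
        return False  # unreadable or missing file: nothing to report


def scan(dirs):
    """Return PyInstaller-packaged executables found directly in the given folders."""
    hits = []
    for folder in dirs:
        if not folder.is_dir():
            continue
        for entry in sorted(folder.iterdir()):
            if entry.is_file() and is_pyinstaller_exe(entry):
                hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in scan(startup_dirs()):
        print(f"review: PyInstaller executable in Startup folder: {hit}")
```

A hit is a lead for review rather than a verdict, since legitimate tools are also packaged with PyInstaller. The check does not follow `.lnk` shortcuts and may miss a binary whose archive is followed by a large signature block.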
Data Theft Capabilities
VVS Stealer is capable of stealing a wide range of information, including:
- Discord data such as tokens and account information.
- Web browser data from popular browsers like Chromium and Firefox, including cookies, browsing history, passwords, and autofill information.
- Screenshots of users’ screens.
Additionally, VVS Stealer can perform Discord injection attacks to hijack active sessions on compromised devices. To execute this, the malware terminates the Discord application if it is already running and downloads an obfuscated JavaScript payload from a remote server. This payload monitors network traffic using the Chrome DevTools Protocol (CDP).
The rise of VVS Stealer reflects a troubling trend in which malware authors are increasingly leveraging advanced obfuscation techniques to evade detection. This makes malicious software harder to analyse and reverse-engineer. The ease of using Python, combined with complex obfuscation, results in a highly effective and stealthy malware family.
The disclosure of VVS Stealer comes amid reports from Hudson Rock, which detail how threat actors are using information stealers to siphon administrative credentials from legitimate businesses. Alarmingly, many of the domains distributing this malware are not malicious in nature but belong to businesses whose credentials have been stolen.
In conclusion, as the threat landscape continues to evolve, it is crucial for users, particularly those active on platforms like Discord, to remain vigilant. Employing strong and unique passwords, enabling two-factor authentication, and utilising reputable antivirus software are vital steps in protecting oneself against these emerging threats.
Author: Oje.Ese
