Cybersecurity researchers have disclosed particulars of a brand new Python-based data stealer referred to as VVS Stealer (additionally styled as VVS $tealer) that is able to harvesting Discord credentials and tokens.
The stealer is claimed to have been on sale on Telegram way back to April 2025, in response to a report from Palo Alto Networks Unit 42.
“VVS stealer’s code is obfuscated by Pyarmor,” researchers Pranay Kumar Chhaparwal and Lee Wei Yeong mentioned. “This software is used to obfuscate Python scripts to hinder static evaluation and signature-based detection. Pyarmor can be utilized for official functions and in addition leveraged to construct stealthy malware.”
Marketed on Telegram because the “final stealer,” it is out there for €10 ($11.69) for a weekly subscription. It will also be bought at totally different pricing tiers: €20 ($23) for a month, €40 ($47) for 3 months, €90 ($105) for a 12 months, and €199 ($232) for a lifetime license, making it one of many most cost-effective stealers on the market.
Based on a report printed by Deep Code in late April 2025, the stealer is believed to be the work of a French-speaking menace actor, who can be energetic in stealer-related Telegram teams resembling Fantasy Stеaler and Еуes Steаlеr GC.
The Pyarmor-protected VVS Stealer malware is distributed as a PyInstaller bundle. As soon as launched, the stealer units up persistence by including itself to the Home windows Startup folder to make sure that it is robotically launched following a system reboot.
It additionally shows faux “Deadly Error” pop-up alerts that instruct customers to restart their computer systems to resolve an error and steal a variety of information –
- Discord information (tokens and account data)
- Net browser information from Chromium and Firefox (cookies, historical past, passwords, and autofill data)
- Screenshots
VVS Stealer can be designed to carry out Discord injection assaults in order to hijack energetic classes on the compromised system. To attain this, it first terminates the Discord software, if it is already operating. Then, it downloads an obfuscated JavaScript payload from a distant server that is liable for monitoring community visitors through the Chrome DevTools Protocol (CDP).
“Malware authors are more and more leveraging superior obfuscation methods to evade detection by cybersecurity instruments, making their malicious software program more durable to investigate and reverse-engineer,” the corporate mentioned. “As a result of Python is straightforward for malware authors to make use of and the complicated obfuscation utilized by this menace, the result’s a extremely efficient and stealthy malware household.”
The disclosure comes as Hudson Rock detailed how menace actors are utilizing data stealers to siphon administrative credentials from official companies after which leverage their infrastructure to distribute the malware through ClickFix-style campaigns, making a self-perpetuating loop.
“A big proportion of domains internet hosting these campaigns should not malicious infrastructure arrange by attackers, however official companies whose administrative credentials have been stolen by the very infostealers they’re now distributing,” the corporate mentioned.
