If you’re a Discord user, you might want to pay attention to this one. Security researchers have recently uncovered a nasty piece of malware called VVS Stealer (sometimes written as VVS $tealer) that’s specifically designed to go after Discord users. What makes this particular threat stand out from the crowd is its clever use of obfuscation techniques that help it slip past most security tools undetected.

Let’s take a closer look at what this malware actually does, how it manages to stay hidden, and most importantly, what you can do to keep yourself safe.

So, What Exactly is VVS Stealer?

VVS Stealer is essentially a credential-stealing malware written in Python. Its primary targets? Discord users. According to researchers at Palo Alto Networks Unit 42, this stealer has been actively developed and sold on Telegram since around April 2025. The people behind it aren’t just giving it away either — they’ve set up a whole subscription model for it.

Here’s what their pricing looks like:

Plan       Price
---------  -----
Weekly     €10
Monthly    €20
3 Months   €40
Yearly     €90
Lifetime   €199

They even throw in a one-day trial for potential buyers. It’s honestly kind of disturbing how professional these cybercriminals have become with their “products.”

What Can VVS Stealer Actually Do?

This isn’t some amateur script kiddie project. VVS Stealer comes packed with a pretty comprehensive set of features designed to extract as much valuable information as possible from victims. Here’s a visual breakdown of how the attack flows:

flowchart TD
    A[🎯 Victim Downloads Infected File] --> B[📦 PyInstaller Unpacks]
    B --> C[🔓 Pyarmor Deobfuscation at Runtime]
    C --> D{Malware Executes}
    D --> E[🎮 Discord Data Theft]
    D --> F[🌐 Browser Data Theft]
    D --> G[💉 Discord Injection]
    D --> H[📁 Startup Persistence]
    E --> E1[Find Encrypted Tokens]
    E1 --> E2[Decrypt via DPAPI + AES-GCM]
    E2 --> E3[Query Discord API]
    F --> F1[Extract Cookies]
    F --> F2[Extract Passwords]
    F --> F3[Extract Autofill Data]
    G --> G1[Kill Discord Process]
    G1 --> G2[Inject Malicious JS]
    G2 --> G3[Monitor User Actions]
    E3 --> I[📤 Exfiltrate via Discord Webhook]
    F3 --> I
    G3 --> I
    H --> J[⚠️ Display Fake Error Message]

Let’s break down each of these capabilities.

Discord Data Theft

The malware’s main focus is hunting down your Discord information. It looks for encrypted Discord tokens by searching through LevelDB files (those .ldb and .log files in your Discord data folder). What it’s specifically looking for are strings that start with a particular prefix:

# How VVS Stealer identifies Discord tokens
TOKEN_PREFIX = "dQw4w9WgXcQ:"
FILE_EXTENSIONS = [".ldb", ".log"]
SEARCH_LOCATION = "Discord LevelDB directory"

Once it finds these encrypted tokens, it uses Windows’ built-in Data Protection API (DPAPI) combined with AES-GCM encryption to decrypt them. Pretty clever, actually — it’s using your own system’s security features against you.

With those decrypted tokens, the malware can then hit up Discord’s API and grab all sorts of personal info:

Category      What Gets Stolen
------------  ----------------------------------------
Account Info  User ID, Username, Email, Phone number
Subscription  Nitro status, Payment methods
Social        Friends list, Guild memberships
Security      MFA status, Verification status
Profile       Avatar image
System        IP address (via ipify), Computer name

That’s a pretty comprehensive profile of you and your Discord account, all bundled up and sent off to the attackers.

Discord Session Hijacking — The Really Scary Part

Here’s where things get particularly nasty. VVS Stealer doesn’t just steal your data once and call it a day. It actually injects malicious code directly into your Discord application so it can keep watching you.

The process works like this:

  1. First, it kills any running Discord processes
  2. Then it downloads an obfuscated JavaScript file (injection-obf.js) from a remote server
  3. This malicious script gets injected into Discord’s core files
  4. Finally, it restarts Discord with the compromised code in place

The injected code is designed to monitor specific actions you take. Whenever you view your backup codes, change your password, or add a new payment method, the malware captures that information and sends it straight to the attackers. It even uses Chrome DevTools Protocol to snoop on your network traffic within Discord.

So even if you change your password after getting infected, they’ll know the new one too. Yikes.

Browser Data Extraction

Discord isn’t the only target. VVS Stealer also goes after your web browsers — and it’s not picky about which ones. Here’s the full list of browsers it targets:

TARGETED_BROWSERS = [
    "Chrome", "Edge", "Firefox", "Brave", "Opera",
    "Vivaldi", "Yandex", "7Star", "Amigo", "CentBrowser",
    "Epic Privacy Browser", "Iridium", "Kometa", 
    "Lightcord", "Orbitum", "Sputnik", "Torch", "Uran"
]

From each of these browsers, it tries to extract:

  • Autofill data — your saved addresses, names, phone numbers
  • Cookies — which can be used to hijack your sessions on other websites
  • Browsing history — everywhere you’ve been online
  • Saved passwords — the big one

All of this browser data gets compressed into a ZIP file named <YOUR_USERNAME>_vault.zip and shipped off through Discord webhooks.

How It Sticks Around

VVS Stealer wants to make sure it survives a reboot. It copies itself to your Windows Startup folder:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup

This means every time you log into Windows, the malware fires up again and continues doing its thing. Even if you reinstall Discord or clear your browsers, it’ll just start collecting fresh data.
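The two file-system traces described in this section and in the injection section above (an executable or script dropped into the Startup folder, and a tampered discord_desktop_core module) can be checked directly on the host. The script below is an added example, not code from the Unit 42 report or from the malware itself. Two things in it are assumptions of this example rather than facts from the report: that a stock discord_desktop_core/index.js contains only a one-line loader for core.asar, and the list of file types treated as out of place in a user's Startup folder.

```python
"""Added example (not from the Unit 42 write-up): host-side triage for the two
file indicators, Startup-folder drops and a modified discord_desktop_core."""
import os
from pathlib import Path

# Assumption: a stock discord_desktop_core/index.js holds only this loader line.
EXPECTED_INDEX_JS = "module.exports = require('./core.asar');"

# Assumption: the Startup folder normally holds .lnk shortcuts; raw executables
# and scripts there deserve a look.
SUSPICIOUS_STARTUP_SUFFIXES = {".exe", ".py", ".pyw", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def default_startup_dir() -> Path:
    """Per-user Startup folder named in the text, resolved from %APPDATA%."""
    appdata = os.environ.get("APPDATA", "")
    return Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup"


def audit_startup_dir(startup_dir: Path) -> list[str]:
    """Return Startup entries that are executables or scripts rather than shortcuts."""
    findings = []
    if not startup_dir.is_dir():
        return findings
    for entry in sorted(startup_dir.iterdir()):
        if entry.is_file() and entry.suffix.lower() in SUSPICIOUS_STARTUP_SUFFIXES:
            findings.append(str(entry))
    return findings


def audit_discord_core(discord_dir: Path) -> list[str]:
    """Walk a Discord install tree and report every discord_desktop_core whose
    index.js differs from the expected loader or that carries extra .js files."""
    findings = []
    for core_dir in sorted(discord_dir.rglob("discord_desktop_core")):
        if not core_dir.is_dir():
            continue
        index_js = core_dir / "index.js"
        if index_js.is_file():
            content = index_js.read_text(encoding="utf-8", errors="replace").strip()
            if content != EXPECTED_INDEX_JS:
                findings.append(f"modified loader: {index_js}")
        # Injected scripts are usually dropped next to index.js; core.asar is expected.
        for extra in sorted(core_dir.glob("*.js")):
            if extra.name != "index.js":
                findings.append(f"unexpected script: {extra}")
    return findings


if __name__ == "__main__":
    # Assumption: Discord keeps its module tree under %APPDATA%\discord.
    discord_root = Path(os.environ.get("APPDATA", "")) / "discord"
    for hit in audit_startup_dir(default_startup_dir()) + audit_discord_core(discord_root):
        print(hit)
```

Both functions take the directory to inspect as a parameter, so the same checks can be pointed at a mounted disk image during forensics rather than only at the live machine.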

The Fake Error Trick

Here’s a clever bit of social engineering. After the malware does its initial dirty work, it pops up a fake error message using Windows’ MessageBoxW function. The message claims there’s been a “Fatal Error” with error code 0x80070002 and suggests you restart your computer.

It’s a distraction tactic. While you’re scratching your head about this “error” and maybe restarting your PC (which actually helps the malware establish persistence), all your data has already been stolen and sent off.

The Pyarmor Problem: Why This Malware is Hard to Detect

One of the main reasons VVS Stealer has been so effective is its use of Pyarmor, a commercial tool designed to protect Python code. Normally, Pyarmor is used by legitimate developers who want to keep their proprietary code safe. But malware authors have figured out it’s also great for hiding malicious code from security scanners.

Here’s how the protection layers stack up:

flowchart TB
    subgraph "VVS Stealer Protection Layers"
        A[Layer 1: PyInstaller Package] --> B[Layer 2: Pyarmor v9.1.4 Pro Runtime]
        B --> C[Layer 3: AES-128-CTR Encrypted Bytecode]
        C --> D[Layer 4: BCC Mode - C Compiled Functions]
        D --> E[Layer 5: Encrypted Strings]
    end
    subgraph "What Security Researchers Had To Do"
        F[1. Extract from PyInstaller] --> G[2. Decompile Python Bytecode]
        G --> H[3. Extract AES Keys from Runtime]
        H --> I[4. Decrypt Pyarmor Protection]
        I --> J[5. Recover Original Malicious Code]
    end

Breaking Down the Obfuscation

The sample that researchers analyzed was packaged with PyInstaller (which bundles Python apps into standalone executables) and protected with Pyarmor version 9.1.4 Pro. That “Pro” designation matters — it means the malware authors paid for the premium version with extra protection features.

Here’s what each protection layer does:

String Encryption: Any text string longer than 8 characters gets encrypted with AES-128-CTR. This means security tools can’t just scan for suspicious strings like “discord” or “password” — they’re all scrambled.

Bytecode Encryption: The actual Python instructions are encrypted between special markers. You can’t just decompile it and read the code.

BCC Mode: This is the really tricky one. BCC (likely “ByteCode-to-Compilation”) takes Python functions and converts them into C code, which then gets compiled into machine instructions. It’s like translating a book into another language, then shredding the original — you can still figure out what it said, but it takes a lot more work.

The Deobfuscation Journey

Security researchers had to go through several steps to actually analyze this malware:

  1. Extract from PyInstaller using the pyi-archive_viewer utility
  2. Restore the bytecode header (PyInstaller strips it out)
  3. Decompile with Pycdc to get somewhat readable Python
  4. Extract AES keys from the Pyarmor runtime DLL
  5. Decrypt the protected code using those keys

The encryption key they found was 273b1b1373cf25e054a61e2cb8a947b8 — tied to the specific Pyarmor license (number 007444) that the malware authors used.

Oh, and there’s one interesting detail: the malware has a built-in expiration date of October 31, 2026. After that, it’ll just stop working. Apparently even malware has an end-of-life date.

Technical Indicators for Security Folks

If you’re a security professional trying to detect or analyze VVS Stealer, here are some things to look for:

User-Agent String (hardcoded in all HTTP requests):

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36

Pyarmor Indicators:

  • Version: 9.1.4 Pro
  • License Number: 007444
  • Build Timestamp: 2025-04-27T11:04:52.523525

File Indicators:

  • Creates ZIP files named <USERNAME>_vault.zip
  • Drops files in the Windows Startup folder
  • Modifies Discord’s discord_desktop_core directory

Network Indicators:

  • Exfiltration via Discord webhook POST requests
  • JSON-formatted data payloads
  • Queries to ipify service for IP detection
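As an added example (not from the Unit 42 report), here is a small detector that applies the network indicators above to web-proxy log lines. The log format and the sample lines are constructed for this example; the User-Agent string and the webhook and ipify endpoints are the ones this section lists. The URL pattern used for Discord webhooks (covering discord.com and discordapp.com, with an optional API version) is an assumption of the example, as is the severity scale.

```python
"""Added example (not from the Unit 42 write-up): match the network indicators
against proxy log lines. Log format and sample lines are constructed here."""
import re
from dataclasses import dataclass

# Hardcoded User-Agent the stealer sends with every HTTP request (from the report).
VVS_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
)

# Constructed proxy log format: <timestamp> <client_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Assumption: webhook URLs live under /api/webhooks/ (optionally versioned)
# on discord.com or discordapp.com. This pattern is ours, not from the report.
WEBHOOK_RE = re.compile(r"^https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/", re.I)
IPIFY_RE = re.compile(r"^https?://api\.ipify\.org(?:/|$)", re.I)


@dataclass
class Finding:
    client: str
    kind: str      # "webhook" or "ipify"
    severity: str  # "high", "medium" or "low" (scale chosen for this example)
    line: str


def classify(line: str):
    """Return a Finding for one log line, or None if it matches no indicator."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    client, method, url, ua = m["client"], m["method"], m["url"], m["ua"]
    if method == "POST" and WEBHOOK_RE.match(url):
        # Webhook POSTs are routine for legitimate bots, so the hardcoded
        # User-Agent is what lifts this from low to high confidence.
        severity = "high" if ua == VVS_USER_AGENT else "low"
        return Finding(client, "webhook", severity, line)
    if IPIFY_RE.match(url) and ua == VVS_USER_AGENT:
        # An IP lookup with the stealer's User-Agent is suspicious on its own.
        return Finding(client, "ipify", "medium", line)
    return None


def scan(lines):
    """Run classify over an iterable of log lines and keep the hits."""
    return [f for f in (classify(line) for line in lines) if f is not None]


def correlate(findings):
    """Clients that did both the ipify lookup and a webhook POST, which is the
    stealer's order of operations: learn the victim IP, then exfiltrate."""
    kinds = {}
    for f in findings:
        kinds.setdefault(f.client, set()).add(f.kind)
    return {client for client, seen in kinds.items() if {"ipify", "webhook"} <= seen}


# Constructed sample log lines for this example (not real traffic).
SAMPLE_LOG = [
    f'2025-05-01T10:00:01Z 10.0.0.5 GET https://api.ipify.org/?format=json 200 "{VVS_USER_AGENT}"',
    f'2025-05-01T10:00:03Z 10.0.0.5 POST https://discord.com/api/webhooks/123/PLACEHOLDER_TOKEN 204 "{VVS_USER_AGENT}"',
    '2025-05-01T10:00:05Z 10.0.0.7 GET https://discord.com/api/v9/users/@me 200 "DiscordClient/1.0"',
    '2025-05-01T10:00:09Z 10.0.0.9 POST https://discord.com/api/webhooks/456/PLACEHOLDER_TOKEN 204 "curl/8.0"',
    '2025-05-01T10:00:12Z 10.0.0.5 GET https://example.com/ 200 "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f.severity, f.client, f.kind)
    print("ipify + webhook from the same client:", correlate(found))
```

On the sample input, 10.0.0.5 produces a medium ipify hit followed by a high webhook hit and is the only client flagged by correlate; 10.0.0.9's webhook POST from curl stays low, since legitimate automation posts to Discord webhooks all the time, and 10.0.0.7's ordinary API call is ignored.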

How to Protect Yourself

Okay, so how do you actually stay safe from something like this? Here are some practical steps:

Be careful what you download. This is the big one. VVS Stealer typically spreads through social engineering — someone sends you a “cool tool” or “free game hack” on Discord or Telegram, and it turns out to be malware. If something seems too good to be true, it probably is.

Keep your security software updated. Yes, this malware uses fancy obfuscation, but security vendors are constantly updating their detection capabilities. Make sure your antivirus is current and actually running.

Use two-factor authentication on Discord. Enable 2FA with an authenticator app (not SMS). It won’t completely protect you if your session gets hijacked, but it adds another hurdle for attackers.

Check your Discord authorized apps regularly. Go to User Settings → Authorized Apps and remove anything you don’t recognize. Do this periodically, not just when you suspect something’s wrong.

Consider using a dedicated password manager. Browser-stored passwords are a prime target for stealers like this. A standalone password manager usually has additional security measures that make extraction harder.

Be skeptical of unexpected error messages. If you run something new and immediately get a weird error asking you to restart, that’s a red flag. The actual program might have done its damage already.

Monitor for unusual activity. Keep an eye out for unexpected logouts, password change notifications you didn’t initiate, or friends telling you your account is acting weird.

The Bigger Picture

VVS Stealer is part of a growing trend of malware specifically targeting communication platforms like Discord. As Discord has become the go-to hangout for gaming communities, crypto groups, and countless other online communities, it’s become an attractive target for cybercriminals.

The use of commercial tools like Pyarmor for obfuscation shows that malware authors are getting more sophisticated. They’re essentially using the same protection techniques that legitimate software developers use — just for much less legitimate purposes.

For Discord and other platforms, this means there’s pressure to implement stronger protections against token theft and session hijacking. For users, it means staying vigilant about what you download and being aware that threats like this exist.

The cat-and-mouse game between attackers and defenders continues. Security researchers find ways to deobfuscate malware, and malware authors find new ways to hide their code. In the meantime, the best thing you can do is practice good security hygiene and keep your guard up.

Stay safe out there.


Source: Palo Alto Networks Unit 42 - VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion