Jan 05, 2026Ravie LakshmananThreat Intelligence / Home windows Safety
Cybersecurity researchers have disclosed particulars of a brand new Python-based info stealer referred to as VVS Stealer (additionally styled as VVS $tealer) that is able to harvesting Discord credentials and tokens.
The stealer is alleged to have been on sale on Telegram way back to April 2025, in accordance with a report from Palo Alto Networks Unit 42.
“VVS stealer’s code is obfuscated by Pyarmor,” researchers Pranay Kumar Chhaparwal and Lee Wei Yeong mentioned. “This instrument is used to obfuscate Python scripts to hinder static evaluation and signature-based detection. Pyarmor can be utilized for authentic functions and likewise leveraged to construct stealthy malware.”
Marketed on Telegram because the “final stealer,” it is accessible for €10 ($11.69) for a weekly subscription. It can be bought at totally different pricing tiers: €20 ($23) for a month, €40 ($47) for 3 months, €90 ($105) for a 12 months, and €199 ($232) for a lifetime license, making it one of many most cost-effective stealers on the market.
In accordance with a report printed by Deep Code in late April 2025, the stealer is believed to be the work of a French-speaking menace actor, who can also be lively in stealer-related Telegram teams similar to Fable Stеaler and Еуes Steаlеr GC.
The Pyarmor-protected VVS Stealer malware is distributed as a PyInstaller bundle. As soon as launched, the stealer units up persistence by including itself to the Home windows Startup folder to make sure that it is routinely launched following a system reboot.
It additionally shows pretend “Deadly Error” pop-up alerts that instruct customers to restart their computer systems to resolve an error and steal a variety of knowledge –
Discord knowledge (tokens and account info)
Net browser knowledge from Chromium and Firefox (cookies, historical past, passwords, and autofill info)
Screenshots
VVS Stealer can also be designed to carry out Discord injection assaults in order to hijack lively periods on the compromised gadget. To realize this, it first terminates the Discord software, if it is already working. Then, it downloads an obfuscated JavaScript payload from a distant server that is liable for monitoring community visitors through the Chrome DevTools Protocol (CDP).
“Malware authors are more and more leveraging superior obfuscation strategies to evade detection by cybersecurity instruments, making their malicious software program more durable to research and reverse-engineer,” the corporate mentioned. “As a result of Python is straightforward for malware authors to make use of and the advanced obfuscation utilized by this menace, the result’s a extremely efficient and stealthy malware household.”
The disclosure comes as Hudson Rock detailed how menace actors are utilizing info stealers to siphon administrative credentials from authentic companies after which leverage their infrastructure to distribute the malware through ClickFix-style campaigns, making a self-perpetuating loop.
“A major share of domains internet hosting these campaigns should not malicious infrastructure arrange by attackers, however authentic companies whose administrative credentials had been stolen by the very infostealers they’re now distributing,” the corporate mentioned.
