Discord users are facing a growing threat from VVS Stealer, a Python-based information-stealing malware that targets sensitive account data, including credentials and tokens.
This stealer has been actively advertised on Telegram since at least April 2025, promoting its ability to steal Discord data, hijack active sessions via injection, and extract web browser information such as cookies, passwords, browsing history, and autofill details.
The malware is distributed as a PyInstaller package and uses Pyarmor version 9.1.4 (Pro) to obfuscate its code, making it harder for security tools to detect and analyze.
Palo Alto Networks researchers noted that VVS Stealer represents a serious threat because it combines the ease of Python development with advanced obfuscation techniques.
The malware authors have created an effective and stealthy tool that can bypass many traditional security measures.
When a victim runs the infected file, VVS Stealer begins collecting Discord tokens, account information, payment methods, user IDs, usernames, email addresses, phone numbers, friends lists, server memberships, and even checks whether two-factor authentication is enabled.
The stolen data is sent to attackers via Discord webhooks, which are simple channels for posting messages without requiring bot authentication.
Overview of the workflow for analyzing the VVS Stealer malware sample (Source – Palo Alto Networks)
After stealing the initial Discord data, the malware takes control by killing any running Discord processes and injecting a malicious JavaScript payload into the Discord application directory.
This injection allows VVS Stealer to monitor network traffic using the Chrome DevTools Protocol and intercept important user actions such as viewing backup codes, changing passwords, or adding payment methods.
The injected code is built on the Electron framework and creates event hooks that automatically collect and send user account and billing information whenever these actions occur.
The stealer also targets several web browsers, including Chrome, Firefox, Edge, Brave, Opera, and Yandex.
From these browsers, it extracts autofill data, cookies, browsing history, and saved passwords. All collected browser data is compressed into a single ZIP file named with the victim's username and sent to attackers via HTTP POST requests to predefined webhook endpoints.
Equivalent Python code of the get_encryption_key method (Source – Palo Alto Networks)
To maintain access, VVS Stealer copies itself to the Windows Startup folder, ensuring it runs every time the computer starts. This persistence mechanism allows the malware to continue stealing data even if the victim reinstalls Discord or changes their passwords.
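The two host-side behaviours described above (a JavaScript payload dropped into the Discord application directory and a copy of the stealer in the Startup folder) both leave artifacts on disk that a responder can check for. The following Python triage script is an added example, not code from the article or from Palo Alto Networks. It assumes the stock Discord desktop-core loader is a one-line file that only requires core.asar, and the injection-marker strings and the tampered sample layout it builds in a temporary directory are constructed for this example; on a real host you would point the two check functions at %LOCALAPPDATA%\Discord and the user's Startup folder.

```python
"""Host-side triage for a tampered Discord desktop-core loader (injection
target) and an unexpected executable in the Windows Startup folder
(persistence). Added example; not code from the article or from Palo Alto
Networks. Sample layout below is constructed."""
from __future__ import annotations

import tempfile
from pathlib import Path

# ASSUMPTION: Discord's stock discord_desktop_core/index.js is a one-line
# loader that only requires core.asar. Anything longer means the file was
# appended to or replaced, which is how Electron-level injection into the
# Discord application directory typically lands.
EXPECTED_INDEX_JS = "module.exports = require('./core.asar');"

# Heuristic strings the hooks described in the article would plausibly need
# (Electron access, DevTools Protocol network events, webhook exfiltration).
# Chosen for this example; not indicators published on the page.
INJECTION_MARKERS = (
    "require('electron')",
    "debugger",
    "Network.",
    "/api/webhooks/",
)

# File types that should rarely appear in a user's Startup folder.
STARTUP_SUSPICIOUS_EXT = {".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk"}


def check_discord_core(discord_root: Path) -> list[dict]:
    """One finding per desktop-core loader that differs from the stock one."""
    findings = []
    pattern = "app-*/modules/discord_desktop_core-*/discord_desktop_core/index.js"
    for index_js in sorted(discord_root.glob(pattern)):
        content = index_js.read_text(encoding="utf-8", errors="replace")
        if content.strip() == EXPECTED_INDEX_JS:
            continue
        findings.append({
            "path": index_js.relative_to(discord_root).as_posix(),
            "size": len(content),
            "markers": [m for m in INJECTION_MARKERS if m in content],
        })
    return findings


def check_startup_folder(startup_dir: Path) -> list[str]:
    """Names of Startup-folder files with an executable-style extension."""
    return sorted(
        p.name for p in startup_dir.iterdir()
        if p.is_file() and p.suffix.lower() in STARTUP_SUSPICIOUS_EXT
    )


def build_sample_host(root: Path) -> tuple[Path, Path]:
    """Constructed layout: one clean Discord build, one tampered build, and a
    Startup folder holding a dropped (fake) copy of the stealer."""
    discord = root / "Discord"
    tampered = (
        EXPECTED_INDEX_JS + "\n"
        "const { app } = require('electron');\n"
        "// constructed stand-in for an injected hook\n"
        "const WEBHOOK = 'https://discord.com/api/webhooks/000/constructed';\n"
        "const EVENT = 'Network.responseReceived'; // via debugger session\n"
    )
    for build, body in (("app-1.0.9001", EXPECTED_INDEX_JS + "\n"),
                        ("app-1.0.9002", tampered)):
        core = discord / build / "modules" / "discord_desktop_core-1" / "discord_desktop_core"
        core.mkdir(parents=True)
        (core / "index.js").write_text(body, encoding="utf-8")
    startup = root / "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"
    startup.mkdir(parents=True)
    (startup / "desktop.ini").write_text("[.ShellClassInfo]\n")  # benign, always present
    (startup / "vvs_update.exe").write_bytes(b"MZ constructed placeholder")
    return discord, startup


def triage_sample_host() -> dict:
    """Run both checks against the constructed layout and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        discord, startup = build_sample_host(Path(tmp))
        return {
            "discord_core": check_discord_core(discord),
            "startup": check_startup_folder(startup),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_sample_host(), indent=2))
```

A modified loader is worth treating as an incident regardless of which markers fire: the stock file has no reason to change between Discord updates other than a version bump of the surrounding directory, and reinstalling Discord only helps if the Startup-folder copy is removed too, since the article notes the stealer re-injects on each run.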
Technical Breakdown of the Infection Mechanism
The malware sample analyzed by researchers has the SHA-256 hash c7e6591e5e021daa30f949a6f6e0699ef2935d2d7c06ea006e3b201c52666e07 and expires after October 31, 2026.
Injected JS configuration and exfiltration (Source – Palo Alto Networks)
The stealer uses PyInstaller to bundle Python code and dependencies into a single executable file.
Security researchers extracted key components using the built-in pyi-archive_viewer utility, including the Python bytecode file named vvs, the Pyarmor runtime DLL file pyarmor_runtime.pyd, and configuration details showing license number 007444 and timestamp 2025-04-27T11:04:52.523525.
To hide its operations, VVS Stealer uses AES-128-CTR encryption with specific keys and values.
The encryption key 273b1b1373cf25e054a61e2cb8a947b8 was extracted from the Pyarmor runtime DLL, while the nonce XOR key 2db99d18a0763ed70bbd6b3c is specific to each payload.
A fake message box instructing the victim to restart the computer (Source – Palo Alto Networks)
All network requests use the fixed User-Agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36.
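Two network-side facts on this page are usable for detection: exfiltration goes out as HTTP POSTs to Discord webhook endpoints, and every request carries the same fixed User-Agent string. The Python below is an added example, not code from the article or from Palo Alto Networks; it runs a simple rule over proxy log lines that are constructed here (the log layout is an assumption for this example, so the LOG_LINE regex would be adapted to a real proxy's format). The severity grading is the point: a webhook POST alone has legitimate uses, and the User-Agent alone is an ordinary Chrome 115 string, so only the combination is rated high.

```python
"""Detect VVS-style exfiltration in proxy logs: POSTs to Discord webhooks
combined with the fixed User-Agent reported for the stealer. Added example;
not code from the article or from Palo Alto Networks. Log format and sample
lines are constructed for this example."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Fixed User-Agent reported for VVS Stealer.
VVS_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
)

# Discord webhook URLs (discord.com, or the older discordapp.com host).
WEBHOOK_URL = re.compile(
    r"^https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"
)

# ASSUMED log layout: ts client method url status bytes "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)

# Constructed sample: normal Discord use, a VVS-like exfil POST, a CI bot
# posting to a webhook, an unrelated client with the same UA, and a junk line.
SAMPLE_LOG = """\
2025-05-01T10:00:01Z 10.0.0.5 GET https://discord.com/api/v9/users/@me 200 812 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
2025-05-01T10:00:07Z 10.0.0.5 POST https://discord.com/api/webhooks/111111111111111111/constructed-token 204 48213 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
2025-05-01T10:01:15Z 10.0.0.9 POST https://discord.com/api/webhooks/222222222222222222/constructed-token 204 301 "python-requests/2.31.0"
2025-05-01T10:02:30Z 10.0.0.7 GET https://example.test/ 200 1200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
this line is not in the expected format and is skipped
"""


@dataclass
class Alert:
    ts: str
    client: str
    url: str
    severity: str
    reasons: list[str] = field(default_factory=list)


def analyze_log(text: str) -> list[Alert]:
    """Apply the two indicators to each parseable line and grade the result."""
    alerts: list[Alert] = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as alerts
        webhook = m["method"] == "POST" and bool(WEBHOOK_URL.match(m["url"]))
        ua_match = m["ua"] == VVS_USER_AGENT
        reasons = []
        if webhook:
            reasons.append("POST to Discord webhook (no bot auth needed; VVS exfil channel)")
        if ua_match:
            reasons.append("User-Agent equals the fixed VVS Stealer string")
        if webhook and ua_match:
            severity = "high"    # both indicators together
        elif webhook:
            severity = "medium"  # webhooks are also used by CI and alerting bots
        elif ua_match:
            severity = "low"     # a real Chrome 115 UA; weak on its own
        else:
            continue
        alerts.append(Alert(m["ts"], m["client"], m["url"], severity, reasons))
    return alerts


if __name__ == "__main__":
    for a in analyze_log(SAMPLE_LOG):
        print(f"[{a.severity:6}] {a.ts} {a.client} {a.url}")
        for r in a.reasons:
            print(f"         - {r}")
```

The response size on a webhook POST is also informative in practice: the article describes browser data being zipped and uploaded, so a multi-kilobyte POST body to a webhook from a workstation (rather than from a build server) is a reasonable additional signal, and blocking discord.com/api/webhooks/ at the proxy for hosts that have no business reason to post there removes the channel entirely.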
The malware searches for encrypted Discord tokens that begin with dQw4w9WgXcQ: using regular expressions in .ldb or .log files within the LevelDB directory, then decrypts them using the Windows Data Protection API.
