Cybersecurity researchers have uncovered a new Python-based information-stealing malware known as VVS Stealer, also referred to as VVS $tealer, which is actively targeting Discord users by harvesting account credentials and authentication tokens.
According to an analysis published by Palo Alto Networks Unit 42, this stealer has been circulating in underground Telegram channels since at least April 2025. Researchers Pranay Kumar Chhaparwal and Lee Wei Yeong reported that the malware uses Pyarmor to heavily obfuscate its source code, a technique designed to block static analysis and evade signature-based security detection. While Pyarmor has legitimate use cases, threat actors are increasingly abusing it to develop stealthy malware.
VVS Stealer is openly marketed on Telegram as the so-called “ultimate stealer” and is sold through a subscription model. Pricing reportedly starts at €10 per week, with longer plans available for monthly, quarterly, yearly, and even lifetime access. This aggressive pricing strategy positions it among the most affordable stealers currently available in the cybercrime ecosystem.
A separate investigation by Deep Code, released in late April 2025, suggests the malware is operated by a French-speaking threat actor. The individual is believed to be active across multiple stealer-focused Telegram communities, including groups associated with Myth Stealer and Eyes Stealer.
The malware is distributed as a PyInstaller-packaged executable. Once executed, it establishes persistence on Windows systems by copying itself into the Startup folder, ensuring automatic execution after a system reboot.
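
A defender's triage check for the persistence method described above, as an added example that is not from the Unit 42 analysis or this article's sources: it lists executables in the Windows Startup folders that carry PyInstaller's archive marker. The function names and sample files are constructed for illustration, and a match only means a PyInstaller-packed program is set to autostart, which calls for review and is not by itself proof of VVS Stealer.

```python
import os
import tempfile
from pathlib import Path

MZ = b"MZ"                               # DOS/PE header magic
PYI_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"  # PyInstaller CArchive cookie magic
CHUNK = 1 << 20                          # read size for scanning large files

def startup_dirs(env=os.environ):
    """Per-user and all-users Startup folders on Windows."""
    rel = Path("Microsoft", "Windows", "Start Menu", "Programs", "Startup")
    return [Path(env[v]) / rel for v in ("APPDATA", "PROGRAMDATA") if v in env]

def is_pyinstaller_pe(path):
    """True if the file starts with MZ and contains the PyInstaller cookie."""
    with open(path, "rb") as fh:
        if fh.read(2) != MZ:
            return False
        tail = b""
        while chunk := fh.read(CHUNK):
            if PYI_COOKIE in tail + chunk:
                return True
            # Keep an overlap so a cookie split across two reads is still found.
            tail = (tail + chunk)[-(len(PYI_COOKIE) - 1):]
    return False

def audit(dirs):
    """Return sorted paths of PyInstaller-packed PE files found in dirs."""
    hits = []
    for d in dirs:
        if d.is_dir():
            hits += [p for p in d.iterdir() if p.is_file() and is_pyinstaller_pe(p)]
    return sorted(hits)

def demo():
    """Run the audit over constructed sample files (placeholders, not malware)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "updater.exe").write_bytes(MZ + b"\0" * 4096 + PYI_COOKIE + b"\0" * 80)
        (d / "plain.exe").write_bytes(MZ + b"\0" * 4096)   # PE without the cookie
        (d / "app.lnk").write_bytes(b"L\0\0\0" + PYI_COOKIE)  # cookie, but not a PE
        return [p.name for p in audit([d])]

if __name__ == "__main__":
    print("constructed demo:", demo())
    for hit in audit(startup_dirs()):
        print("review:", hit)
```

Legitimate Startup entries are usually shortcuts, so any executable found there deserves a closer look, with or without the PyInstaller marker.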

To deceive victims, the malware displays fake “Fatal Error” pop-up messages prompting users to restart their systems. During this process, it silently collects a wide range of sensitive data: Discord tokens and account details; browser information from Chromium and Firefox, such as cookies, saved passwords, browsing history, and autofill data; and screenshots of the infected system.
VVS Stealer also supports Discord injection attacks aimed at hijacking active user sessions. It begins by forcefully closing the Discord application if it is running, then downloads an obfuscated JavaScript payload from a remote server. This payload monitors network traffic using the Chrome DevTools Protocol (CDP), allowing attackers to intercept sensitive session data.
Security experts warn that malware developers are rapidly advancing their obfuscation techniques to stay ahead of detection mechanisms. The combination of Python’s ease of use and sophisticated code protection has resulted in a highly evasive and effective malware family.
This development follows recent disclosures by Hudson Rock, which highlighted how information stealers are being used to extract administrative credentials from legitimate organizations. Attackers then exploit those compromised environments to host and distribute malware through ClickFix-style campaigns, creating a continuous infection cycle. Alarmingly, many of the domains involved in these campaigns belong to real businesses whose systems were compromised by the same stealers they are unknowingly helping to spread.


