A new Python-based information stealer called VVS Stealer is capable of harvesting Discord credentials and tokens, cybersecurity researchers say. In fact, the stealer seems to have been specifically designed to steal a victim’s Discord data.
According to a report from Palo Alto Networks Unit 42, the malware is advertised on Telegram as the “ultimate stealer” and has been for sale since April 2025.
VVS Stealer is available for $11.69 for a weekly subscription, and it gets progressively cheaper if it’s purchased for longer periods. Of course, it’s illegal but presumably popular, researchers say, because it has quite successfully evaded detection so far.
“VVS Stealer’s code is obfuscated by Pyarmor. This tool is used to obfuscate Python scripts to hinder static analysis and signature-based detection,” researchers Pranay Kumar Chhaparwal and Lee Wei Yeong said in the report.
Sure, Pyarmor can be used for legitimate purposes, but it can also be leveraged to build stealthy malware. However, Palo Alto Networks Unit 42 researchers managed to deobfuscate VVS Stealer samples, thereby gaining a better understanding of its operations.
Discord, a popular social messaging and communications platform, is the sole target for the VVS Stealer, specifically designed to steal a victim’s Discord information and browser data. It’s distributed as a PyInstaller package.
Creators of the malware advertise the stealer as being capable of:
- Stealing Discord data (tokens and account information)
- Intercepting active Discord sessions via injection
- Extracting web browser data (cookies, passwords, browsing history, and autofill details)
The stealer also achieves persistence by automatically installing itself on startup, said the researchers. Once launched, the stealer adds itself to the Windows Startup folder to ensure that it’s automatically launched following a system reboot
VVS Stealer operates stealthily by displaying fake “Fatal Error” pop-up messages that instruct users to restart their devices.
“The deobfuscated code revealed a stealer designed not just for data exfiltration, but for active session hijacking and persistence,” the researchers said in the report.
“VVS stealer demonstrates how tools like Pyarmor, which can be used for legitimate purposes, can also be leveraged to build stealthy malware aimed at hijacking credentials for popular platforms such as Discord.”
According to another report published by Deep Code in late April 2025, the stealer is believed to be the work of a French-speaking threat actor, who is also active in stealer-related Telegram groups such as Myth Stеaler and Еуes Steаlеr GC.
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked