Cybersecurity researchers have disclosed details of a new Python-based information stealer called VVS Stealer (also styled as VVS $tealer) that's capable of harvesting Discord credentials and tokens.
The stealer is said to have been on sale on Telegram as far back as April 2025, according to a report from Palo Alto Networks Unit 42.
"VVS stealer's code is obfuscated by Pyarmor," researchers Pranay Kumar Chhaparwal and Lee Wei Yeong said. "This tool is used to obfuscate Python scripts to hinder static analysis and signature-based detection. Pyarmor can be used for legitimate purposes and also leveraged to build stealthy malware."
Advertised on Telegram as the "ultimate stealer," it's available for €10 ($11.69) for a weekly subscription. It can also be purchased at different pricing tiers: €20 ($23) for a month, €40 ($47) for three months, €90 ($105) for a year, and €199 ($232) for a lifetime license, making it one of the cheapest stealers for sale.
According to a report published by Deep Code in late April 2025, the stealer is believed to be the work of a French-speaking threat actor, who is also active in stealer-related Telegram groups such as Myth Stеaler and Еуes Steаlеr GC.
The Pyarmor-protected VVS Stealer malware is distributed as a PyInstaller package. Once launched, the stealer sets up persistence by adding itself to the Windows Startup folder to ensure that it's automatically launched following a system reboot.
It also displays fake "Fatal Error" pop-up alerts that instruct users to restart their computers to resolve an error and steal a wide range of data -
- Discord data (tokens and account information)
- Web browser data from Chromium and Firefox (cookies, history, passwords, and autofill information)
- Screenshots
VVS Stealer is also designed to perform Discord injection attacks so as to hijack active sessions on the compromised device. To achieve this, it first terminates the Discord application, if it's already running. Then, it downloads an obfuscated JavaScript payload from a remote server that's responsible for monitoring network traffic via the Chrome DevTools Protocol (CDP).
"Malware authors are increasingly leveraging advanced obfuscation techniques to evade detection by cybersecurity tools, making their malicious software harder to analyze and reverse-engineer," the company said. "Because Python is easy for malware authors to use and the complex obfuscation used by this threat, the result is a highly effective and stealthy malware family."
The disclosure comes as Hudson Rock detailed how threat actors are using information stealers to siphon administrative credentials from legitimate businesses and then leverage their infrastructure to distribute the malware via ClickFix-style campaigns, creating a self-perpetuating loop.
"A significant percentage of domains hosting these campaigns are not malicious infrastructure set up by attackers, but legitimate businesses whose administrative credentials were stolen by the very infostealers they are now distributing," the company said.
