VVS Stealer Malware Hijacks Discord Accounts Using Python

Summary
– Cybersecurity researchers have identified a new, cheap Python-based information stealer called VVS Stealer, which is sold on Telegram and targets Discord credentials.
– The malware uses Pyarmor for obfuscation to hinder analysis and detection, and is distributed as a PyInstaller package that establishes persistence on Windows systems.
– VVS Stealer harvests a wide range of data, including Discord tokens, browser data from Chromium and Firefox, and screenshots, while also using fake error pop-ups.
– It performs Discord injection attacks by terminating the app and downloading a JavaScript payload to hijack active sessions via the Chrome DevTools Protocol.
– The disclosure highlights a broader trend where stolen administrative credentials from businesses are used to host and distribute such stealers, creating a self-perpetuating infection cycle.
Cybersecurity experts have identified a new and dangerous piece of malware, known as VVS Stealer, which is actively compromising Discord accounts. This Python-based information stealer is being sold on underground platforms and uses sophisticated obfuscation to hide from security tools, making it a significant threat to both individual users and organizations.
The malware, also advertised as VVS $tealer, has been available for purchase on Telegram since at least April 2025. Research indicates it is being offered at a very low cost, with a weekly subscription priced at just €10. This affordability makes it accessible to a wide range of threat actors. The pricing structure includes €20 for a month, €40 for three months, €90 for a year, and a €199 lifetime license, positioning it as one of the most economical stealers currently on the market.
Analysts believe the stealer is the creation of a French-speaking cybercriminal who is also active in other stealer-focused Telegram communities. To evade detection, the malware’s code is protected using Pyarmor, a tool that obfuscates Python scripts. While Pyarmor has legitimate uses for protecting software, malware authors exploit it to hinder static analysis and make their creations more stealthy.
Distributed as a PyInstaller package, VVS Stealer establishes persistence on an infected Windows machine by adding itself to the Startup folder. This ensures the malware automatically runs after every system reboot. As part of its infection routine, it displays deceptive “Fatal Error” pop-up messages, tricking users into restarting their computers under the guise of fixing a problem.
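A defender-side check for the persistence behaviour described above, added here as an example (it is not code from the article or from the malware): it walks the Windows Startup folders and flags any file that carries a PyInstaller CArchive cookie, whose 8-byte magic and layout are a documented PyInstaller format detail. The Startup paths are derived from the standard `APPDATA` and `PROGRAMDATA` locations, and the sample bytes at the bottom are constructed for the test, not taken from a real binary.

```python
import os
import struct
from pathlib import Path

# PyInstaller appends a CArchive "cookie" to every bundle; this 8-byte magic starts it.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
COOKIE_LEN = 88  # magic(8) + pkg_len, toc_pos, toc_len, pyver (4 x uint32) + 64-byte lib name

def find_pyinstaller_cookie(data: bytes):
    """Return the parsed cookie if `data` looks like a PyInstaller bundle, else None.
    The cookie sits at (or very near) the end of the file, so search from the tail."""
    pos = data.rfind(PYINSTALLER_MAGIC)
    if pos == -1 or pos + COOKIE_LEN > len(data):  # absent or truncated cookie
        return None
    pkg_len, toc_pos, toc_len, pyver = struct.unpack("!IIII", data[pos + 8:pos + 24])
    pylib = data[pos + 24:pos + COOKIE_LEN].split(b"\x00", 1)[0].decode("ascii", "replace")
    return {"package_len": pkg_len, "toc_pos": toc_pos, "toc_len": toc_len,
            "python_version": pyver,  # e.g. 311 for Python 3.11
            "python_lib": pylib}

def startup_folders():
    """Per-user and all-users Startup folders on Windows, derived from the environment."""
    rel = Path("Microsoft/Windows/Start Menu/Programs/Startup")
    roots = [os.environ.get("APPDATA"), os.environ.get("PROGRAMDATA")]
    return [Path(r) / rel for r in roots if r]

def scan_folders(folders):
    """Return (path, cookie) for every regular file in `folders` that is a PyInstaller bundle."""
    hits = []
    for folder in folders:
        if not folder.is_dir():
            continue
        for entry in folder.iterdir():
            if entry.is_file():
                cookie = find_pyinstaller_cookie(entry.read_bytes())
                if cookie:
                    hits.append((entry, cookie))
    return hits

# Constructed sample bytes (not a real binary): a minimal bundle tail and a benign file.
SAMPLE_BUNDLE = (b"MZ" + b"\x00" * 120 + PYINSTALLER_MAGIC
                 + struct.pack("!IIII", 4096, 3000, 512, 311)
                 + b"python311.dll".ljust(64, b"\x00"))
SAMPLE_BENIGN = b"MZ" + b"\x00" * 120 + b"not a bundle"

if __name__ == "__main__":
    for path, cookie in scan_folders(startup_folders()):
        print(f"PyInstaller bundle in Startup: {path} "
              f"(Python {cookie['python_version']}, {cookie['python_lib']})")
```

A hit only means a PyInstaller-packaged program auto-starts for that user; legitimate tools are built the same way, so treat results as triage leads and pair them with the other behaviours the article describes (fake error pop-ups, Discord being killed and relaunched).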
Once active, the stealer harvests a wide array of sensitive data from the compromised system. Its primary targets include Discord tokens and account information, which allow attackers to hijack user sessions. It also extracts data from web browsers like Chrome and Firefox, collecting cookies, browsing history, saved passwords, and autofill details. Additionally, the malware can capture screenshots.
A particularly aggressive feature of VVS Stealer is its ability to perform Discord injection attacks. To hijack an active session, the malware first terminates the Discord application if it is running. It then downloads a malicious, obfuscated JavaScript payload from a remote server. This payload uses the Chrome DevTools Protocol to monitor network traffic, enabling the theft of credentials and session data in real time.
The emergence of VVS Stealer is part of a broader, troubling trend where threat actors use information stealers to create self-sustaining attack cycles. Recent reports detail how criminals use these tools to steal administrative credentials from legitimate companies. They then abuse that company’s infrastructure to distribute more malware, often through deceptive “ClickFix”-style campaigns. This creates a vicious loop where the very businesses victimized by stealers become unwitting platforms for further attacks.
The use of Python, combined with advanced obfuscation, presents a clear challenge for defenders. The language’s accessibility allows even less-skilled threat actors to develop potent malware, while obfuscation tools like Pyarmor make analysis and detection significantly more difficult for security teams. This combination results in a highly effective and evasive family of malware that underscores the need for robust, behavior-based security measures.
(Source: The Hacker News)