A technical analysis by Palo Alto Networks Unit 42 found that a Python-based malware family called VVS stealer, marketed on Telegram as early as April 2025, targets Discord users and exfiltrates account tokens and browser data, including saved passwords.
KEY FACTS
- Incident: VVS stealer targets Discord accounts and web browsers to harvest tokens and credentials
- Delivery: Advertised for sale on Telegram from April 2025
- Obfuscation: Packaged with PyInstaller and protected by Pyarmor with BCC mode and AES-128-CTR encryption
- Exfiltration: Sends data via HTTP POST to Discord webhook endpoints
The analyzed sample was a PyInstaller package that included a Pyarmor runtime indicating version 9.1.4 and a Python 3.11 runtime. Pyarmor protection wrapped encrypted bytecode and encrypted string constants and included a compiled ELF with BCC functions that implement parts of the original logic.
The malware searches LevelDB files for encrypted Discord tokens carrying the known prefix, decrypts the encrypted_key from the browser's Local State file via the Windows DPAPI, and uses AES-GCM to recover the tokens. Decrypted tokens are then used to query Discord API endpoints for user and billing information, and the results are exfiltrated in JSON format to predefined webhook URLs.
For persistence and active session hijacking, the sample kills Discord processes, drops an obfuscated JavaScript payload into Discord's ASAR application files, hooks application events, and restarts Discord via its updater. The sample also copies itself to the Windows Startup folder and displays a fake fatal error dialog to the user.
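The behaviours described above (killing Discord, rewriting its ASAR files, dropping a copy into the Startup folder, and posting to a Discord webhook) are individually noisy but together form a distinctive pattern. As an added defender-side illustration that is not part of the Unit 42 report, the following Python correlates constructed Sysmon-style events per actor process; the event schema, process names, and file paths are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed telemetry (not from the report): (actor process image, event type, target).
# "stealer.exe" is a placeholder for an unknown PyInstaller-built binary.
SAMPLE_EVENTS = [
    ("C:\\Users\\u\\Downloads\\stealer.exe", "proc_terminate", "C:\\Users\\u\\AppData\\Local\\Discord\\app-1.0.0\\Discord.exe"),
    ("C:\\Users\\u\\Downloads\\stealer.exe", "file_write", "C:\\Users\\u\\AppData\\Local\\Discord\\app-1.0.0\\modules\\core\\core.asar"),
    ("C:\\Users\\u\\Downloads\\stealer.exe", "file_write", "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\stealer.exe"),
    ("C:\\Users\\u\\Downloads\\stealer.exe", "http_post", "https://discord.com/api/webhooks/0000/placeholder"),
    # Benign: Discord's own updater rewriting its ASAR and restarting the client.
    ("C:\\Users\\u\\AppData\\Local\\Discord\\Update.exe", "file_write", "C:\\Users\\u\\AppData\\Local\\Discord\\app-1.0.0\\modules\\core\\core.asar"),
    ("C:\\Users\\u\\AppData\\Local\\Discord\\Update.exe", "proc_terminate", "C:\\Users\\u\\AppData\\Local\\Discord\\app-1.0.0\\Discord.exe"),
    # Benign: a single webhook post from an unrelated chat integration.
    ("C:\\Program Files\\Integrations\\notify.exe", "http_post", "https://discord.com/api/webhooks/0000/placeholder"),
]

WEBHOOK_RE = re.compile(r"^https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/", re.I)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
ASAR_RE = re.compile(r"\\discord\\.*\.asar$", re.I)
DISCORD_EXE_RE = re.compile(r"\\discord\.exe$", re.I)
DISCORD_DIR_RE = re.compile(r"\\discord\\", re.I)


def classify(actor, etype, target):
    """Map one event to a behaviour tag, or None if it is not of interest."""
    # Discord's installer/updater legitimately kills and rewrites Discord. This
    # path-based exclusion is weak (a copy dropped under the Discord folder would
    # evade it); a signer check on the actor image is the stronger control.
    if DISCORD_DIR_RE.search(actor):
        return None
    if etype == "proc_terminate" and DISCORD_EXE_RE.search(target):
        return "kills_discord"
    if etype == "file_write" and ASAR_RE.search(target):
        return "modifies_discord_asar"
    if etype == "file_write" and STARTUP_RE.search(target):
        return "startup_persistence"
    if etype == "http_post" and WEBHOOK_RE.match(target):
        return "discord_webhook_post"
    return None


def correlate(events, min_behaviors=2):
    """Return {actor: sorted behaviour tags} for actors showing >= min_behaviors distinct tags."""
    seen = defaultdict(set)
    for actor, etype, target in events:
        tag = classify(actor, etype, target)
        if tag:
            seen[actor].add(tag)
    return {a: sorted(t) for a, t in seen.items() if len(t) >= min_behaviors}
```

A lone webhook post or a single ASAR write from the updater produces no alert; only the actor that combines several of the reported behaviours is flagged.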
Protections listed in the report include Advanced WildFire, Advanced URL Filtering, DNS Security, and endpoint prevention from Cortex XDR and XSIAM. For urgent matters, use the incident response contact information provided in the report.
WHY IT MATTERS
The combination of common Python packaging and strong obfuscation reduces visibility and increases the effort required to detect and analyse the threat. Compromised Discord tokens and harvested browser credentials can enable account takeover and payment misuse.