New Python stealer called VVS Stealer harvests Discord tokens and browser data

A new Python-based information stealer named VVS Stealer can harvest Discord credentials and tokens and extract browser data. The tool has been offered for sale on Telegram since April 2025, with subscription tiers starting at €10 per week.

KEY FACTS

  • Incident: A Python-based information stealer targeting Discord credentials and tokens
  • Delivery: Distributed as a PyInstaller package and sold on Telegram
  • Persistence: Installs itself in the Windows Startup folder
  • Capabilities: Exfiltrates Discord tokens, browser cookies, passwords and screenshots

A technical analysis by Palo Alto Networks Unit 42 found that VVS Stealer is a PyInstaller-packaged Python stealer whose code is obfuscated with Pyarmor, and that it was offered for sale on Telegram from April 2025.

The stealer establishes persistence by copying itself to the Windows Startup folder and displays fake “Fatal Error” pop-ups that prompt a restart. It collects Discord tokens and account information and extracts browser cookies, history, saved passwords and autofill data. The malware also captures screenshots.
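A defender can triage the persistence described above by listing executables that sit directly in the Startup folders and marking those that look like PyInstaller bundles. The script below is an added example, not code from Unit 42 or from the article; the function names are illustrative, and it assumes a stock PyInstaller bootloader, whose embedded archive carries the magic bytes `MEI\x0c\x0b\x0a\x0b\x0e`.

```python
"""Triage scan: executables placed in Windows Startup folders, with a PyInstaller check.
Added example; a hit is a lead to investigate, not a verdict."""
import os
from pathlib import Path

# Magic bytes of the archive "cookie" that a stock PyInstaller build appends
# to a bundle (assumption: the bootloader has not been modified).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
STARTUP_SUBPATH = ("Microsoft", "Windows", "Start Menu", "Programs", "Startup")

def startup_dirs(env=os.environ):
    """Per-user and all-users Startup folders derived from the environment."""
    return [Path(env[v]).joinpath(*STARTUP_SUBPATH)
            for v in ("APPDATA", "PROGRAMDATA") if env.get(v)]

def classify(path):
    """Return 'pyinstaller-exe', 'exe', or None for non-PE files (e.g. .lnk)."""
    with open(path, "rb") as fh:
        if fh.read(2) != b"MZ":           # PE files start with the DOS "MZ" header
            return None
        body = fh.read()
    return "pyinstaller-exe" if PYINSTALLER_MAGIC in body else "exe"

def scan(dirs):
    """List (path, kind) for every executable found directly in the given dirs."""
    findings = []
    for d in dirs:
        if not d.is_dir():
            continue
        for p in sorted(d.iterdir()):
            try:
                kind = classify(p) if p.is_file() else None
            except OSError:               # locked or unreadable file: skip it
                continue
            if kind:
                findings.append((p, kind))
    return findings

if __name__ == "__main__":
    for path, kind in scan(startup_dirs()):
        print(f"{kind:16} {path}")
```

Startup folders normally hold `.lnk` shortcuts, so any executable copied there directly deserves a look; legitimate software also ships as PyInstaller bundles, so treat the marker as context rather than proof.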

To hijack active sessions, the code first terminates the Discord application, then downloads an obfuscated JavaScript payload that monitors network traffic via the Chrome DevTools Protocol and performs injection into the Discord process.

The malware is marketed on Telegram with subscription tiers ranging from €10 per week to €199 for a lifetime license. Its low price and heavy obfuscation increase accessibility for less experienced attackers.

WHY IT MATTERS

Targeting session tokens and saved credentials can enable account takeovers and allow attackers to use compromised infrastructure to distribute further malware. Users and organizations should secure credentials, monitor for unauthorized sessions and apply endpoint protections.