[ad_1]
Cybersecurity researchers have disclosed particulars of a brand new Python-based data stealer referred to as VVS Stealer (additionally styled as VVS $tealer) that is able to harvesting Discord credentials and tokens.
The stealer is alleged to have been on sale on Telegram way back to April 2025, in keeping with a report from Palo Alto Networks Unit 42.
“VVS stealer’s code is obfuscated by Pyarmor,” researchers Pranay Kumar Chhaparwal and Lee Wei Yeong mentioned. “This instrument is used to obfuscate Python scripts to hinder static evaluation and signature-based detection. Pyarmor can be utilized for professional functions and in addition leveraged to construct stealthy malware.”
Marketed on Telegram because the “final stealer,” it is obtainable for €10 ($11.69) for a weekly subscription. It can be bought at completely different pricing tiers: €20 ($23) for a month, €40 ($47) for 3 months, €90 ($105) for a 12 months, and €199 ($232) for a lifetime license, making it one of many most cost-effective stealers on the market.
In keeping with a report printed by Deep Code in late April 2025, the stealer is believed to be the work of a French-speaking risk actor, who can be energetic in stealer-related Telegram teams similar to Fantasy Stеaler and Еуes Steаlеr GC.
The Pyarmor-protected VVS Stealer malware is distributed as a PyInstaller bundle. As soon as launched, the stealer units up persistence by including itself to the Home windows Startup folder to make sure that it is mechanically launched following a system reboot.
It additionally shows pretend “Deadly Error” pop-up alerts that instruct customers to restart their computer systems to resolve an error and steal a variety of knowledge –
- Discord information (tokens and account data)
- Net browser information from Chromium and Firefox (cookies, historical past, passwords, and autofill data)
- Screenshots
VVS Stealer can be designed to carry out Discord injection assaults in order to hijack energetic periods on the compromised machine. To realize this, it first terminates the Discord software, if it is already working. Then, it downloads an obfuscated JavaScript payload from a distant server that is accountable for monitoring community visitors through the Chrome DevTools Protocol (CDP).
“Malware authors are more and more leveraging superior obfuscation methods to evade detection by cybersecurity instruments, making their malicious software program more durable to investigate and reverse-engineer,” the corporate mentioned. “As a result of Python is simple for malware authors to make use of and the complicated obfuscation utilized by this risk, the result’s a extremely efficient and stealthy malware household.”
The disclosure comes as Hudson Rock detailed how risk actors are utilizing data stealers to siphon administrative credentials from professional companies after which leverage their infrastructure to distribute the malware through ClickFix-style campaigns, making a self-perpetuating loop.
“A big share of domains internet hosting these campaigns will not be malicious infrastructure arrange by attackers, however professional companies whose administrative credentials had been stolen by the very infostealers they’re now distributing,” the corporate mentioned.
[ad_2]
