The Discord Hijacker: VVS Stealer Uses PyArmor to Evade EDR
A detailed technical analysis of the malware known as VVS Stealer, also referred to as VVS $tealer, has surfaced online. This data-stealing tool is written in Python and primarily targets Discord users. It siphons tokens, credentials, and browser data, and is also capable of hijacking active sessions. The malware was aggressively promoted via Telegram and has been sold since at least April 2025, with development appearing particularly active for a period of time.
Researchers from Palo Alto Networks’ Unit 42 note that VVS Stealer’s defining characteristic is its obfuscation strategy. The malware’s code is protected with PyArmor, a Python obfuscation tool built for legitimate intellectual-property protection; here it is used to complicate analysis and defeat signature-based detection. Obfuscation of this kind blunts static analysis and file signatures, not behavioral telemetry: the process terminations, file writes and outbound webhook traffic described below remain observable on the endpoint. Combined with how easily Python lets attackers assemble a stealer, this makes VVS Stealer an effective and stealthy malware family.
The malware is distributed as a PyInstaller bundle with the Python bytecode embedded inside it. PyInstaller stores the entry-point script as a raw marshalled code object without the standard .pyc header, so analysts had to extract the payload, prepend a header whose magic number matches the bundled interpreter, and only then decompile the bytecode back to readable Python. A further layer comes from PyArmor’s BCC mode, in which parts of Python functions are translated into C, compiled to machine code, and stored in a separate ELF file. The linkage between the remaining Python code and these compiled functions is deliberately obscured.
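The header-reconstruction step is easy to get wrong, so here is an added example of what it involves. This is illustrative code written for this page, not Unit 42’s tooling or anything from the malware: it builds the 16-byte PEP 552 header, prepends it to a header-less marshalled code object (the form PyInstaller extraction tools hand you for the entry script), validates the magic number and unmarshals the result. The sample bytecode is compiled from a constructed snippet on the spot; the magic number used is that of the running interpreter, which is the assumption a real triage must verify against the Python version bundled in the sample.

```python
import importlib.util
import marshal
import struct

# Python 3.7+ (PEP 552) .pyc header: 4-byte magic, 4-byte flags,
# 4-byte source mtime, 4-byte source size, all little-endian.
HEADER_SIZE = 16


def build_pyc_header(magic=importlib.util.MAGIC_NUMBER, flags=0, mtime=0, source_size=0):
    """Return a 16-byte .pyc header. PyInstaller stores the entry-point script
    without one, so it must be prepended before decompilers or marshal accept it."""
    return magic + struct.pack("<III", flags, mtime, source_size)


def restore_pyc(headerless_code, magic=importlib.util.MAGIC_NUMBER):
    """Prepend a header to a raw marshalled code object."""
    return build_pyc_header(magic) + headerless_code


def load_pyc(pyc_bytes):
    """Check the header, then unmarshal the code object.
    The magic must match the running interpreter; a mismatch means the sample
    was built with a different Python and must be analysed under that version."""
    if len(pyc_bytes) < HEADER_SIZE:
        raise ValueError("truncated .pyc")
    magic = pyc_bytes[:4]
    if magic != importlib.util.MAGIC_NUMBER:
        raise ValueError(f"magic {magic!r} does not match this interpreter")
    return marshal.loads(pyc_bytes[HEADER_SIZE:])


def list_names(code):
    """Global names a code object references: the first thing an analyst greps."""
    return sorted(set(code.co_names))


def demo():
    # Constructed stand-in for a PyInstaller entry script; not VVS Stealer code.
    source = (
        "import os\n"
        "WEBHOOK = 'https://example.invalid/hook'\n"
        "def double(x):\n"
        "    return x * 2\n"
    )
    code = compile(source, "<constructed>", "exec")
    # What extraction tools hand you: the marshalled body with no header.
    headerless = marshal.dumps(code)
    restored = load_pyc(restore_pyc(headerless))
    # Executing is fine here only because the input is constructed; real
    # samples are decompiled or disassembled (dis.dis), never run.
    namespace = {}
    exec(restored, namespace)
    return namespace["double"](21), list_names(restored)


if __name__ == "__main__":
    print(demo())
```

If `load_pyc` rejects the magic, do not patch the bytes to silence it: run the same script under the interpreter version whose magic appears in the bundle, because marshal formats and opcodes differ between releases and decompilers will otherwise produce garbage.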
Once all layers of obfuscation were removed, it became clear that VVS Stealer possesses an extensive feature set. Its primary focus is locating encrypted Discord tokens in the client’s LevelDB store, decrypting them with the Windows Data Protection API (DPAPI), which protects the local encryption key of the Chromium-based Discord client, and then using them to interact with the Discord API. This allows the malware to harvest detailed account information, including email addresses, phone numbers, friend lists, servers, Nitro subscription status, payment methods, and two-factor authentication settings. All collected data is exfiltrated to the attackers via Discord webhooks.
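Because everything leaves the host through Discord webhooks, the exfiltration channel is the most reliable thing to alert on. The following is an added detection example written for this page, not code from the article or from the malware: it runs a webhook-URL matcher over constructed endpoint network-log lines and scores a POST to a webhook by where the originating image lives. The log format (`timestamp pid method url image`) and the severity heuristics are assumptions; adapt them to whatever your proxy or EDR emits.

```python
import re
from pathlib import PureWindowsPath

# Shape of a Discord webhook URL: snowflake id, then a long token.
# Pattern is an assumption based on the public URL form, not a vendor signature.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/(?:v\d+/)?"
    r"webhooks/(\d{17,20})/([A-Za-z0-9_-]{40,})"
)

# Image locations from which a webhook POST is most suspicious (assumed list).
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\startup\\", "\\downloads\\", "\\users\\public\\")


def parse_line(line):
    """Assumed format: '<ts> <pid> <method> <url> <image path>'; image is last so it may contain spaces."""
    ts, pid, method, url, image = line.rstrip("\n").split(None, 4)
    return {"ts": ts, "pid": int(pid), "method": method.upper(), "url": url, "image": image}


def classify(event):
    """Return an alert dict for a POST to a webhook URL, else None."""
    match = WEBHOOK_RE.search(event["url"])
    if not match or event["method"] != "POST":
        return None
    image_lower = event["image"].lower()
    severity = "high" if any(h in image_lower for h in USER_WRITABLE_HINTS) else "medium"
    return {
        "ts": event["ts"],
        "pid": event["pid"],
        "image": PureWindowsPath(event["image"]).name,
        "webhook_id": match.group(1),
        "token": match.group(2)[:6] + "...",  # the token is a secret; never log it whole
        "severity": severity,
    }


def detect(lines):
    """Run the classifier over log lines and return the alerts in order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        alert = classify(parse_line(line))
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log; the paths, ids and token are made up for this example.
SAMPLE_LOG = r"""
2025-10-01T12:00:01Z 4412 POST https://discord.com/api/v9/channels/123/messages C:\Users\u\AppData\Local\Discord\app-1.0.9\Discord.exe
2025-10-01T12:00:05Z 5120 POST https://discord.com/api/webhooks/112233445566778899/aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789_-aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789 C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
2025-10-01T12:00:09Z 2200 GET https://discord.com/channels/@me C:\Program Files\Google\Chrome\Application\chrome.exe
2025-10-01T12:00:14Z 6001 POST https://discord.com/api/webhooks/998877665544332211/zYxWvUtSrQpOnMlKjIhGfEdCbA9876543210_-zYxWvUtSrQpOnMlKjIhGfEdCbA9876543210 C:\Python312\python.exe
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The URL path is only visible where you have endpoint network telemetry or TLS inspection; with DNS or SNI alone every request to discord.com looks alike, so an alert keyed on the `/api/webhooks/` path is the discriminating signal worth collecting. The webhook id is safe to keep for pivoting, and the matched token is worth preserving in a vault rather than the log, since it can be used to pull the channel down or to ask Discord to revoke it.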
Particularly noteworthy is the malware’s ability to inject itself into the Discord client. It terminates running Discord processes, replaces JavaScript files, and implants an obfuscated script that monitors user activity. This script can intercept password changes, the addition of payment details, and the viewing of backup codes, quietly transmitting this information to the attacker. Discord is then relaunched, and the user typically remains unaware of any tampering.
Beyond Discord, VVS Stealer harvests data from a wide range of popular browsers, including Chrome, Edge, Firefox, Opera, Brave, Vivaldi, and Yandex Browser. It extracts passwords, cookies, browsing history, and autofill data, compresses them into an archive, and sends them through the same exfiltration channel. To maintain persistence, the malware copies itself into the Windows startup directory, allowing it to survive system reboots and even Discord reinstallation.
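The client injection and the Startup-folder persistence both leave file-system artifacts, so a host triage can check for them directly. Below is an added example of such a check, written for this page and not taken from the article or the malware: it hashes the JavaScript under a Discord module tree against a known-clean snapshot to surface modified or added scripts, and lists raw executables or scripts sitting in the Startup folder. The directory layout, file names and the injected content are constructed inside a temporary directory; on a real host point `hash_tree` at the installed client’s module directory (an assumption about layout, so verify the path for the version in use) and `scan_startup` at the per-user and all-users Startup folders.

```python
import hashlib
import tempfile
from pathlib import Path

# A shortcut (.lnk) is normal in Startup; a raw binary or script is not.
SUSPICIOUS_STARTUP_EXT = {".exe", ".py", ".pyw", ".bat", ".cmd", ".vbs", ".js", ".scr"}


def hash_tree(root, suffixes=(".js",)):
    """SHA-256 of every file under root with a listed suffix, keyed by relative POSIX path."""
    root = Path(root)
    digests = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Split files into modified, added and removed relative to a known-good snapshot."""
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def scan_startup(startup_dir):
    """Names of raw executables or scripts dropped into a Startup folder."""
    return sorted(
        p.name for p in Path(startup_dir).iterdir()
        if p.is_file() and p.suffix.lower() in SUSPICIOUS_STARTUP_EXT
    )


def demo():
    """Constructed layout standing in for a Discord install; nothing here is real malware."""
    with tempfile.TemporaryDirectory() as tmp:
        client = Path(tmp) / "discord"
        modules = client / "modules" / "discord_desktop_core"
        modules.mkdir(parents=True)
        index = modules / "index.js"
        index.write_text("module.exports = require('./core.asar');\n")
        baseline = hash_tree(client)  # snapshot taken while the client is known clean

        # Mimic the tampering the article describes: the client's own script is
        # rewritten to load an extra monitoring script dropped next to it.
        index.write_text("require('./inject.js');\nmodule.exports = require('./core.asar');\n")
        (modules / "inject.js").write_text("// constructed placeholder, not the real payload\n")
        report = diff_baseline(baseline, hash_tree(client))

        startup = Path(tmp) / "Startup"
        startup.mkdir()
        (startup / "desktop.ini").write_text("[.ShellClassInfo]\n")
        (startup / "Discord Update.lnk").write_bytes(b"L\x00\x00\x00")
        (startup / "update.exe").write_bytes(b"MZ")  # constructed: a raw copy in Startup
        report["startup"] = scan_startup(startup)
        return report


if __name__ == "__main__":
    print(demo())
```

The baseline is the weak point: take it from a fresh install or from package hashes you trust, not from a machine that may already be infected, and re-take it after every client update since the module files legitimately change then.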
To further conceal its activity, VVS Stealer displays a fake critical error message prompting the user to restart the computer. This creates the illusion of a system malfunction and diverts attention from the malware’s real operations. Notably, the sample includes a built-in kill date and ceases execution after the end of October 2026.
Researchers emphasize that VVS Stealer starkly illustrates how legitimate code-protection tools are increasingly repurposed to create stealthy, hard-to-analyze malware. Its emergence is yet another warning sign for security professionals, underscoring the need for heightened monitoring of credential theft and account compromise across widely used online services.