
VVS Stealer

Also known as: vvs_$tealer

VVS Stealer (also styled “VVS $tealer”) is a Python-based information-stealing malware family targeting Discord users, marketed for sale on Telegram since at least April 2025. It has been analyzed publicly (including by Palo Alto Networks Unit 42) and is distributed as a Windows executable built with PyInstaller, with heavy obfuscation via PyArmor 9.1.4 (Pro) (including AES-128-CTR-protected code/strings and PyArmor BCC mode).

Core capabilities and behavior reported in the public analysis:

  • Discord credential/token theft: searches LevelDB .ldb/.log artifacts for encrypted Discord tokens (noted prefix “dQw4w9WgXcQ:”), decrypts the Discord “Local State” encrypted_key via Windows DPAPI, then uses AES-GCM to decrypt tokens.
  • Discord account reconnaissance: uses stolen tokens to query Discord APIs for extensive account data (e.g., user ID, username, email, phone, locale, MFA status, verification status, Nitro status, friends, guilds/servers, and billing/payment method details). It also retrieves the victim IP via ipify.
  • Exfiltration: sends collected data (JSON) and stolen browser data via HTTP POST to attacker-controlled Discord webhook endpoints (supports a %WEBHOOK% environment variable and hard-coded fallback webhook URLs). Uses a fixed User-Agent string: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36".
  • Discord client injection/session hijacking: kills running Discord processes and replaces/installs components in the Discord application directory with an obfuscated JavaScript payload (e.g., “injection-obf.js”). The injected code (Electron/Discord context) is described as monitoring network traffic via the Chrome DevTools Protocol and hooking sensitive user actions such as viewing backup codes, changing passwords, and adding payment methods to capture additional account/billing information; Discord is restarted via Update.exe with --processStart.
  • Browser data theft: targets multiple browsers (explicitly including Chrome, Edge, Brave, Firefox, Opera, Vivaldi, and Yandex) to steal cookies, saved passwords, history, and autofill data; compresses loot into a ZIP (e.g., “<USERNAME>_vault.zip”) and exfiltrates it.
  • Additional behaviors: captures screenshots; displays a fake “Fatal Error” message to mislead victims; establishes persistence by copying itself into the Windows Startup folder.
  • Time-limiting: analyzed samples include an embedded expiration date of 2026-10-31 23:59:59 after which the malware terminates.

Indicators explicitly mentioned in the public analysis include:

  • Sample SHA-256: c7e6591e5e021daa30f949a6f6e0699ef2935d2d7c06ea006e3b201c52666e07
  • Token search prefix: dQw4w9WgXcQ:
  • Fixed HTTP User-Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
  • Exfiltration channel: Discord webhook endpoints (including %WEBHOOK% and hard-coded fallbacks)
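The following hunting script is an added example, not code from Mallory, Unit 42, or the malware itself. It turns the behaviors and indicators listed above into triage logic run over constructed JSON-lines telemetry: webhook POSTs carrying the fixed User-Agent from a non-browser process, `Update.exe --processStart` launched by an unexpected parent, an executable dropped into the Startup folder, `injection-obf.js` written under the Discord directory, and the published sample hash. The telemetry schema (`type`, `url`, `user_agent`, `process`, `cmdline`, `parent`, `path`, `sha256`), the Discord webhook URL shape (public Discord API format), the parent-process allowlist, and all sample paths and webhook ids are assumptions or constructed values, not taken from the page.

```python
import json
import re

# Indicators taken from the page above.
VVS_SAMPLE_SHA256 = "c7e6591e5e021daa30f949a6f6e0699ef2935d2d7c06ea006e3b201c52666e07"
VVS_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
)
INJECTED_JS = "injection-obf.js"

# Discord webhook URL shape (public Discord API format; assumption, not from the page).
WEBHOOK_RE = re.compile(r"^https://(?:[a-z]+\.)?discord(?:app)?\.com/api/webhooks/\d+/", re.I)
# Parents that legitimately launch "Update.exe --processStart" (assumed allowlist; tune per fleet).
LEGIT_UPDATER_PARENTS = {"explorer.exe", "discord.exe", "update.exe"}
# Real browsers also send a Chrome/115 UA, so the UA alone is weak; the process name decides.
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe", "vivaldi.exe", "browser.exe"}


def _norm(path: str) -> str:
    """Normalise a Windows path for case-insensitive, separator-agnostic matching."""
    return path.replace("/", "\\").lower()


def triage(event: dict) -> list[str]:
    """Return the VVS Stealer indicators one telemetry event matches (empty list = clean)."""
    hits = []
    kind = event.get("type")
    if kind == "http":
        url, ua = event.get("url", ""), event.get("user_agent", "")
        proc = event.get("process", "").lower()
        if event.get("method", "").upper() == "POST" and WEBHOOK_RE.match(url):
            if ua == VVS_USER_AGENT and proc not in BROWSERS:
                hits.append("webhook POST with VVS fixed User-Agent from non-browser process")
            else:
                hits.append("POST to Discord webhook (review)")  # lower confidence
        # A GET to ipify is part of the chain but far too common to flag on its own.
    elif kind == "process":
        cmd = event.get("cmdline", "").lower()
        parent = event.get("parent", "").lower()
        if "update.exe" in cmd and "--processstart" in cmd and parent not in LEGIT_UPDATER_PARENTS:
            hits.append(f"Discord restarted via Update.exe --processStart by unexpected parent {parent}")
    elif kind == "file_write":
        path = _norm(event.get("path", ""))
        name = path.rsplit("\\", 1)[-1]
        if "\\start menu\\programs\\startup\\" in path and name.endswith(".exe"):
            hits.append("executable dropped into Startup folder (persistence)")
        if "\\discord\\" in path and name == INJECTED_JS:
            hits.append("injection-obf.js written into Discord application directory")
    if event.get("sha256", "").lower() == VVS_SAMPLE_SHA256:
        hits.append("SHA-256 matches analyzed VVS Stealer sample")
    return hits


def hunt(lines) -> list[tuple[int, list[str]]]:
    """Parse JSON-lines telemetry; return (line_no, hits) for every line that matched."""
    findings = []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the whole hunt
        hits = triage(event)
        if hits:
            findings.append((n, hits))
    return findings


# Constructed telemetry (not real captures); process names, paths and webhook id/token are placeholders.
SAMPLE_EVENTS = [
    {"type": "http", "method": "POST", "process": "svchostx.exe", "user_agent": VVS_USER_AGENT,
     "url": "https://discord.com/api/webhooks/123456789012345678/PLACEHOLDER_TOKEN"},
    {"type": "http", "method": "GET", "process": "chrome.exe", "user_agent": VVS_USER_AGENT,
     "url": "https://api.ipify.org/"},
    {"type": "process", "image": r"C:\Users\victim\AppData\Local\Discord\Update.exe",
     "cmdline": "Update.exe --processStart Discord.exe", "parent": "svchostx.exe"},
    {"type": "process", "image": r"C:\Users\victim\AppData\Local\Discord\Update.exe",
     "cmdline": "Update.exe --processStart Discord.exe", "parent": "explorer.exe"},
    {"type": "file_write", "sha256": VVS_SAMPLE_SHA256,
     "path": r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostx.exe"},
    {"type": "file_write",
     "path": r"C:\Users\victim\AppData\Local\Discord\app-1.0.9001\resources\injection-obf.js"},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS] + ["not valid json {"]

if __name__ == "__main__":
    for n, hits in hunt(SAMPLE_LINES):
        print(f"line {n}: " + "; ".join(hits))
```

Lines 1, 3, 5 and 6 of the constructed sample fire; the ipify lookup from a browser and the explorer-launched Discord restart stay quiet, which is the point of tying each indicator to the process context rather than matching strings alone.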