VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion

Jan. 2, 2026, 4:32 p.m.

Description

VVS stealer is Python-based malware that targets Discord users to exfiltrate sensitive information such as credentials and tokens. It uses Pyarmor for obfuscation and detection evasion. Its capabilities include stealing Discord data, intercepting active sessions, extracting browser data, and achieving persistence. The code is heavily obfuscated using Pyarmor's BCC mode and AES-128-CTR encryption. The analysis shows that the stealer can decrypt encrypted Discord tokens, query Discord APIs for user information, inject malicious JavaScript into the Discord application, and extract data from various web browsers. The malware also implements startup persistence and displays a fake error message to deceive victims.

Date

  • Created: Jan. 2, 2026, 1:40 p.m.
  • Published: Jan. 2, 2026, 1:40 p.m.
  • Modified: Jan. 2, 2026, 4:32 p.m.

Indicators

  • c7e6591e5e021daa30f949a6f6e0699ef2935d2d7c06ea006e3b201c52666e07
  • 307d9cefa7a3147eb78c69eded273e47c08df44c2004f839548963268d19dd87
  • 7a1554383345f31f3482ba3729c1126af7c1d9376abb07ad3ee189660c166a2b