VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion. Bitdefender among major AVs still unable to detect it.

Khushal
Apr 4, 2024
This technical analysis of the VVS stealer (aka VVS $stealer) examines its use of the legitimate tool Pyarmor for obfuscation and detection evasion, as well as its methods for targeting Discord users and exfiltrating sensitive information.

This Unit 42 write-up (published January 2, 2026) is a solid example of “dual-use” tooling being abused: VVS $tealer is Python-based, packaged via PyInstaller, and heavily protected with Pyarmor to slow analysis and evade simple static/signature detections. ([unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/vvs-stealer/))

What stands out in the analysis

1) Obfuscation & evasion via Pyarmor
  • The sample is a PyInstaller bundle; Unit 42 extracts the embedded Python bytecode and the Pyarmor runtime (including version/license artifacts) as part of reversing it. ([unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/vvs-stealer/))
  • Pyarmor protections discussed include BCC mode (converting portions of Python logic into compiled native code) and AES-based encryption of bytecode/strings, which significantly raises the cost of static analysis. ([unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/vvs-stealer/))
  • The analyzed sample includes an expiration/kill condition (it stops working after 2026-10-31 23:59:59) and uses a fixed browser-like User-Agent for HTTP requests. ([unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/vvs-stealer/))

2) Discord-focused theft + session hijacking
  • It hunts for Discord tokens in LevelDB-related files, then decrypts tokens using DPAPI-derived material and AES-GCM logic as described by Unit 42. ([unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/vvs-stealer/))
  • Stolen tokens are used to query Discord API endpoints for extensive account data (email/phone, billing/payment methods, MFA status, guilds/friends, etc.), and it even pulls the victim IP via ipify. ([unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/vvs-stealer/))
  • Exfiltration is done via HTTP POST to attacker-controlled Discord webhook endpoints (including an env var %WEBHOOK% plus hard-coded fallbacks). ([unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/vvs-stealer/))
  • It also performs Discord “injection”: kills Discord processes, drops/updates an obfuscated JS payload, and restarts Discord. The injected JS monitors traffic (via Chrome DevTools Protocol) and hooks user actions like viewing backup codes, changing password, or adding payment methods to capture additional sensitive info. ([unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/vvs-stealer/))

3) Browser data theft + persistence
  • Targets many Chromium-family browsers (plus Firefox and Discord/Lightcord, etc.) and steals autofill, cookies, history, and passwords. ([unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/vvs-stealer/))
  • Collected browser data is compressed into a ZIP named “<USERNAME>_vault.zip” and exfiltrated via the same webhook/HTTP POST mechanism. ([unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/vvs-stealer/))
  • Persistence: it copies itself into the user’s Startup folder: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup. ([unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/vvs-stealer/))
  • It can show a fake fatal error prompt to mislead the victim while it runs. ([unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/vvs-stealer/))

Defender takeaways (practical)
  • If you suspect exposure: immediately rotate Discord password, revoke/refresh sessions/tokens (log out all sessions), and ensure MFA is enabled; also review/remove any newly added payment methods and regenerate backup codes.
  • For endpoint triage: check the Startup folder persistence location noted above, and hunt for unusual Discord “core” modifications/injection artifacts (unexpected JS changes under Discord install directories).
  • Network-side: monitor for outbound HTTP POST activity to Discord webhook endpoints from endpoints that shouldn’t be posting to webhooks, and treat such traffic as high-signal in many environments.

Indicators of Compromise (from the article)
  • SHA-256:
    • 307d9cefa7a3147eb78c69eded273e47c08df44c2004f839548963268d19dd87
    • 7a1554383345f31f3482ba3729c1126af7c1d9376abb07ad3ee189660c166a2b
    • c7e6591e5e021daa30f949a6f6e0699ef2935d2d7c06ea006e3b201c52666e07
  • Discord webhook URLs (defanged):
    • hxxps[://]ptb.discord[.]com/api/webhooks/1360401843963826236/TkFvXfHFXrBIKT3EaqekJefvdvt39XTAxeOIWECeSrBbNLKDR5yPcn75uIqKEzdfs9o2
    • hxxps[://]ptb.discord[.]com/api/webhooks/1360259628440621087/YCo9eVnIBOYSMn8Xr6zX5C7AJF22z26WljaJk4zr6IiThnUrVyfWCZYs6JjSC12IC8c0
([unit42.paloaltonetworks.com](https://unit42.paloaltonetworks.com/vvs-stealer/))
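As an added example (not code from the post above or from the Unit 42 write-up), here is the network-side hunt from the defender takeaways turned into working detection logic. It runs over constructed proxy log lines in a hypothetical `<timestamp> <host> <method> <url>` format; the two known webhook IDs are taken from the IOC list in the post, while the host names, the other webhook IDs and the five-minute correlation window are assumptions. The ipify-then-webhook sequence check is there because the post notes the stealer fetches the victim IP via ipify before posting to the webhook.

```python
"""Detect Discord-webhook exfiltration (the VVS $tealer pattern) in proxy logs.

Hypothetical log format, one request per line:
    <ISO timestamp> <source host> <method> <url>
Sample lines below are constructed for this example.
"""
import re
from datetime import datetime, timedelta

# Webhook IDs from the IOCs posted in this thread. The ID alone is enough to
# match, so the token half of the URL is never needed in the rule.
KNOWN_WEBHOOK_IDS = {"1360401843963826236", "1360259628440621087"}

# Any Discord webhook endpoint, including the ptb/canary hosts seen in the IOCs.
WEBHOOK_RE = re.compile(
    r"^https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)"
)
IPIFY_RE = re.compile(r"^https?://api\.ipify\.org")
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT) (\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, method, url = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "method": method, "url": url}


def analyze(lines, window=timedelta(minutes=5)):
    """Return alerts for webhook POSTs, in three confidence tiers:
       known_ioc     - POST to a webhook ID published in the thread
       exfil_pattern - POST to any Discord webhook preceded within `window`
                       by an ipify lookup from the same host (stealer sequence)
       webhook_post  - any other POST to a Discord webhook (lower confidence)
    """
    last_ipify = {}  # host -> timestamp of its most recent ipify call
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["method"] == "GET" and IPIFY_RE.match(ev["url"]):
            last_ipify[ev["host"]] = ev["ts"]
            continue
        m = WEBHOOK_RE.match(ev["url"])
        if not (m and ev["method"] == "POST"):
            continue
        webhook_id = m.group(1)
        if webhook_id in KNOWN_WEBHOOK_IDS:
            kind = "known_ioc"
        elif ev["host"] in last_ipify and ev["ts"] - last_ipify[ev["host"]] <= window:
            kind = "exfil_pattern"
        else:
            kind = "webhook_post"
        alerts.append({"kind": kind, "host": ev["host"],
                       "webhook_id": webhook_id, "ts": ev["ts"].isoformat()})
    return alerts


# Constructed sample log: one hit on a published IOC, one unknown webhook that
# follows an ipify lookup, one lone webhook POST, and benign Discord API traffic.
SAMPLE_LOG = """\
2026-01-05T09:12:01 WS-FINANCE-07 GET https://api.ipify.org/?format=json
2026-01-05T09:12:04 WS-FINANCE-07 POST https://ptb.discord.com/api/webhooks/1360401843963826236/TkFvXfHFXrBIKT3EaqekJefvdvt39XTAxeOIWECeSrBbNLKDR5yPcn75uIqKEzdfs9o2
2026-01-05T09:20:10 WS-DEV-03 GET https://api.ipify.org/?format=json
2026-01-05T09:21:30 WS-DEV-03 POST https://discord.com/api/webhooks/9999/aaaa
2026-01-05T10:00:00 BUILD-01 POST https://discord.com/api/webhooks/8888/bbbb
2026-01-05T10:01:00 WS-DEV-03 GET https://discord.com/api/v9/users/@me
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

In most corporate environments a workstation has no business POSTing to a Discord webhook at all, so the lowest tier is still worth a ticket; the ipify correlation mainly helps prioritise when the environment does have legitimate webhook integrations (build servers, bots).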
Although AVs can have detection problems with such malware, almost all are blocked by SmartScreen when downloaded from the Internet and executed.
This is a common situation. If the malware is poorly detected, the attackers often do not bother to use special delivery methods that can bypass SmartScreen. They know that half of the users will ignore SmartScreen alerts,

Edit.
A dangerous combination would be malware in the PyInstaller package delivered via the ClickFix method. The first ensures poor AV detection, and the second bypasses SmartScreen. It is good to be aware of the ClickFix danger and (if necessary) take some countermeasures.
Indicators of Compromise (IOCs)

File Hashes
(SHA-256)

`c7e6591e5e021daa30f949a6f6e0699ef2935d2d7c06ea006e3b201c52666e07`

`307d9cefa7a3147eb78c69eded273e47c08df44c2004f839548963268d19dd87`

`7a1554383345f31f3482ba3729c1126af7c1d9376abb07ad3ee189660c166a2b`

Network Indicators (Defanged)

`hxxps[://]ptb.discord[.]com/api/webhooks/1360401843963826236/TkFvXfHFXrBIKT3EaqekJefvdvt39XTAxeOIWECeSrBbNLKDR5yPcn75uIqKEzdfs9o2`

`hxxps[://]ptb.discord[.]com/api/webhooks/1360259628440621087/YCo9eVnIBOYSMn8Xr6zX5C7AJF22z26WljaJk4zr6IiThnUrVyfWCZYs6JjSC12IC8c0`

Remediation & Recommendations

Terminate & Purge

Immediately kill any unrecognized Python or Discord-related processes. Navigate to and delete any suspicious executables or shortcuts in:
`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup`

Clean Discord Install

The malware modifies the core files of the Discord client. You must completely uninstall Discord, ensure the folders are deleted, and then reinstall a fresh copy:
`%LOCALAPPDATA%/Discord` and `%APPDATA%/discord`


Credential Reset

Discord

Reset your password immediately. This invalidates the stolen token.

Browsers

If you saved passwords in your browser, consider them compromised. Reset passwords for all affected accounts, prioritizing email and banking. Enable Multi-Factor Authentication (MFA) everywhere.

Session Invalidation

Log out of all active sessions for critical services to ensure the attacker cannot use stolen session cookies.

External Technical Research

DeepCode

"Investigating VVS $tealer: A Python-Based Discord Malware" (decode cyber crime[.]com)

Cited in the Unit 42 report for operational investigation details

SANS Internet Storm Center

"Obfuscated Malicious Python Scripts with PyArmor" (isc.sans[.]edu)

Diary entry discussing the rise of Pyarmor in malware.
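Added example (not part of the posts above or of the Unit 42 report): a small host-triage script for the "Terminate & Purge" and "Clean Discord Install" steps. It flags PyInstaller bundles in the Startup folder (by the PyInstaller archive magic), reports Pyarmor runtime strings found inside them, and checks the Discord desktop core loader for tampering. The Pyarmor marker strings, the expected clean content of `discord_desktop_core/index.js` and the `app-*/modules/...` path layout are assumptions (heuristics, not from the report); the sample directory tree, file names and file contents are constructed so the script runs offline.

```python
"""Host triage for the VVS $tealer artifacts discussed in this thread:
(1) PyInstaller bundles dropped into the user's Startup folder,
(2) Pyarmor runtime strings inside them,
(3) tampering with the Discord desktop core loader (index.js).

Runs stand-alone on a constructed directory tree; use default_paths() to point
the same functions at the real %APPDATA% / %LOCALAPPDATA% locations.
"""
import os
import tempfile
from pathlib import Path

# PyInstaller's CArchive cookie magic (the same bytes pyinstxtractor searches for).
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Assumption: strings the Pyarmor 7/8 runtimes leave in obfuscated scripts.
# Heuristic only; a BCC-compiled or further packed bundle may not expose them.
PYARMOR_MARKERS = (b"pyarmor_runtime", b"pytransform", b"__pyarmor__")

# Assumption: an unmodified discord_desktop_core/index.js is this single line.
# Discord "injectors" overwrite it with their own JS loader.
CLEAN_CORE_INDEX = b"module.exports = require('./core.asar');"


def is_pyinstaller_bundle(path):
    return PYINSTALLER_MAGIC in Path(path).read_bytes()


def pyarmor_markers(path):
    data = Path(path).read_bytes()
    return sorted(m.decode() for m in PYARMOR_MARKERS if m in data)


def triage_startup(startup_dir):
    """Report every PyInstaller bundle in the Startup folder plus its Pyarmor markers."""
    findings = []
    for p in sorted(Path(startup_dir).iterdir()):
        if p.is_file() and is_pyinstaller_bundle(p):
            findings.append({"path": str(p), "pyinstaller": True, "pyarmor": pyarmor_markers(p)})
    return findings


def check_discord_core(local_appdata):
    """Return every discord_desktop_core/index.js under Discord/app-*/modules/
    that does not match the clean one-line loader (assumed layout, see above)."""
    pattern = "app-*/modules/discord_desktop_core-*/discord_desktop_core/index.js"
    tampered = []
    for index_js in Path(local_appdata, "Discord").glob(pattern):
        if index_js.read_bytes().strip() != CLEAN_CORE_INDEX:
            tampered.append(str(index_js))
    return tampered


def default_paths():
    """Live-host inputs: (Startup folder, %LOCALAPPDATA%)."""
    appdata = os.environ.get("APPDATA", "")
    local = os.environ.get("LOCALAPPDATA", "")
    return (Path(appdata, "Microsoft", "Windows", "Start Menu", "Programs", "Startup"), Path(local))


def build_sample_tree():
    """Constructed sample tree: a fake bundle and a benign shortcut in Startup,
    one clean and one injected Discord core. Names and contents are made up."""
    root = Path(tempfile.mkdtemp())
    startup = root / "Startup"
    startup.mkdir()
    (startup / "WindowsUpdate.exe").write_bytes(
        b"MZ" + b"\0" * 64
        + b"from pyarmor_runtime_000000 import __pyarmor__"
        + PYINSTALLER_MAGIC + b"\0" * 16)
    (startup / "Teams.lnk").write_bytes(b"L\0\0\0 benign shortcut")
    core = "modules/discord_desktop_core-1/discord_desktop_core"
    clean = root / "Discord" / "app-1.0.9001" / core
    clean.mkdir(parents=True)
    (clean / "index.js").write_bytes(CLEAN_CORE_INDEX + b"\n")
    bad = root / "Discord" / "app-1.0.9002" / core
    bad.mkdir(parents=True)
    (bad / "index.js").write_bytes(b"const https=require('https');/* injected */\n" + CLEAN_CORE_INDEX)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print(triage_startup(root / "Startup"))
    print(check_discord_core(root))
```

On a live host, feed the two paths from `default_paths()` to `triage_startup` and `check_discord_core`. A tampered `index.js` confirms the injection the post describes, but it is a detection, not a cleanup: the full uninstall and reinstall recommended above is still the right fix, since the injected loader is only one of the files the stealer drops.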