Full Report
Cybersecurity researchers have disclosed details of a new Python-based information stealer called VVS Stealer (also styled as VVS $tealer) that's capable of harvesting Discord credentials and tokens. The stealer is said to have been on sale on Telegram as far back as April 2025, according to a report from Palo Alto Networks Unit 42. "VVS stealer's code is obfuscated by Pyarmor," researchers
Analysis Summary
# Tool/Technique: VVS Stealer (VVS $tealer)
## Overview
VVS Stealer is a new, commercially available, Python-based information stealer primarily designed to harvest Discord credentials and tokens. It is notable for employing significant obfuscation techniques to evade static analysis.
## Technical Details
- Type: Malware family (Information Stealer)
- Platform: Windows (inferred from the persistence mechanism, which uses the Windows Startup folder, and from the targeting of Windows applications such as Discord)
- Capabilities: Discord credential/token theft, web browser data exfiltration (passwords, cookies, history), screenshot capture, session hijacking via Discord injection.
- First Seen: On sale on Telegram as early as April 2025.
## MITRE ATT&CK Mapping
Based on observed functionality:
- **TA0009 - Credential Access**
  - T1003 - OS Credential Dumping
  - T1555 - Credentials from Password Stores
  - T1555.003 - Credentials from Web Browsers (for stealing browser data)
- **TA0003 - Persistence**
  - T1547 - Boot or Logon Autostart Execution
  - T1547.001 - Registry Run Keys / Startup Folder (for adding itself to the Windows Startup folder)
- **TA0006 - Collection**
  - T1005 - Data from Local System
  - T1115 - Clipboard Data (not explicitly reported; included only because clipboard capture is common in stealers and data collection is this tool's primary purpose)
## Functionality
### Core Capabilities
- **Data Exfiltration:** Steals Discord tokens/account information, web browser data (passwords, history, cookies, autofill info from Chromium and Firefox).
- **Persistence:** Sets up persistence by adding its executable to the Windows Startup folder to ensure execution upon system reboot.
- **Packaging:** Distributed as a PyInstaller package, which bundles the interpreter and compiled bytecode so the Python source is not shipped in the clear.
### Advanced Features
- **Obfuscation:** Code is heavily obfuscated using **Pyarmor** to hinder static analysis and signature-based detection.
- **User Deception:** Displays fake "Fatal Error" pop-ups instructing the user to restart the computer, masking the malicious activity.
- **Discord Session Hijacking:** Executes a specific sequence:
  1. Terminates the running Discord application.
  2. Downloads an obfuscated JavaScript payload from a remote server.
  3. Runs the payload against Discord through the Chrome DevTools Protocol (CDP) to monitor network traffic and hijack active Discord sessions.
## Indicators of Compromise
*Note: Specific IOCs (hashes, IPs, domains) were not provided in the source text and cannot be generated.*
- File Hashes: [Not available]
- File Names: [Inferred to be packaged as an executable (.exe) via PyInstaller]
- Registry Keys: [None reported; the described persistence mechanism is the Windows Startup folder rather than a specific registry key]
- Network Indicators: [No C2 domains/IPs listed; the stealer downloads an obfuscated JavaScript payload from a remote server]
- Behavioral Indicators:
  - Persistence via a new entry in the Windows Startup folder.
  - Termination of the legitimate Discord process.
  - Network traffic monitoring of Discord via the Chrome DevTools Protocol (CDP).
## Associated Threat Actors
Reported to be the work of a **French-speaking threat actor**, who is also associated with Telegram groups promoting other stealers such as Myth Stealer and Eyes Stealer GC.
## Detection Methods
- Signature-based detection: Hindered due to Pyarmor obfuscation.
- Behavioral detection: Should focus on newly created Startup-folder persistence entries, termination of the Discord process followed by CDP-based network monitoring, and file creation by a PyInstaller-packaged executable.
- YARA rules: Candidate rules could target structures or strings characteristic of Pyarmor-obfuscated Python bytecode, or strings related to CDP interaction.
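As an added example (not from the report or from Unit 42), the behavioural sequence above expressed as a simple correlation rule over constructed endpoint telemetry; it assumes that CDP access to Discord shows up as a relaunch of `Discord.exe` with Chromium's `--remote-debugging-port` (or `-pipe`) flag, which the report itself does not state, and that the telemetry has already been normalised into the event shape used here.

```python
import re
from datetime import datetime, timedelta

# Constructed telemetry (not from the report): process-monitoring events after normalisation.
EVENTS = [
    {"ts": "2025-06-01T10:00:00", "type": "file_create", "proc": "dropper.exe",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe"},
    {"ts": "2025-06-01T10:00:02", "type": "proc_terminate", "proc": "Discord.exe", "cmdline": ""},
    {"ts": "2025-06-01T10:00:05", "type": "proc_start", "proc": "Discord.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Discord\app-1.0.9\Discord.exe" --remote-debugging-port=9222'},
    # Benign: a normal user restart of Discord, no debugging flag, well outside the window.
    {"ts": "2025-06-01T11:00:00", "type": "proc_terminate", "proc": "Discord.exe", "cmdline": ""},
    {"ts": "2025-06-01T11:00:40", "type": "proc_start", "proc": "Discord.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Discord\app-1.0.9\Discord.exe"'},
]

# Per-user Startup folder lives under this path (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup).
STARTUP_DIR = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)
# Assumption: CDP is enabled on an Electron app via Chromium's remote-debugging switch.
CDP_FLAG = re.compile(r"--remote-debugging-(port|pipe)", re.I)
WINDOW = timedelta(seconds=30)  # kill-then-relaunch must happen within this window


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_alerts(events):
    """Return (rule, timestamp, detail) tuples for the two behaviours the report describes."""
    alerts = []
    last_discord_kill = None
    for e in sorted(events, key=_ts):
        # Rule 1: any file dropped into a user's Startup folder (tune with an installer allow-list).
        if e["type"] == "file_create" and STARTUP_DIR.search(e["path"]):
            alerts.append(("startup_persistence", e["ts"], f'{e["proc"]} -> {e["path"]}'))
        elif e["type"] == "proc_terminate" and e["proc"].lower() == "discord.exe":
            last_discord_kill = _ts(e)
        # Rule 2: Discord killed, then relaunched shortly afterwards with remote debugging (CDP) on.
        elif e["type"] == "proc_start" and e["proc"].lower() == "discord.exe":
            if (CDP_FLAG.search(e.get("cmdline", "")) and last_discord_kill is not None
                    and _ts(e) - last_discord_kill <= WINDOW):
                alerts.append(("discord_cdp_relaunch", e["ts"], e["cmdline"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(alert)
```

Both rules fire on the constructed data while the benign restart at 11:00 is ignored; in production, add an allow-list for legitimate installers on rule 1 and correlate rule 2 with the parent process that issued the relaunch.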
## Mitigation Strategies
- **Application Control:** Prevent execution of unknown or unauthorized Python-packaged executables where possible.
- **Persistence Monitoring:** Regularly audit the Windows Startup folder and associated registry keys for unauthorized entries.
- **Endpoint Detection & Response (EDR):** Implement EDR solutions capable of detecting process injection or unexpected network monitoring triggered after the termination of legitimate applications like Discord.
- **Code Obfuscation Awareness:** Recognize that the use of tools like Pyarmor indicates a significant effort by the adversary to evade automated analysis.
## Related Tools/Techniques
- **Obfuscation Tool:** Pyarmor
- **Malware Families:** Functionally similar information stealers (e.g., Vidar, RedLine), plus Myth Stealer and Eyes Stealer (promoted by the associated actor's Telegram groups).
- **Related Technique:** Use of the Chrome DevTools Protocol (CDP) for session hijacking is an advanced technique for credential/token theft.