Discord users are currently facing a significant cybersecurity threat from a sophisticated piece of malware known as VVS Stealer. This information-stealing program, written in Python, is designed to pilfer sensitive account credentials and active session tokens from unsuspecting users. The malware was actively marketed on Telegram as early as April, boasting capabilities to steal Discord data, intercept active user sessions through injection techniques, and extract detailed information from web browsers.
According to cybersecurity researchers, VVS Stealer poses a serious risk due to its blend of accessible Python development with advanced obfuscation methods. Distributed as a PyInstaller package, it further employs Pyarmor version 9.1.4 (Pro) to obscure its code. This dual approach makes it notably difficult for standard security tools to detect and analyze effectively. When a victim executes an infected file, VVS Stealer immediately begins its data exfiltration process.
VVS Stealer Targets Discord Credentials and Browser Data
The primary objective of VVS Stealer is to gather a comprehensive array of user data directly from Discord. This includes Discord tokens, account details such as usernames, email addresses, and phone numbers, payment methods, user IDs, friend lists, and server memberships. The malware also checks for the presence of two-factor authentication, potentially identifying users with weaker security configurations. This sensitive data is then communicated to attackers via Discord webhooks, a method that allows for straightforward message posting without requiring bot authentication credentials.
Beyond simply stealing existing Discord data, VVS Stealer actively compromises the application itself. Upon execution, it terminates any running Discord processes before injecting a malicious JavaScript payload into the Discord application’s directory. Because the Discord client is built on the Electron framework, the injected code can use the Chrome DevTools Protocol to monitor the client’s network traffic. It intercepts critical user actions, such as viewing backup codes, changing passwords, or adding a payment method. Event hooks are created to automatically capture and transmit account and billing information whenever these actions occur.
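The injection described above leaves a durable artifact: JavaScript inside the Discord install directory that was not shipped by Discord. One low-cost defensive check is to scan that directory for JavaScript files carrying a full Discord webhook URL, since the legitimate client code has no reason to embed one. The following is an added example written for this article, not code from the researchers or from the malware; the directory layout it builds (an `app-*/modules/.../index.js` tree) is a constructed stand-in for a real install, and `PLACEHOLDER_TOKEN_abc` is a placeholder, not a real webhook token. The scan redacts any webhook token it finds so that an analyst's report does not itself leak the attacker's exfiltration channel.

```python
import re
import tempfile
from pathlib import Path

# Full Discord webhook URL (real Discord API hosts; id and token are per-webhook).
# A complete URL of this shape inside client-side JavaScript is a strong tampering indicator.
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_.-]+"
)


def redact_webhook(url):
    """Keep the host and id for triage, but hide the secret token part of the URL."""
    head, _, token = url.rpartition("/")
    return f"{head}/{token[:4]}***"


def scan_discord_modules(root):
    """Walk a Discord install directory and report JS files that embed a webhook URL.

    Returns a list of {"file": <relative path>, "webhook": <redacted url>} findings.
    Files that cannot be read are skipped rather than aborting the scan.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.js")):
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue
        for match in WEBHOOK_RE.finditer(text):
            findings.append({
                "file": path.relative_to(root).as_posix(),
                "webhook": redact_webhook(match.group(0)),
            })
    return findings


def build_demo_tree():
    """Construct a throwaway directory that imitates a Discord install (assumed layout).

    One module file is clean; one has had an exfiltration line prepended, the way the
    article describes the injected payload living inside the application directory.
    """
    root = Path(tempfile.mkdtemp(prefix="discord_demo_"))
    core = root / "app-1.0.0" / "modules" / "discord_desktop_core-1" / "discord_desktop_core"
    core.mkdir(parents=True)
    # Clean file: nothing but the normal module export.
    (core / "core_loader.js").write_text("module.exports = require('./core.asar');\n")
    # Tampered file: constructed injected line with a placeholder webhook, then the export.
    (core / "index.js").write_text(
        "const EXFIL = 'https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN_abc';\n"
        "module.exports = require('./core.asar');\n"
    )
    # Unrelated JS elsewhere in the tree, also clean.
    (root / "app-1.0.0" / "resources").mkdir()
    (root / "app-1.0.0" / "resources" / "build_info.js").write_text("exports.version = '1.0.0';\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for finding in scan_discord_modules(demo_root):
        print(f"TAMPERED: {finding['file']} posts to {finding['webhook']}")
```

On a real host the root would be the user's Discord install directory (under the local application-data folder on Windows); pairing this scan with a hash comparison of the module files against a clean install catches injected code that avoids embedding a literal URL.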
The infection extends to broader online activity by targeting multiple popular web browsers. VVS Stealer extracts autofill data, cookies, browsing history, and saved passwords from browsers including Chrome, Firefox, Edge, Brave, Opera, and Yandex. All aggregated browser data is compressed into a single ZIP file named after the victim’s username. This archive is then sent to the attackers via HTTP POST requests to pre-configured webhook endpoints, so a single infection yields the victim’s credentials across every browser installed on the machine.
Persistence and Advanced Evasion Techniques
To ensure continued operation and data theft, VVS Stealer employs a stealthy persistence mechanism. It copies itself into the Windows Startup folder, guaranteeing that it launches automatically every time the computer boots up. This ensures that even if a user reinstalls Discord or changes their passwords, the malware remains active and continues its exfiltration activities. This persistent threat vector highlights the importance of robust endpoint security solutions.
Technical Breakdown of the VVS Stealer Infection Mechanism
Researchers have analyzed a specific sample of VVS Stealer, identified by the SHA-256 hash c7e6591e5e021daa30f949a6f6e0699ef2935d2d7c06ea006e3b201c52666e07, which is configured to expire after October 31, 2026. The malware leverages PyInstaller to package its Python code and dependencies into a standalone executable. Key components were successfully extracted using the PyInstaller utility, revealing the Python bytecode file named vvs, the Pyarmor runtime extension module (pyarmor_runtime.pyd, a Windows DLL), and configuration details including a license number and timestamp.
To further obscure its activities, VVS Stealer utilizes AES-128-CTR encryption. The encryption key, 273b1b1373cf25e054a61e2cb8a947b8, was located within the Pyarmor runtime DLL. A nonce XOR key, which is unique to each payload, is generated to facilitate the encryption process. Network requests made by the malware consistently use the user-agent string: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36.
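Two details in this article are directly usable for network detection: the exfiltration travels as HTTP POSTs to Discord webhook endpoints (the browser-data ZIP described earlier, and the account data), and the sample's requests carry a fixed user-agent string. The following is an added example, not code from the researchers or from the malware, that runs those rules over a constructed proxy log. The log format (timestamp, client IP, method, URL, quoted user-agent, request body size, content type) is an assumption standing in for whatever a real proxy or egress gateway logs; the webhook ids and tokens in the sample lines are placeholders. The SHA-256 indicator is the one published in the article.

```python
import re
from dataclasses import dataclass, field

# User-agent string the article reports for VVS Stealer's network requests.
VVS_USER_AGENT = (
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36"
)

# SHA-256 of the analysed sample, as published in the article.
KNOWN_SAMPLE_HASHES = {
    "c7e6591e5e021daa30f949a6f6e0699ef2935d2d7c06ea006e3b201c52666e07",
}

# Discord webhook URL shape: real Discord API hosts; numeric id and token are per-webhook.
WEBHOOK_RE = re.compile(
    r"^https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_.-]+"
)

# Assumed (constructed) proxy log format, one request per line:
#   <timestamp> <client_ip> <method> <url> "<user-agent>" <request_bytes> <content-type>
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'"(?P<ua>[^"]*)" (?P<req_bytes>\d+) (?P<ctype>\S+)$'
)

# Body types a webhook file upload would carry (the article describes a ZIP archive).
UPLOAD_TYPES = {"multipart/form-data", "application/zip"}


@dataclass
class Alert:
    ts: str
    src: str
    url: str
    severity: str
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["req_bytes"] = int(rec["req_bytes"])
    return rec


def score_request(rec):
    """Classify one parsed request. Returns (severity, reasons) or None if not of interest."""
    if rec["method"] != "POST" or not WEBHOOK_RE.match(rec["url"]):
        return None
    reasons = ["HTTP POST from a workstation to a Discord webhook"]
    media_type = rec["ctype"].split(";")[0].lower()
    if media_type in UPLOAD_TYPES and rec["req_bytes"] > 50_000:
        reasons.append("large file upload to the webhook (browser-data ZIP pattern)")
    if rec["ua"] == VVS_USER_AGENT:
        reasons.append("user-agent matches the VVS Stealer sample")
        severity = "high"
    elif len(reasons) > 1:
        severity = "medium"
    else:
        severity = "low"   # webhook POSTs also come from legitimate scripts; triage, don't block
    return severity, reasons


def detect(lines):
    """Run the rules over an iterable of log lines and return the alerts raised, in order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        scored = score_request(rec)
        if scored is None:
            continue
        severity, reasons = scored
        alerts.append(Alert(rec["ts"], rec["src"], rec["url"], severity, reasons))
    return alerts


def is_known_sample(sha256_hex):
    """Match a file hash (any case) against the indicator published for the analysed sample."""
    return sha256_hex.strip().lower() in KNOWN_SAMPLE_HASHES


# Constructed sample log; webhook ids/tokens are placeholders, not real webhooks.
SAMPLE_LOG = [
    '2025-05-02T10:14:01Z 10.0.0.12 GET https://discord.com/api/v9/users/@me "Discord/1.0" 0 -',
    '2025-05-02T10:14:03Z 10.0.0.12 POST https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN '
    '"' + VVS_USER_AGENT + '" 1480233 multipart/form-data;boundary=----constructed',
    '2025-05-02T10:20:44Z 10.0.0.40 POST https://discord.com/api/webhooks/111111111111111111/PLACEHOLDER_TOKEN '
    '"python-requests/2.31" 312 application/json',
    'this line is not in the expected format and is skipped',
    '2025-05-02T11:02:09Z 10.0.0.55 POST https://discordapp.com/api/webhooks/222222222222222222/PLACEHOLDER_TOKEN '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0.0.0" 2097152 application/zip',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.severity}] {a.ts} {a.src} -> {a.url}: " + "; ".join(a.reasons))
```

The user-agent match is treated as the strongest signal because it is specific to this sample, while a bare webhook POST is only low severity: build pipelines and monitoring scripts post to Discord webhooks legitimately, so the size and content-type rule is what separates a text notification from an archive upload.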
The malware employs a specific method to locate and decrypt Discord tokens. It searches for encrypted tokens within .ldb or .log files located in the LevelDB directory, specifically looking for those beginning with the prefix dQw4w9WgXcQ:. Regular expressions are used for this search. Once identified, these tokens are decrypted using the Windows Data Protection API, allowing attackers to gain unauthorized access to user accounts and potentially linked financial information.