Overview
- Palo Alto Networks Unit 42 published a full technical breakdown of VVS Stealer’s capabilities on January 5, 2026.
- The Python malware is distributed as a PyInstaller bundle and protected with Pyarmor in BCC mode; researchers deobfuscated it to recover the underlying code, which was encrypted with AES-128-CTR.
- It locates and decrypts Discord tokens, queries multiple API endpoints for account and billing data, and exfiltrates results to preset webhooks via HTTP POST.
- The stealer terminates the Discord client, injects obfuscated JavaScript, and uses a Chrome DevTools Protocol–based payload to hijack active sessions and monitor activity.
- It also harvests passwords, cookies, history, and autofill data from Chromium and Firefox browsers, persists via the Windows Startup folder, and displays fake “Fatal Error” pop-ups to the victim. It is sold on Telegram at prices from €10 per week to €199 for a lifetime license, with tentative ties to a French-speaking operator.