
    VVS Stealer: PyInstaller Malware Steals Discord Tokens

    VVS Stealer is a newly observed Python‑based information stealer sold on Telegram. It is obfuscated with Pyarmor, packaged with PyInstaller and persists via the Windows Startup folder. The malware harvests Discord tokens, browser credentials, cookies, history, passwords and screenshots. It can also inject a malicious JavaScript payload to hijack active Discord sessions.

    Palo Alto Networks Unit 42 disclosed the malware, noting it has been offered for sale since April 2025. Researchers described its obfuscation technique, distribution model, and functionality, including credential theft and Discord injection. The report links the tool to French‑speaking threat actors active in stealer‑focused Telegram groups.

    Organizations should monitor for unknown PyInstaller executables and unexpected shortcuts in the Startup folder. Deploy endpoint detection rules for obfuscated Python scripts and suspicious JavaScript payloads. Enforce multi‑factor authentication for Discord and browser accounts and limit administrative privileges that could be abused for credential harvesting.
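    A triage script for the first recommendation above, added here as an example and not taken from the Unit 42 report. It flags Startup-folder files that carry the PyInstaller archive trailer magic, follows shortcuts to their target with a simple byte-pattern heuristic rather than a full Shell Link parser, and treats the Pyarmor runtime names it looks for as assumed indicators rather than anything the report lists.

```python
import re
from pathlib import Path

# Trailer magic of the CArchive that PyInstaller appends to its bootloader.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"
# Runtime names Pyarmor embeds (pytransform for v7, pyarmor_runtime for v8); assumed markers.
PYARMOR_MARKERS = (b"pytransform", b"pyarmor_runtime", b"__pyarmor__")
# Heuristic for .lnk files: first ANSI drive-letter path ending in .exe.
LNK_TARGET_RE = re.compile(rb"[A-Za-z]:\\[^\x00\r\n]{1,250}?\.exe", re.IGNORECASE)

def inspect_binary(path):
    """Classify one file by content, not extension (a renamed .exe still counts)."""
    data = Path(path).read_bytes()
    return {"path": str(path),
            "pyinstaller": PYINSTALLER_MAGIC in data,
            "pyarmor": any(m in data for m in PYARMOR_MARKERS)}

def resolve_lnk_target(lnk_path):
    """Best-effort target extraction from a shortcut without parsing the full
    Shell Link format; returns None when no drive-letter .exe path is found."""
    match = LNK_TARGET_RE.search(Path(lnk_path).read_bytes())
    return match.group(0).decode("latin-1") if match else None

def scan_startup(folder):
    """Inspect every file in a Startup folder, following shortcuts to their
    target so a .lnk pointing at a PyInstaller binary elsewhere is still seen."""
    findings = []
    for entry in sorted(Path(folder).iterdir()):
        if not entry.is_file():
            continue
        if entry.suffix.lower() == ".lnk":
            target = resolve_lnk_target(entry)
            if target is None or not Path(target).is_file():
                # A shortcut whose target cannot be read is itself worth review.
                findings.append({"path": str(entry), "target": target,
                                 "pyinstaller": False, "pyarmor": False,
                                 "unresolved_shortcut": True})
                continue
            result = inspect_binary(target)
            result["shortcut"] = str(entry)
        else:
            result = inspect_binary(entry)
        findings.append(result)
    return findings

def suspicious(findings):
    """Keep only the entries a responder should look at."""
    return [f for f in findings
            if f["pyinstaller"] or f["pyarmor"] or f.get("unresolved_shortcut")]
```

Run `suspicious(scan_startup(folder))` against both the per-user and all-users Startup folders; a match on the archive magic identifies a PyInstaller build, not malware by itself, so review hits rather than auto-deleting them.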

    If VVS Stealer is detected, isolate the affected endpoint, collect memory and file artifacts, and extract IOCs. Remove the malicious startup entry, terminate any injected Discord processes, and force a password reset for compromised accounts. Conduct a full forensic investigation to locate additional stolen credentials and ensure the remote C2 infrastructure is blocked.
