"The stealer is said to have been on sale on Telegram as far back as April 2025, according to a report from Palo Alto Networks Unit 42. "VVS stealer's code is obfuscated by Pyarmor," researchers Pranay Kumar Chhaparwal and Lee Wei Yeong said. "This tool is used to obfuscate Python scripts to hinder static analysis and signature-based detection. Pyarmor can be used for legitimate purposes and also leveraged to build stealthy malware.""
"Advertised on Telegram as the "ultimate stealer," it's available for €10 ($11.69) for a weekly subscription. It can also be purchased at different pricing tiers: €20 ($23) for a month, €40 ($47) for three months, €90 ($105) for a year, and €199 ($232) for a lifetime license, making it one of the cheapest stealers for sale."
"The Pyarmor-protected VVS Stealer malware is distributed as a PyInstaller package. Once launched, the stealer sets up persistence by adding itself to the Windows Startup folder to ensure that it's automatically launched following a system reboot. It also displays fake "Fatal Error" pop-up alerts that instruct users to restart their computers to resolve an error and steal a wide range of data - Discord data (tokens and account information) Web browser data from Chromium and Firefox (cookies, history, passwords, and autofill information) Screenshots"
VVS Stealer is a Python-based information stealer capable of harvesting Discord credentials and tokens, browser data, and screenshots. The malware is obfuscated with Pyarmor and distributed as a PyInstaller package. It establishes persistence by adding itself to the Windows Startup folder and displays fake "Fatal Error" pop-ups that prompt users to restart their computers. The stealer targets Chromium and Firefox browsers to exfiltrate cookies, history, passwords, and autofill data. VVS Stealer can perform Discord injection attacks to hijack active sessions and will terminate the Discord application on the compromised device before injection. Sales on Telegram began in April 2025 with low-cost subscription tiers including weekly, monthly, and lifetime licenses.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]