
Pyarmor-obfuscated VVS Stealer targets Discord, browser data


The VVS Stealer malware-as-a-service (MaaS), which targets Discord users and leverages the legitimate Pyarmor tool for obfuscation, was recently decoded for a technical analysis by Palo Alto Networks’ Unit 42.

The analysis, published Friday, revealed new details about the stealer’s stealth methods and described how the malware targets Discord and browser data, including by injecting a script to intercept active Discord sessions.

Pyarmor is a legitimate tool for obfuscating Python scripts, which the VVS Stealer developers used to prevent static and signature-based analysis of the malware.

Files inside the PyInstaller package in which the malware sample was distributed revealed that the attackers used the Pro version of Pyarmor, and also exposed their unique license number.

Pyarmor uses AES-128-CTR encryption to obfuscate the Python bytecode; it also includes a mode called ByteCode-to-Compilation (BCC) that provides further obfuscation by converting most Python functions into their equivalent C functions, which are compiled into machine instructions and then called at runtime. These C functions are stored in a separate ELF file alongside the Pyarmor-protected bytecode, Palo Alto found.

The researchers leveraged methods from the open-source Pyarmor Static Unpack One-Shot Tool, which is a fork of the pycdc Python bytecode decompiler, to help extract the necessary AES key and AES nonce to decrypt the obfuscated bytecode.

The AES key is extracted from the Pyarmor runtime dynamic-link library included in the PyInstaller package and tied to each unique Pyarmor license number. The AES nonce, by contrast, is tied to each specific payload, and is XORed using 12 bytes at the end marker of the obfuscated bytecode.

The researchers also used open-source Pyarmor v8+ tooling to map Python constants to BCC functions, helping them recover the original Python methods from the contents of the ELF file.

Strings longer than eight characters were also found to be AES-128-CTR encrypted, using the same AES key, but a separate nonce retrieved from the Pyarmor runtime DLL using the Pyarmor Static Unpack One-Shot Tool. This nonce was specific to the unique license number, rather than the individual payload.

What Discord data does VVS Stealer target?

After stripping away the different layers of the malware’s Pyarmor obfuscation, the researchers further analyzed the stealer’s capabilities. The malware first targets encrypted Discord tokens stored in the LevelDB directory, decrypts the encrypted_key value found in the Local State file via the Data Protection Application Programming Interface (DPAPI), then uses this decrypted AES key to decrypt the Discord tokens, the researchers wrote.

The tokens are used to query several Discord API endpoints, which return user information including payment methods, user ID and username, email and phone number, multi-factor authentication (MFA) status, IP address and more. These details are exfiltrated in JSON format via HTTP POST requests to webhook endpoints, allowing them to be uploaded to the attacker’s own Discord channels.

The malware intercepts additional Discord data using a JavaScript payload placed in the Discord application directory, which uses event hooks to monitor whenever the user performs actions such as viewing their backup codes, changing their password or adding a new payment method. These event hooks trigger additional data collection functions. The injected JavaScript code was noted to be obfuscated using Obfuscator.io, which was decoded using the Obfuscator.io Deobfuscator tool.

In addition to targeting Discord data, VVS Stealer also targets Chromium-based and Firefox browsers, extracting autofill data, cookies, browser history and passwords. This data is compressed into a ZIP archive and exfiltrated in a similar manner to the Discord details.
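As an added detection example (not code from Unit 42's analysis or from the stealer), the following Python flags the webhook exfiltration pattern described above when run over constructed proxy/EDR log lines; the pipe-delimited log format, the process allowlist and the size threshold are assumptions for this example.

```python
"""Flag HTTP POSTs to Discord webhook endpoints that look like stealer exfiltration.
Log lines are constructed for this example: ts|process image|method|url|request bytes."""
import re
from urllib.parse import urlparse

WEBHOOK_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}
WEBHOOK_PATH = re.compile(r"^/api/(?:v\d+/)?webhooks/\d+/[\w-]+")
# Processes expected to talk to Discord. The stealer's injected JavaScript runs inside
# Discord.exe itself, so an allowlist alone is not enough; see the size check below.
EXPECTED_IMAGES = {"discord.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
LARGE_POST_BYTES = 100_000  # assumed threshold: a browser-data ZIP dwarfs a chat message

SAMPLE_LOGS = r"""
2025-05-02T10:01:12Z|C:\Users\u\AppData\Local\Discord\app-1.0.9\Discord.exe|POST|https://discord.com/api/v9/channels/123/messages|412
2025-05-02T10:03:41Z|C:\Users\u\AppData\Local\Temp\update.exe|POST|https://discord.com/api/webhooks/1111/AbCdEf-ghi|2873
2025-05-02T10:03:42Z|C:\Users\u\AppData\Local\Temp\update.exe|POST|https://discord.com/api/webhooks/1111/AbCdEf-ghi|184231
2025-05-02T10:05:00Z|C:\Program Files\Google\Chrome\Application\chrome.exe|GET|https://discord.com/api/v9/users/@me|0
2025-05-02T10:07:30Z|C:\Users\u\AppData\Local\Discord\app-1.0.9\Discord.exe|POST|https://discordapp.com/api/webhooks/2222/XyZ|196440
2025-05-02T10:08:13Z|C:\Windows\System32\svchost.exe|POST|https://example.com/api|90
"""


def is_webhook_url(url: str) -> bool:
    """True for the discord.com/api/webhooks/<id>/<token> endpoint family."""
    p = urlparse(url)
    return p.hostname in WEBHOOK_HOSTS and bool(WEBHOOK_PATH.match(p.path))


def parse_line(line: str) -> dict:
    ts, image, method, url, size = line.split("|")
    return {"ts": ts, "image": image, "method": method, "url": url, "bytes": int(size)}


def detect_webhook_exfil(log_text: str) -> list:
    """Return (line number, reason) for each suspicious webhook POST."""
    alerts = []
    for n, raw in enumerate(log_text.strip().splitlines(), 1):
        ev = parse_line(raw)
        if ev["method"] != "POST" or not is_webhook_url(ev["url"]):
            continue
        exe = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if exe not in EXPECTED_IMAGES:
            alerts.append((n, f"webhook POST from unexpected process {exe}"))
        elif ev["bytes"] >= LARGE_POST_BYTES:
            # Catches exfil driven from inside the Discord client (injected JS).
            alerts.append((n, f"large webhook POST ({ev['bytes']} bytes) from {exe}"))
    return alerts


if __name__ == "__main__":
    for line_no, reason in detect_webhook_exfil(SAMPLE_LOGS):
        print(f"line {line_no}: {reason}")
```

In the constructed sample, lines 2, 3 and 5 are flagged: two POSTs from a Temp-folder executable and one oversized POST sent from the Discord client itself.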

VVS Stealer establishes persistence by copying itself to the Startup folder, surviving system reboots and reinstallations of the Discord application. The malware also has the ability to display fake error messages using the MessageBoxW function via the Win32 API, which serve to distract the victim.

The VVS Stealer MaaS has been marketed via Telegram since at least April 2025, with its developers advertising upcoming features including cryptocurrency wallet theft and fully undetectable status, claiming the malware is currently only detected by three out of 73 antivirus products. Pricing options for the MaaS include a €20 ($23.44) monthly subscription, a €90 ($105.47) yearly subscription or a €199 ($233.21) lifetime license.

“VVS stealer demonstrates how tools like Pyarmor, which can be used for legitimate purposes, can also be leveraged to build stealthy malware aimed at hijacking credentials for popular platforms such as Discord. Its emergence signals a need for defenders to strengthen monitoring around credential theft and account abuse,” Unit 42’s analysis concludes.
