News | unit42.paloaltonetworks.com

Inside VVS Stealer: Advanced Obfuscation Techniques Evade Detection

Monday, January 5, 2026 | 3 min read
Introduction
Discord has become one of the most popular social messaging platforms, and that popularity has turned it into a magnet for attackers. Meet VVS stealer (also sold as VVS $tealer), Python-based malware built to steal Discord credentials. It first surfaced in April 2025 on Telegram cybercrime channels, using layered obfuscation to dodge security tools while harvesting Discord tokens, browser histories and live sessions.

Technical Analysis Overview
We dug into one sample with this SHA-256 hash: c7e6591e5e021daa30f949a6f6e0699ef2935d2d7c06ea006e3b201c52666e07. It is packed with PyInstaller, a legitimate tool for bundling a Python app and its dependencies into a single executable, which malware authors use to ship a self-contained dropper. We cracked it open with PyInstaller's pyi-archive_viewer and pulled out:

  • Raw Python bytecode (vvs)
  • Pyarmor's runtime DLL (pyarmor_runtime.pyd), licensed to "vvs" under Pyarmor Pro 9.1.4
  • Python 3.11.5's core library (python311.dll)

Pyarmor mangled the bytecode header (see Figure 3), so we had to restore Python's "magic number" by hand before the dump would decompile correctly.
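
To show that header-restoration step in practice, here is an added example; it is not code from the Unit 42 write-up. It prepends a valid .pyc header to a bare marshalled code object and verifies that the result loads. The magic for the bundled Python 3.11 is the bytes a7 0d 0d 0a (a known constant, not stated on the page); the demo derives the magic from the running interpreter so it works on any version, and the marshalled module is constructed here rather than taken from the sample's vvs bytecode.

```python
import importlib.util
import marshal
import struct
import types

# Magic written by Python 3.11 (3495 little-endian followed by b"\r\n"). The sample
# ships python311.dll, so this is the header its dump needs; other versions differ.
PY311_MAGIC = b"\xa7\x0d\x0d\x0a"


def build_pyc_header(magic: bytes, mtime: int = 0, source_size: int = 0) -> bytes:
    """16-byte PEP 552 header: magic, flags=0 (timestamp validation), mtime, size."""
    return magic + struct.pack("<III", 0, mtime, source_size)


def restore_pyc(raw_marshal: bytes, magic: bytes = importlib.util.MAGIC_NUMBER) -> bytes:
    """Prepend a header so a bare marshalled code object becomes a loadable .pyc."""
    return build_pyc_header(magic) + raw_marshal


def header_matches_interpreter(pyc: bytes) -> bool:
    """True when the first four bytes are the magic of the interpreter running this."""
    return pyc[:4] == importlib.util.MAGIC_NUMBER


def load_restored(pyc: bytes) -> types.CodeType:
    """Check the magic against the running interpreter, then unmarshal the code."""
    if not header_matches_interpreter(pyc):
        raise ValueError(f"magic {pyc[:4]!r} does not match {importlib.util.MAGIC_NUMBER!r}")
    return marshal.loads(pyc[16:])


# Constructed stand-in for the dumped `vvs` bytecode: a real code object compiled here.
SAMPLE_SOURCE = "def greet(name):\n    return 'hi ' + name\n"
RAW_CODE = marshal.dumps(compile(SAMPLE_SOURCE, "vvs", "exec"))


def demo() -> str:
    """Restore the header, load the code object and call the function it defines."""
    namespace = {}
    exec(load_restored(restore_pyc(RAW_CODE)), namespace)
    return namespace["greet"]("analyst")


if __name__ == "__main__":
    print(demo())  # hi analyst
```

Write the restored bytes to vvs.pyc and hand them to a decompiler that understands 3.11 bytecode; the first four bytes must match the magic of the interpreter the decompiler was built for, which is why the loader above refuses anything else.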

Unpacking Pyarmor’s Defense Layers
VVS's creators turned Pyarmor, a commercial code-protection tool, against analysts. Here is how they did it:

  1. Bytecode encryption: chunks of the payload are encrypted with AES-128-CTR (key: 273b1b1373cf25e054a61e2cb8a947b8). Look for __pyarmor_enter_*__ and __pyarmor_exit__ markers to spot the encrypted sections (Table 2).
  2. BCC mode: critical functions, such as get_encryption_key(), are compiled into native C code (--enable-bcc). The resulting ELF files are a nightmare to disassemble.
  3. String protection: encrypted strings carry a 0x81 prefix and are decrypted on the fly with runtime-generated nonces.

It is a devious twist: Pyarmor turns Python, usually a beginner-friendly language, into a stealth tool for malware. When legitimate software masks malicious intent, attribution gets messy.
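
As an added example, not Unit 42's tooling, the scanner below walks a marshalled code object tree and reports the functions whose names table carries the __pyarmor_enter_*__ and __pyarmor_exit__ markers from layer 1, plus any bytes constants bearing the 0x81 prefix from layer 3. The numeric suffix on the enter marker and the sample module are assumptions constructed for the demo; the AES-128-CTR decryption of the chunks is done by Pyarmor's runtime and is not reproduced here.

```python
import marshal
import re
import types
from typing import Iterator, List, Tuple

# Markers named in the write-up; the numeric suffix on the enter marker is an assumption.
ENTER_RE = re.compile(r"^__pyarmor_enter_\w+__$")
EXIT_NAME = "__pyarmor_exit__"
STRING_PREFIX = b"\x81"  # leading byte of a protected string constant (layer 3)


def walk_code(code: types.CodeType) -> Iterator[types.CodeType]:
    """Yield a code object and, recursively, every nested one found in co_consts."""
    yield code
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            yield from walk_code(const)


def find_protected_functions(code: types.CodeType) -> List[Tuple[str, str, bool]]:
    """(function name, enter marker, whether the exit marker is also present)."""
    hits = []
    for co in walk_code(code):
        enters = [name for name in co.co_names if ENTER_RE.match(name)]
        if enters:
            hits.append((co.co_name, enters[0], EXIT_NAME in co.co_names))
    return hits


def find_prefixed_strings(code: types.CodeType) -> List[Tuple[str, bytes]]:
    """(function name, constant) for every bytes constant carrying the 0x81 prefix."""
    return [(co.co_name, const) for co in walk_code(code)
            for const in co.co_consts
            if isinstance(const, bytes) and const.startswith(STRING_PREFIX)]


# Constructed stand-in for the recovered vvs module: one wrapped function, one plain one.
SAMPLE_SOURCE = '''
def get_encryption_key():
    __pyarmor_enter_60000__()
    key = b"\\x81secret"
    __pyarmor_exit__()
    return key

def helper():
    return 1
'''
# Round-trip through marshal so the scanner sees exactly what a dumped module looks like.
SAMPLE_CODE = marshal.loads(marshal.dumps(compile(SAMPLE_SOURCE, "vvs", "exec")))


if __name__ == "__main__":
    print(find_protected_functions(SAMPLE_CODE))
    print(find_prefixed_strings(SAMPLE_CODE))
```

On a real dump, load the code object with marshal.loads (after the header repair above) and feed it to both functions; functions that appear with an enter marker but no exit marker are the ones whose tail end needs a closer look.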

Revealing VVS Stealer’s Arsenal
After peeling back Pyarmor’s layers, we found a streamlined attack chain built for persistence and silent theft:

Discord Data Theft
VVS rifles through Discord's LevelDB files (.ldb/.log) hunting for encrypted tokens (which start with dQw4w9WgXcQ:). It decrypts them with the AES-GCM key that Discord protects through Windows DPAPI, then hits Discord's APIs to steal:

  • User logins, MFA status, payment details
  • Friends lists, IP addresses, subscription info

All of this is bundled into JSON payloads and posted to Discord webhooks.
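
An added example, not code from the original post, that locates encrypted tokens in raw LevelDB bytes and splits each into the nonce, ciphertext and GCM tag that decryption needs. The payload layout after base64 decoding (a v10 tag, 12-byte nonce, ciphertext, 16-byte tag) follows Chromium's os_crypt format and is an assumption not stated on the page; the LevelDB record is constructed inline and its ciphertext is filler, so no real token is recovered and no DPAPI or AES-GCM call is made.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List

TOKEN_PREFIX = b"dQw4w9WgXcQ:"
# Assumed layout of the base64 payload (Chromium os_crypt style, not stated on the page):
#   b"v10" | 12-byte AES-GCM nonce | ciphertext | 16-byte GCM tag
VERSION_TAG = b"v10"
NONCE_LEN = 12
TAG_LEN = 16
TOKEN_RE = re.compile(re.escape(TOKEN_PREFIX) + rb"([A-Za-z0-9+/=]{40,})")


@dataclass
class EncryptedToken:
    offset: int          # where the prefix sits in the scanned file
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def split_encrypted_token(b64: bytes, offset: int = 0) -> EncryptedToken:
    """Decode one prefixed payload and split it into the pieces AES-GCM needs."""
    raw = base64.b64decode(b64, validate=True)
    minimum = len(VERSION_TAG) + NONCE_LEN + TAG_LEN + 1
    if not raw.startswith(VERSION_TAG) or len(raw) < minimum:
        raise ValueError("payload is not a v10 AES-GCM blob")
    body = raw[len(VERSION_TAG):]
    return EncryptedToken(offset, body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:])


def find_encrypted_tokens(data: bytes) -> List[EncryptedToken]:
    """Scan raw .ldb/.log bytes; skip prefix hits whose payload is malformed."""
    found = []
    for match in TOKEN_RE.finditer(data):
        try:
            found.append(split_encrypted_token(match.group(1), match.start()))
        except (ValueError, binascii.Error):
            continue
    return found


def constructed_leveldb_record() -> bytes:
    """Constructed stand-in for a LevelDB record; the ciphertext is filler, not a token."""
    nonce = bytes(range(NONCE_LEN))
    ciphertext = b"\xaa" * 59
    tag = b"\xbb" * TAG_LEN
    good = base64.b64encode(VERSION_TAG + nonce + ciphertext + tag)
    bad = base64.b64encode(b"x" * 40)  # valid base64 but no v10 tag: must be skipped
    return (b"\x00\x01_https://discord.com\x00\x01token\x01\"" + TOKEN_PREFIX + good
            + b"\"\x00junk " + TOKEN_PREFIX + bad + b" more\x00")


def demo() -> List[EncryptedToken]:
    return find_encrypted_tokens(constructed_leveldb_record())


if __name__ == "__main__":
    for token in demo():
        print(token.offset, token.nonce.hex(), len(token.ciphertext), token.tag.hex())
```

The scan is deliberately tolerant: the prefix is the only cheap signal in a LevelDB file, so anything that fails base64 or lacks the v10 tag is dropped rather than treated as a find. Decryption itself needs the DPAPI-unwrapped key from Discord's Local State and an AES-GCM implementation, which is exactly the step the stealer performs on the victim's own machine.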

Session Hijacking via Injection
VVS terminates running Discord processes and swaps core files for injection-obf.js, which:

  • Plants persistence via Electron framework tweaks
  • Hijacks password changes and backup codes
  • Spies on traffic using Chrome DevTools

Screenshots (Figures 9–11) show how it targets billing info.

Browser Data Harvesting
It targets 17 browsers, including Chrome, Firefox, Brave and Torch, to plunder passwords, cookies, histories and autofill data. Everything is packed into <USERNAME>_vault.zip and shipped to attacker servers.

Evasion and Persistence
How does VVS stick around? It copies itself into %APPDATA%\Microsoft\...\Startup and shows victims a fake "critical error" alert (Figure 12). But it has an endgame: it stops working after October 31, 2026. Think of it as malware with an expiration date.

Exposure Implications
Why is this scary? Crooks are hijacking legitimate tools like Pyarmor to blindside security systems. VVS slips past defenses until it is too late: credentials vanish, unlocking fraud and identity theft. Discord's gamers and developers are prime targets.

Palo Alto Networks Protection
Defenses are already rolling:

  • Advanced WildFire spots obfuscated payloads using updated ML models
  • Advanced URL Filtering/DNS Security block known malicious webhooks
  • Cortex XDR/XSIAM traps execution chains with behavioral analysis

Staying ahead means recognizing that Pyarmor cuts both ways: crooks exploit code protection for stealth. As Python malware booms, defenders must punch through obfuscation with dynamic analysis, because static signatures alone are not cutting it.

If you think you might be compromised, Unit 42 is available:
North America: +1 (866) 486-4842 | UK: +44.20.3743.3660


Indicators of Compromise
SHA-256 Hashes:
307d9cefa7a3147eb78c69eded273e47c08df44c2004f839548963268d19dd87
7a1554383345f31f3482ba3729c1126af7c1d9376abb07ad3ee189660c166a2b
c7e6591e5e021daa30f949a6f6e0699ef2935d2d7c06ea006e3b201c52666e07

Additional Resources

  • Unpacking Pyarmor v8+ scripts – Leonard Rapp and Hendrik Eckardt, G DATA
  • Obfuscated Malicious Python Scripts with PyArmor – Xavier Mertens, SANS ISC