VVS Discord Stealer Using PyArmor for Obfuscation and Detection Evasion

    Date: 01/05/2026

    Severity: High

    Summary

    This article presents a technical analysis of the VVS stealer (also known as VVS $tealer), focusing on its obfuscation and evasion techniques. Written in Python, the malware targets Discord users by exfiltrating credentials and authentication tokens. VVS stealer was actively developed and advertised for sale on Telegram as early as April 2025. Its code is obfuscated using PyArmor, a tool designed to hinder static analysis and signature-based detection. While PyArmor has legitimate uses, it is increasingly abused to create stealthy malware. The article explains how VVS stealer samples were deobfuscated to better understand their functionality.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://ptb.discord.com/api/webhooks/1360401843963826236/TkFvXfHFXrBIKT3EaqekJefvdvt39XTAxeOIWECeSrBbNLKDR5yPcn75uIqKEzdfs9o2

    https://ptb.discord.com/api/webhooks/1360259628440621087/YCo9eVnIBOYSMn8Xr6zX5C7AJF22z26WljaJk4zr6IiThnUrVyfWCZYs6JjSC12IC8c0

    Hashes (SHA-256):

    307d9cefa7a3147eb78c69eded273e47c08df44c2004f839548963268d19dd87

    7a1554383345f31f3482ba3729c1126af7c1d9376abb07ad3ee189660c166a2b

    c7e6591e5e021daa30f949a6f6e0699ef2935d2d7c06ea006e3b201c52666e07

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://ptb.discord.com/api/webhooks/1360401843963826236/TkFvXfHFXrBIKT3EaqekJefvdvt39XTAxeOIWECeSrBbNLKDR5yPcn75uIqKEzdfs9o2" or url like "https://ptb.discord.com/api/webhooks/1360401843963826236/TkFvXfHFXrBIKT3EaqekJefvdvt39XTAxeOIWECeSrBbNLKDR5yPcn75uIqKEzdfs9o2" or siteurl like "https://ptb.discord.com/api/webhooks/1360401843963826236/TkFvXfHFXrBIKT3EaqekJefvdvt39XTAxeOIWECeSrBbNLKDR5yPcn75uIqKEzdfs9o2" or domainname like "https://ptb.discord.com/api/webhooks/1360259628440621087/YCo9eVnIBOYSMn8Xr6zX5C7AJF22z26WljaJk4zr6IiThnUrVyfWCZYs6JjSC12IC8c0" or url like "https://ptb.discord.com/api/webhooks/1360259628440621087/YCo9eVnIBOYSMn8Xr6zX5C7AJF22z26WljaJk4zr6IiThnUrVyfWCZYs6JjSC12IC8c0" or siteurl like "https://ptb.discord.com/api/webhooks/1360259628440621087/YCo9eVnIBOYSMn8Xr6zX5C7AJF22z26WljaJk4zr6IiThnUrVyfWCZYs6JjSC12IC8c0"

    Detection Query 2:

    sha256hash IN ("307d9cefa7a3147eb78c69eded273e47c08df44c2004f839548963268d19dd87","7a1554383345f31f3482ba3729c1126af7c1d9376abb07ad3ee189660c166a2b","c7e6591e5e021daa30f949a6f6e0699ef2935d2d7c06ea006e3b201c52666e07")
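    The two queries above match indicators as exact strings. As an added example (not part of this advisory or the Unit 42 report), the following Python applies the same indicators to a few constructed log lines, keying on the numeric Discord webhook ID rather than the full URL (so a truncated or differently hosted URL still fires) and normalizing hash case before comparison. The log line formats are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Indicators copied from the IOC list in this advisory.
WEBHOOK_URLS = {
    "https://ptb.discord.com/api/webhooks/1360401843963826236/TkFvXfHFXrBIKT3EaqekJefvdvt39XTAxeOIWECeSrBbNLKDR5yPcn75uIqKEzdfs9o2",
    "https://ptb.discord.com/api/webhooks/1360259628440621087/YCo9eVnIBOYSMn8Xr6zX5C7AJF22z26WljaJk4zr6IiThnUrVyfWCZYs6JjSC12IC8c0",
}
SHA256_IOCS = {
    "307d9cefa7a3147eb78c69eded273e47c08df44c2004f839548963268d19dd87",
    "7a1554383345f31f3482ba3729c1126af7c1d9376abb07ad3ee189660c166a2b",
    "c7e6591e5e021daa30f949a6f6e0699ef2935d2d7c06ea006e3b201c52666e07",
}

# Key on the webhook ID (path segment after /api/webhooks/). The token that
# follows it is often truncated or redacted in proxy logs, and the same
# webhook is reachable via discord.com, ptb.discord.com and canary.discord.com.
WEBHOOK_IDS = {urlparse(u).path.split("/")[3] for u in WEBHOOK_URLS}
WEBHOOK_RE = re.compile(r"discord(?:app)?\.com/api/webhooks/(\d+)")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def match_line(line: str) -> list[tuple[str, str]]:
    """Return (indicator_type, value) hits found in one log line."""
    hits = []
    for m in WEBHOOK_RE.finditer(line):
        if m.group(1) in WEBHOOK_IDS:
            hits.append(("webhook_id", m.group(1)))
    for m in SHA256_RE.finditer(line):
        if m.group(0).lower() in SHA256_IOCS:  # EDR tools differ in hash case
            hits.append(("sha256", m.group(0).lower()))
    return hits


def scan(lines):
    """Return (line_number, hit) pairs for every indicator match."""
    return [(n, h) for n, line in enumerate(lines, 1) for h in match_line(line)]


# Constructed sample telemetry for this example; not real logs.
SAMPLE_LOGS = [
    'proxy method=POST url="https://ptb.discord.com/api/webhooks/1360401843963826236/TkFvXfHFXrBIKT3EaqekJefvdvt39XTAxeOIWECeSrBbNLKDR5yPcn75uIqKEzdfs9o2"',
    'proxy method=POST url="https://discord.com/api/webhooks/1111111111111111111/placeholder-benign-token"',
    "edr event=FileCreate name=setup.exe sha256=307D9CEFA7A3147EB78C69EDED273E47C08DF44C2004F839548963268D19DD87",
    "edr event=FileCreate name=empty.txt sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
]

if __name__ == "__main__":
    for line_no, hit in scan(SAMPLE_LOGS):
        print(f"line {line_no}: {hit[0]} {hit[1]}")
```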


    Reference:

    https://unit42.paloaltonetworks.com/vvs-stealer/


    Tags

    Malware, Discord, Exfiltration, Stealer, Telegram, PyArmor
