New VVS Stealer Malware Targets Discord Users via Fake System Errors
Palo Alto Networks’ new report reveals VVS Stealer uses Discord Injection and fake error messages to steal tokens and MFA codes. Protect your account from this new Python-based threat.
A new Python-based threat called VVS Stealer (or VVS $tealer) has surfaced that specifically aims to raid the accounts of Discord users. This malicious software has been circulating quietly since at least April 2025, but its inner workings were recently disclosed by security experts at Palo Alto Networks’ Unit 42.
Researchers found that the malware arrives as a PyInstaller package, which essentially means it’s ready to run on almost any Windows machine without requiring any additional setup.
Discord is the go-to hub for millions of gamers, which is exactly why it’s such a prime target. The malware’s main goal is to snatch tokens (digital keys that keep you logged in without a password), which attackers can use to access your profile, read your private messages, and even steal your billing and credit card info.
**How it Operates**
This malware is much more aggressive than a simple password stealer. It starts by popping up a fake “Fatal Error” message to trick you into a reboot, and it performs a Discord Injection, in which it modifies your Discord files and downloads a malicious script directly into your app folders. This allows the attackers to monitor your traffic as it happens, steal your backup codes or MFA status, and even intercept your login details if you try to change your password.
VVS Stealer doesn’t stop at Discord; it targets browsers, including Chrome, Edge, Brave, and Opera, to steal saved passwords, cookies, and autofill data. It even takes screenshots of your desktop. The malware then bundles this stolen data into a file named USERNAME_vault.zip and sends it to hackers using webhooks.
To keep the stolen data moving smoothly, the malware uses a specific, fixed User-Agent string (appearing as a standard Chrome 115 browser) for all its internet traffic. To avoid detection, the creators use Pyarmor (version 9.1.4 Pro) to scramble the code with AES-128-CTR encryption.
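The network indicators described above (webhook upload, a fixed Chrome 115 User-Agent, an archive named USERNAME_vault.zip) can be combined into a proxy-log check. This is an added example, not code from the article or from Unit 42; the log layout, host names, the Discord-style `/api/webhooks/` path and the two-indicator threshold are assumptions, and all sample records are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

CHROME_MAJOR = re.compile(r"Chrome/(\d+)\.")
VAULT_NAME = re.compile(r".+_vault\.zip$", re.IGNORECASE)  # USERNAME_vault.zip

def _ua(major):
    # Standard desktop Chrome User-Agent layout (constructed, not the malware's exact string).
    return ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            f"(KHTML, like Gecko) Chrome/{major}.0.0.0 Safari/537.36")

HOOK = "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER"
# Constructed records: (client, method, url, user_agent, upload_name)
SAMPLE_LOG = [
    ("ws-014", "GET", "https://example.org/news", _ua(131), ""),
    ("ws-014", "POST", HOOK, _ua(115), "alice_vault.zip"),
    ("ws-022", "POST", HOOK, "python-requests/2.32.3", "build-report.txt"),
    ("ws-031", "GET", "https://example.org/", _ua(115), ""),
]

def chrome_major(user_agent):
    m = CHROME_MAJOR.search(user_agent)
    return int(m.group(1)) if m else None

def is_webhook_post(method, url):
    # Assumption: Discord-style webhook path; adjust for other webhook services.
    return method == "POST" and urlsplit(url).path.startswith("/api/webhooks/")

def find_suspect_uploads(records):
    """Return (client, reasons) for webhook POSTs with at least two other indicators."""
    majors = defaultdict(set)
    for client, _, _, ua, _ in records:
        if (v := chrome_major(ua)) is not None:
            majors[client].add(v)
    findings = []
    for client, method, url, ua, upload in records:
        if not is_webhook_post(method, url):
            continue
        reasons = []
        if chrome_major(ua) == 115:
            reasons.append("Chrome 115 User-Agent")
            if majors[client] - {115}:
                reasons.append("host also presents another Chrome version")
        if VAULT_NAME.match(upload):
            reasons.append("upload named *_vault.zip")
        if len(reasons) >= 2:
            findings.append((client, reasons))
    return findings
```

A legitimate automation job posting to a webhook (ws-022) and an outdated but genuine Chrome 115 browser (ws-031) are not flagged; only the host that combines the indicators is.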
**Sold Like a Subscription**
Interestingly, this isn’t just a one-time attack but is being run like a business. It is sold on Telegram, where it is marketed as the ultimate stealer, Palo Alto’s blog post reveals. The prices are surprisingly low, starting at about €10 for a week of use, up to €199 for a lifetime license.
VVS Stealer Telegram Ad (Source: Unit 42)
It is worth noting that researchers at Deep Code believe a French-speaking individual is behind the operation. They’ve even identified key operators like Rly (or rlyb) and 93R (Rexko). Interestingly, Rly has been active on Discord and GitHub since 2015, showing that these attackers usually have deep roots in the communities they eventually target.
This version of the malware is programmed to expire on October 31, 2026, but it remains a very real danger until then. So, if a weird error box suddenly pops up on your screen, don’t just rush to hit restart. It might be VVS Stealer trying to plant itself firmly into your system.