VVS Discord Stealer Using Pyarmor for Obfuscation and Detect...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://unit42.paloaltonetworks.com/vvs-stealer/
• Blog Title: VVS Discord Stealer Using Pyarmor for Obfuscation and Detection Evasion
• Suggested Section: Basic Forensic Methodology -> Malware Analysis (or Specific Software/File-Type Tricks -> Decompile compiled python binaries (.pyc/PyInstaller)) ; also cross-link from Python Sandbox Escape & Pyscript -> Bypass Python sandboxes (PyArmor/PyInstaller deobfuscation is adjacent but best under malware/reversing)

🎯 Content Summary

Unit 42 provides a technical teardown of VVS ("VVS $tealer"), a Python Discord-focused infostealer marketed on Telegram as early as April 2025, with analysis published January 2, 2026. The key technical value is a repeatable workflow to extract, decompile, and statically deobfuscate PyInstaller malware protected with Pyarmor v9 (including BCC mode and AES-CTR protections), then interpret the recovered stealer behaviors.

This is not a CVE/product vulnerability; it is malware tradecraft. The impa...

🔧 Technical Details

PyInstaller raw-bytecode recovery: when a PyInstaller binary contains Python bytecode in bare marshal form, extract it with pyi-archive_viewer and rebuild a valid .pyc by restoring the missing header (at minimum the correct magic number for the embedded interpreter) so decompilers accept the file.

Pyarmor v9 static unpacking: parse the Pyarmor header (signature/license, Python version bytes, BCC indicator, embedded ELF start/end offsets, and the 12-byte CTR nonce split across header fields). Identify wrappers (LOAD_CONST pyarmor_enter*_ and LOAD_CONST pyarmor_exit*_) that surround an AES-CTR-encrypted bytecode region; then decrypt using the runtime-derived AES key and reconstruct the per-region nonce by XORing a payload-specific 12-byte XOR key with the 12 bytes at the end marker. While parsing, handle Pyarmor’s modified code objects (co_flags bit 0x20000000 and an extra length-prefixed field) and disable CPython deopt_code() to make decryption succeed. After decryption, look ...

🤖 Agent Actions

Summary:

• Added a concise PyInstaller raw-marshal recovery and Pyarmor v9 static unpacking workflow (header parsing, AES-CTR bytecode/string decryption, nonce derivation, BCC mapping) to the .pyc forensic page.
• Documented version-aware decompilation tips, Pyarmor-modified code object quirks, and handling of encrypted constants/BCC stubs.
• Updated references to include the VVS stealer/Pyarmor analysis source.

Tests:

• Not run (documentation-only changes).

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://unit42.paloaltonetworks.com/vvs-stealer/

Content Categories: Based on the analysis, this content was categorized under "Basic Forensic Methodology -> Malware Analysis (or Specific Software/File-Type Tricks -> Decompile compiled python binaries (.pyc/PyInstaller)) ; also cross-link from Python Sandbox Escape & Pyscript -> Bypass Python sandboxes (PyArmor/PyInstaller deobfuscation is adjacent but best under malware/reversing)".

Repository Maintenance:

• MD Files Formatting: 936 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0