Overview
- Palo Alto Networks researchers detail a PyInstaller-packed stealer protected with Pyarmor in BCC mode and AES-128-CTR, which they reversed to recover core Python logic.
- The malware searches for and decrypts Discord tokens, then queries Discord APIs to gather account details, billing information, MFA status, IP data and system metadata.
- It performs Discord client injection by deploying an obfuscated JavaScript payload, enabling session hijacking and traffic monitoring via the Chrome DevTools Protocol.
- Beyond Discord, it steals browser data from Chromium- and Firefox-based browsers, captures screenshots, compresses the haul as USERNAME_vault.zip and sends it to preset webhook URLs.
- Marketed on Telegram with tiers from €10 per week to €199 lifetime, the analyzed build uses a fixed Chrome user agent, persists via the Startup folder with fake “Fatal Error” prompts, and is set to stop functioning after October 31, 2026.