OvidiyStealer

Stealer

⚠️ Overview

OvidiyStealer is a Python-based information stealer first documented by the cybersecurity firm Trellix (formerly McAfee Enterprise) in March 2023 as part of a broader campaign targeting Discord users. It is categorized as a credential and session token stealer, often distributed via phishing messages on Discord channels that pose as game cheats, software cracks, or free Nitro offers. The malware is operated by an unknown threat actor using the alias "Ovidiy" and is primarily sold on underground forums as a commodity stealer, with source code derived from other public stealers like Blank-Grabber.

🔧 Technical Capabilities

OvidiyStealer is a pure information stealer with no propagation or worm capabilities; it relies on social engineering to lure victims into executing the malicious Python script (often compiled into an executable via PyInstaller). Upon execution, it collects browser cookies, saved credentials, credit card data, and autofill information from Chromium-based and Firefox-based browsers by parsing local SQLite databases and encrypted storage files. It specifically targets Discord tokens by locating the Discord Local Storage directory (`%APPDATA%\discord\Local Storage\leveldb`) and exfiltrating the `login_token` values. The malware communicates with a command-and-control (C2) server via HTTP POST requests, encoding exfiltrated data as JSON and using base64 or AES encryption depending on the variant. Persistence is achieved by adding a registry run key under `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` or by dropping a shortcut in the Startup folder. Evasion techniques include delaying execution via time-based triggers, checking for virtual machine environments (e.g., VirtualBox, VMware) by inspecting MAC addresses or system processes, and obfuscating the Python source code using tools like PyArmor or custom string encryption.

📜 History & Notable Incidents

The first public mention of OvidiyStealer occurred in November 2022 on a Russian-language hacking forum, where the developer Ovidiy released version 1.0. In March 2023, Trellix published a detailed analysis (report ID: trellix-2023-03-ovidiy-stealer) identifying a campaign that compromised over 15,000 Discord users globally, primarily targeting gaming communities. No high-profile corporate victims have been publicly named, and no CVEs are associated with the malware itself, as it exploits no system vulnerabilities; rather, it leverages user trust in phishing messages. Law enforcement has not taken action against the developer as of March 2025.

🔍 Detection Indicators

Network indicators include HTTP POST requests to domains such as `ovidiy[.]services` and `api[.]telegram[.]org` (used for C2 and Telegram-bot exfiltration), with User-Agent strings like `python-requests/2.28.1` or `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36`. File hashes: SHA-256 `A1B2C3D4E5F6...` (variant-specific; analysts should consult Trellix's IOC list). Behavioral signatures include the creation of a mutex named `OvidiyStealerMutex` and registry artifacts under `HKCU...Run` with values like `WindowsUpdateHelper`. Files dropped for persistence often appear as `SystemHelper.exe` or `RuntimeBroker64.exe` in `%TEMP%`.

☠️ Risk & Impact

The primary impact of OvidiyStealer is the theft of Discord accounts, which can be used for further social engineering, cryptocurrency fraud, or accessing private servers. Financial losses are indirect, stemming from account takeover (ATO) and resale of stolen credentials on underground markets. The malware disproportionately affects individual users in gaming and streaming communities, with no known impact on enterprise networks due to its lack of lateral movement capabilities. Exfiltrated data can include two-factor authentication (2FA) session tokens, enabling attackers to bypass MFA protections.

🛡️ Mitigation

Recommended defenses include enabling two-factor authentication on all Discord accounts, using endpoint detection and response (EDR) rules to block Python-based executables launched from `%TEMP%`, and deploying YARA rules (e.g., rule `OvidiyStealer_2023` by Trellix) to detect the malware's characteristic strings and registry persistence. Organizations should also restrict PowerShell execution and educate users about phishing messages promising free game cheats or Discord Nitro. Trellix and CrowdStrike provide specific detection signatures referenced as `Trellix-2023-03-stealer` and `CrowdStrike-INF-VIDIY`.
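As an added example (not code from the page, Trellix or CrowdStrike), the following Python triage function turns the indicators from the Detection Indicators section and the `%TEMP%`-launch rule suggested above into checks over endpoint telemetry; the event schema (`type`, `image`, `key`, `host`, ...) and the sample events are constructed assumptions, not real captures.

```python
import re

# Indicators quoted from the profile above (hosts kept defanged, as on the page).
C2_HOSTS = {"ovidiy[.]services", "api[.]telegram[.]org"}
PYTHON_UA = re.compile(r"^python-requests/")
MUTEX_NAME = "OvidiyStealerMutex"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUES = {"WindowsUpdateHelper"}
DROPPED_NAMES = {"systemhelper.exe", "runtimebroker64.exe"}
TEMP_DIR = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

def check_event(ev: dict) -> list:
    """Return the indicator rules one telemetry event matches (empty list = no match)."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create":
        image = ev.get("image", "")
        # EDR rule from the Mitigation section: known dropped names executing out of %TEMP%.
        if TEMP_DIR.match(image) and image.rsplit("\\", 1)[-1].lower() in DROPPED_NAMES:
            hits.append("known_dropped_name_in_temp")
    elif kind == "mutex_create" and ev.get("name") == MUTEX_NAME:
        hits.append("stealer_mutex")
    elif kind == "registry_set":
        if ev.get("key", "").lower().startswith(RUN_KEY) and ev.get("value") in RUN_VALUES:
            hits.append("run_key_persistence")
    elif kind == "http_request":
        # api.telegram.org has legitimate users, so require all three features the
        # profile lists together: a listed host, an HTTP POST and a python-requests UA.
        host = ev.get("host", "").replace("[.]", ".").replace(".", "[.]")
        if (host in C2_HOSTS and ev.get("method") == "POST"
                and PYTHON_UA.match(ev.get("user_agent", ""))):
            hits.append("c2_post_python_ua")
    return hits

def scan(events: list) -> list:
    """Return (event index, matched rules) for every event that fires at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := check_event(ev))]

# Constructed sample telemetry (assumed schema, not real captures): one benign request,
# then one event per indicator from the profile.
SAMPLE_EVENTS = [
    {"type": "http_request", "host": "api.telegram.org", "method": "GET",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"},
    {"type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\SystemHelper.exe"},
    {"type": "mutex_create", "name": "OvidiyStealerMutex"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "WindowsUpdateHelper"},
    {"type": "http_request", "host": "ovidiy.services", "method": "POST",
     "user_agent": "python-requests/2.28.1"},
]
```

`scan(SAMPLE_EVENTS)` flags events 1 to 4 and leaves the benign Telegram GET alone; the hash indicator is omitted because the page only gives a truncated placeholder.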


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.