A new Python-based malware, dubbed SolyxImmortal, has emerged, targeting Windows systems with sophisticated data-stealing capabilities. First observed in January 2026, this information-stealing malware prioritizes stealthy, long-term surveillance over destructive actions, silently harvesting sensitive data like credentials, documents, and keystrokes. Attackers are leveraging Discord webhooks to exfiltrate this stolen information, a technique that exploits the platform’s legitimate infrastructure for covert communication.
SolyxImmortal operates as a persistent implant designed for continuous monitoring. The malware is distributed disguised as a seemingly innocuous Python script, often named “Lethalcompany.py.” Once executed on a target system, it establishes persistence through multiple means and initiates background surveillance threads. Notably, the malware focuses solely on data collection from a single compromised device, eschewing lateral movement or self-propagation to maintain a low profile and achieve prolonged access to user activity.
SolyxImmortal: A Stealthy Data Harvest Machine
According to analysis by Cyfirma, SolyxImmortal represents a notable advancement in the landscape of information-stealing malware. Its design incorporates advanced techniques, including the utilization of legitimate Windows APIs and the abuse of trusted platforms for command-and-control (C2) communication. This approach demonstrates a growing trend among threat actors to integrate malicious activities into seemingly legitimate system functions and external services, making detection more challenging.
The malware’s operational maturity is evident in its emphasis on reliability and stealth. By employing Discord webhooks for data exfiltration, attackers can effectively leverage the platform’s inherent reputation and HTTPS encryption to bypass network-based security measures. This strategy highlights how adversaries are increasingly weaponizing popular services to mask their malicious operations and evade security scrutiny, posing a significant challenge for cybersecurity defenses.
Persistence Mechanism and Browser Credential Theft
To ensure its persistent presence on an infected system, SolyxImmortal employs a multi-faceted persistence mechanism. The malware copies itself to a hidden directory within the user’s AppData folder, often renaming itself to mimic a legitimate Windows component. Subsequently, it registers itself within the Windows Registry’s Run key. This action guarantees that the malware automatically executes each time a user logs into the system, bypassing the need for administrative privileges and ensuring continuous operation even after reboots.
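A defender can hunt for the persistence pattern described above (a Run-key value that launches a Python interpreter against a script hidden under AppData) with a small audit. The following is an added example, not code from the article or from Cyfirma: it scores each Run-key value by how many of those traits it carries, reads the live HKCU Run key via the standard-library winreg module when run on Windows, and otherwise falls back to constructed sample entries whose names and paths are placeholders, not real indicators.

```python
"""Audit HKCU Run-key autostart entries for the traits described in the
article: a Python interpreter launching a .py/.pyw script that lives under a
hidden AppData directory.  Added defensive example; sample entries below are
constructed placeholders, not real indicators of compromise."""
import re
import sys
from dataclasses import dataclass, field

INTERPRETER = re.compile(r"\b(python|pythonw)(3(\.\d+)?)?\.exe\b", re.I)
SCRIPT = re.compile(r"\.pyw?\b", re.I)
APPDATA = re.compile(r"\\AppData\\(Local|Roaming|LocalLow)\\", re.I)


@dataclass
class Finding:
    name: str
    command: str
    reasons: list = field(default_factory=list)


def assess_entry(name, command):
    """Return the list of suspicious traits found in one Run-key value."""
    reasons = []
    if INTERPRETER.search(command):
        reasons.append("launched via a Python interpreter")
    if SCRIPT.search(command):
        reasons.append("targets a .py/.pyw script")
    if APPDATA.search(command):
        reasons.append("interpreter or script lives under AppData")
    if "pythonw" in command.lower():
        reasons.append("pythonw.exe hides the console window")
    return reasons


def audit(entries, min_reasons=2):
    """entries: iterable of (value_name, command) pairs from the Run key.
    Only entries with at least min_reasons traits are reported, so a normal
    AppData-installed application (one trait) is not flagged on its own."""
    findings = []
    for name, cmd in entries:
        reasons = assess_entry(name, cmd)
        if len(reasons) >= min_reasons:
            findings.append(Finding(name, cmd, reasons))
    return findings


def read_run_key_windows():
    """Enumerate HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run on a
    live Windows host using the standard-library winreg module."""
    import winreg  # only importable on Windows
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    out = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        index = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            out.append((name, str(value)))
            index += 1
    return out


# Constructed sample entries (placeholder user, paths and names).
SAMPLE_ENTRIES = [
    ("OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("WindowsUpdateHelper",
     r'"C:\Users\alice\AppData\Local\Programs\Python\Python312\pythonw.exe" '
     r'"C:\Users\alice\AppData\Roaming\.cache\WindowsUpdateHelper.py"'),
    ("SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    entries = read_run_key_windows() if sys.platform == "win32" else SAMPLE_ENTRIES
    for f in audit(entries):
        print(f"[!] {f.name}: {f.command}")
        for reason in f.reasons:
            print("      -", reason)
```

The two-trait threshold is the design choice worth noting: a single trait such as "runs from AppData" describes many legitimate per-user installers, whereas a Python interpreter launching a script from a hidden AppData directory matches the loader pattern the article describes and is rare in a normal user profile. Extend the same check to the HKLM Run key and the Startup folder when you have the privileges to read them.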
SolyxImmortal takes a keen interest in browser-stored credentials, targeting popular browsers such as Chrome, Edge, Brave, and Opera GX. It reads each browser's profile directory to extract sensitive information, using the Windows Data Protection API (DPAPI) to unwrap the master encryption key the browser keeps there, and then uses that key to decrypt the stored credentials, which the browsers protect with AES-GCM. The recovered credentials are staged in plaintext prior to exfiltration, indicating a lack of robust local security measures protecting this sensitive data once the browser's key has been unwrapped.
In addition to credentials, the malware actively harvests documents from the user’s system. It scans the user’s home directory for files with common document extensions, including .pdf, .docx, and .xlsx. To optimize network usage and reduce the likelihood of detection, SolyxImmortal filters these results based on file size, presumably to avoid transmitting overly large or unnecessary files. All collected sensitive information, including credentials and documents, is then compressed into a ZIP archive. This archive is subsequently transmitted to attacker-controlled Discord webhooks, completing the data theft lifecycle.
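The exfiltration channel described in this section and earlier on the page (a ZIP archive posted to an attacker-controlled Discord webhook over HTTPS) leaves a usable trace at the network boundary even though the traffic is encrypted and the destination is reputable: a proxy or TLS-inspecting gateway still sees the method, host, URL path and request size. The following is an added example, not code from the article or from Cyfirma: it parses a simplified, constructed proxy-log format (timestamp, source, method, URL, status, bytes sent, content type), flags POSTs to Discord's webhook API path, and rates them higher when the body is an archive, a multipart file upload, or simply large. The webhook id and token in the sample lines are placeholders.

```python
"""Flag outbound Discord-webhook uploads in proxy logs.  Added defensive
example; the log format and every line in SAMPLE_LOG are constructed for
illustration, with placeholder webhook ids and tokens."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Real webhook URLs have the form https://discord.com/api/webhooks/<id>/<token>.
WEBHOOK_PATH = re.compile(r"^/api/webhooks/\d+/[A-Za-z0-9_\-]+")
DISCORD_HOSTS = {"discord.com", "discordapp.com", "canary.discord.com", "ptb.discord.com"}
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed", "application/octet-stream"}
LARGE_UPLOAD = 256 * 1024  # bytes; tune to your environment

# Constructed log layout: ts src method url status bytes_out "content-type"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes_out>\d+) "(?P<ctype>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def is_webhook_post(rec):
    """True when the request is a POST to a Discord webhook endpoint."""
    if rec["method"] != "POST":
        return False
    u = urlparse(rec["url"])
    return u.hostname in DISCORD_HOSTS and WEBHOOK_PATH.match(u.path) is not None


def classify(rec):
    """Severity for one record: 'high' for archive/multipart/large bodies,
    'medium' for any other webhook POST, None if not a webhook POST."""
    if not is_webhook_post(rec):
        return None
    mime = rec["ctype"].split(";")[0].strip().lower()
    file_upload = mime in ARCHIVE_TYPES or mime == "multipart/form-data"
    if file_upload or rec["bytes_out"] >= LARGE_UPLOAD:
        return "high"
    return "medium"


def analyze(lines):
    """Group every flagged record by source address: {src: [(severity, rec)]}."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        severity = classify(rec)
        if severity:
            hits[rec["src"]].append((severity, rec))
    return dict(hits)


# Constructed sample traffic: one ordinary API call, a small JSON beacon,
# a multi-megabyte multipart upload, an unrelated host, and a malformed line.
SAMPLE_LOG = """\
2026-01-14T09:12:03Z 10.0.0.21 GET https://discord.com/api/v9/users/@me 200 0 ""
2026-01-14T09:12:44Z 10.0.0.21 POST https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN 204 1473 "application/json"
2026-01-14T09:13:10Z 10.0.0.21 POST https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN 200 3184622 "multipart/form-data; boundary=abc"
2026-01-14T09:13:12Z 10.0.0.37 POST https://example.com/api/webhooks/1/hook 200 512 "application/json"
not a log line
"""

if __name__ == "__main__":
    for src, events in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {len(events)} webhook POST(s)")
        for severity, rec in events:
            print(f"  [{severity}] {rec['ts']} {rec['bytes_out']} bytes {rec['ctype']!r}")
```

In a real deployment the interesting signal is the combination: a workstation that never otherwise talks to Discord, a POST to the webhook path rather than the ordinary client API, and a request body in the megabyte range matching a ZIP upload. Blocking the webhook path outright at the proxy is a reasonable control where the business has no use for it, since legitimate Discord clients do not post to that endpoint.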
The emergence and capabilities of SolyxImmortal underscore the evolving tactics of cybercriminals, who are increasingly sophisticated in their methods of data exfiltration and evasion. The reliance on legitimate services like Discord for C2 communication poses a persistent challenge for defenders. Organizations and individuals should remain vigilant: keep systems updated, deploy robust endpoint detection and response (EDR) solutions, and educate users about the risks of executing suspicious files and of phishing attempts.