A newly identified malware strain, SolyxImmortal, is raising alarms among cybersecurity researchers for its stealthy ability to steal sensitive data from Windows systems while leveraging Discord as a covert data exfiltration channel.
This Python-based information stealer targets browser credentials, files, and keystrokes, with a particular focus on Turkish users, according to threat intelligence findings from Cyfirma. Its combination of continuous surveillance and real-time exfiltration makes it a notable addition to the growing landscape of infostealer malware.
Key Details
SolyxImmortal is designed to operate silently in the background while systematically collecting valuable user data.
Key characteristics include:
- Written entirely in Python using standard libraries
- Uses Discord webhooks for data exfiltration
- Targets Chromium browsers and Firefox
- Focuses on Turkish-language banking and email platforms
- Capable of keylogging and automated screenshots
The malware deploys quickly upon execution and immediately sets up persistence to ensure long-term access.
Technical Analysis
Persistence and Execution
Once executed, SolyxImmortal establishes persistence by:
- Copying itself into %APPDATA%\WindowsGraphics\
- Creating a registry entry at HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsGfxDriver
This ensures the malware launches automatically every time the user logs in.
Credential Theft from Browsers
The malware targets Chromium-based browsers (such as Chrome, Edge) by:
- Extracting encryption keys from the Local State file
- Accessing SQLite login databases
- Decrypting stored credentials into plaintext
Stolen credentials are saved locally in a file named sifreler.txt (Turkish for “passwords”).
Additionally, SolyxImmortal extracts:
- Firefox cookies
- Browsing session data
This aligns with MITRE ATT&CK T1555 (Credentials from Password Stores).
File Harvesting
The malware searches for sensitive documents, including:
- Text files
- PDFs
- Word documents
- Excel spreadsheets
To optimize exfiltration:
- Only files between 100 bytes and 10 MB are selected
- System directories are ignored
- Focus remains on user-generated data
Collected data is staged in a temporary directory:
%TEMP%\Solyx_Pack_Final
Keylogging and Screen Surveillance
SolyxImmortal includes a continuous keylogger:
- Captures all keystrokes
- Buffers data locally
- Sends logs every 60 seconds via JSON payloads
The malware also performs:
- Routine screenshots every 2 minutes
- Immediate screenshots when specific keywords appear in the active window (e.g., banking portals, Gmail)
These screenshots are flagged and exfiltrated with high-priority alerts, providing attackers with real-time visibility into user activity.
Discord-Based Data Exfiltration
Instead of traditional C2 infrastructure, SolyxImmortal uses Discord webhooks for communication.
This allows attackers to:
- Blend malicious traffic with legitimate platform usage
- Avoid detection by traditional network defenses
- Receive data in near real-time
This technique reflects a broader trend of abusing trusted platforms for covert operations.
Impact and Risks
Affected Targets
- Primarily Turkish users
- Individuals using Chromium-based browsers
- Users storing sensitive documents locally
Potential Impact
Compromised systems may face:
- Theft of browser credentials and login data
- Exposure of sensitive documents
- Continuous monitoring via keylogging and screenshots
- Credential reuse attacks against other services
Because the malware runs silently and continuously, victims may remain unaware while data is actively exfiltrated.
Why It’s Dangerous
- Uses legitimate Python libraries (low detection footprint)
- Abuses trusted platforms (Discord)
- Executes multi-threaded surveillance without disruption
- Targets high-value user activity (banking, email)
Expert Recommendations
1. Monitor Endpoint Activity
- Detect unusual Python execution patterns
- Monitor processes accessing browser data stores
2. Restrict Discord Traffic
- Limit outbound webhook communication where unnecessary
- Monitor for abnormal data uploads to messaging platforms
3. Secure Browser Data
- Clear stored passwords regularly
- Use hardware-backed password managers
4. Deploy Endpoint Protection
- Use EDR solutions to detect:
  - Keylogging behavior
  - Suspicious file staging
  - Registry persistence mechanisms
5. Raise User Awareness
- Warn users about suspicious downloads or scripts
- Highlight risks of unofficial software and tools
6. Conduct Threat Hunting
- Look for IOCs such as:
  - Suspicious registry keys
  - Temporary staging folders
  - Known malware hashes
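As an added hunting example (not Cyfirma's code and nothing taken from the malware itself), the following Python turns the host and network indicators from the technical analysis above (the Run key, the staging folders, sifreler.txt, a Python interpreter reading browser stores, and webhook posts to Discord from a non-Discord process) into rules and runs them over constructed telemetry events. The event fields (type, image, path, target, url) are simplified assumptions, not a real Sysmon or EDR schema.

```python
"""Hunting rules for the SolyxImmortal indicators named in this article, run over
constructed telemetry events (added example, not Cyfirma's code; the event field
names are simplified assumptions, not a real Sysmon or EDR schema)."""
import re

# Indicators taken from the article's technical analysis (compared case-insensitively).
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsGfxDriver".lower()
STAGING_DIRS = (r"\windowsgraphics", r"\solyx_pack_final")
BROWSER_STORES = ("login data", "local state", "cookies.sqlite")
WEBHOOK_RE = re.compile(r"discord(app)?\.com/api/webhooks/", re.IGNORECASE)

def detect(event):
    """Return the rule names that fire for one event dict."""
    kind = event.get("type")
    image = event.get("image", "").lower()
    path = event.get("path", "").lower()
    hits = []
    if kind == "registry_set" and event.get("target", "").lower() == RUN_KEY:
        hits.append("persistence_run_key")  # autorun entry that relaunches the stealer at logon
    if kind == "file_create" and (any(d in path for d in STAGING_DIRS) or path.endswith("sifreler.txt")):
        hits.append("staging_or_credential_dump")  # %APPDATA%\WindowsGraphics or %TEMP%\Solyx_Pack_Final
    if kind == "file_read" and image.endswith("python.exe") and any(s in path for s in BROWSER_STORES):
        hits.append("python_reads_browser_store")  # T1555 precursor: interpreter touching Login Data
    if kind == "network" and WEBHOOK_RE.search(event.get("url", "")) and not image.endswith("discord.exe"):
        hits.append("webhook_post_from_non_discord_process")  # the exfiltration channel described above
    return hits

def hunt(events):
    """Map each fired rule to the set of process images that triggered it."""
    findings = {}
    for ev in events:
        for rule in detect(ev):
            findings.setdefault(rule, set()).add(ev.get("image", "?"))
    return findings

# Constructed sample telemetry: four malicious events and two benign ones.
MAL = r"C:\Users\u\AppData\Roaming\WindowsGraphics\python.exe"
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": MAL, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsGfxDriver"},
    {"type": "file_read", "image": MAL, "path": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_create", "image": MAL, "path": r"C:\Users\u\AppData\Local\Temp\Solyx_Pack_Final\sifreler.txt"},
    {"type": "network", "image": MAL, "url": "https://discord.com/api/webhooks/<id>/<token>"},
    {"type": "network", "image": r"C:\Users\u\AppData\Local\Discord\app\Discord.exe", "url": "https://discord.com/api/v9/gateway"},
    {"type": "file_create", "image": r"C:\Windows\explorer.exe", "path": r"C:\Users\u\Documents\notes.txt"},
]

if __name__ == "__main__":
    for rule, images in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{rule}: {sorted(images)}")
```

The benign Discord client and Explorer events produce no hits, so the rules key on the combination of process and target rather than on Discord traffic alone.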
Industry Context
SolyxImmortal reflects a rising trend in lightweight, Python-based infostealers that are easy for attackers to develop, modify, and deploy.
The use of Discord as a C2 channel mirrors tactics seen in other modern campaigns, where attackers leverage trusted platforms to bypass detection.
Additionally, the malware’s localized targeting demonstrates a growing focus on regional campaigns, where attackers tailor their tools for specific languages, banking systems, and user behaviors.
As cybercriminals increasingly shift toward stealthy data theft over disruptive attacks, infostealer malware like SolyxImmortal is becoming a primary threat vector.
Conclusion
SolyxImmortal is a clear example of how modern malware blends simplicity with effectiveness. By combining Python-based execution, browser credential theft, and real-time exfiltration via Discord, it creates a powerful surveillance tool capable of long-term compromise.
For organizations and individuals alike, preventing such threats requires a combination of endpoint visibility, user awareness, and proactive defense strategies.
FAQ
What is SolyxImmortal malware?
SolyxImmortal is a Python-based infostealer that steals browser credentials, files, and keystrokes from infected systems.
How does it steal browser passwords?
It extracts encryption keys from browser files and decrypts stored credentials from local databases.
Why does it use Discord?
Discord webhooks allow attackers to exfiltrate data while blending into normal network traffic.
Who is targeted by this malware?
It primarily targets Turkish users, especially those accessing banking and email services.
How can I protect my system?
Use endpoint security tools, avoid suspicious downloads, monitor system activity, and limit outbound connections to unknown services.