In January 2026, researchers identified a new Python-based malware strain named SolyxImmortal—a silent, persistent, and highly evasive surveillance tool engineered to blend seamlessly into Windows environments. Unlike commodity stealers that rely on noisy, predictable behaviors, SolyxImmortal demonstrates operational sophistication, stealth, and advanced exfiltration techniques leveraging trusted cloud platforms like Discord.
For CISOs, SOC analysts, and incident responders, this malware represents a growing category of lightweight, modular, cloud-enabled espionage tools designed for long-term endpoint monitoring and data theft.
This article examines the malware’s architecture, persistence tactics, credential extraction methods, exfiltration channels, MITRE ATT&CK mapping, and actionable defense strategies.
What Is SolyxImmortal?
SolyxImmortal is a compact yet powerful Python-based Windows surveillance malware focusing on:
- Credential theft
- Keystroke logging
- Screenshot capture
- Document harvesting
- Persistence
- Covert exfiltration via Discord webhooks
Key characteristics include:
- Silent execution
- Hardcoded C2 parameters
- No external configs
- Advanced cleanup routines
- Low forensic residue
- Continuous data collection in multi-threaded mode
The malware presents itself as Lethalcompany.py and circulates anonymously across Telegram-based underground channels, often used for distributing stealers and OPSEC-light malware tools.
Technical Specifications
File Attributes
| Attribute | Value |
|---|---|
| Filename | Lethalcompany.py |
| File Size | 10.29 KB |
| File Type | Python Script |
| Code Signing | Unsigned |
| MD5 | 2690f7c685784fff006fe451fa3b154c |
| SHA-256 | 5a1b440861ef652cc207158e7e129f0b3a22ed5ef5d2ea5968e1d9eff33017bc |
| First Observed | January 2026 |
| Distribution Vector | Telegram underground channels |
Execution Model
Once launched, the malware:
- Copies itself into %AppData% under a Windows-like filename
- Registers that copy under HKCU\Software\Microsoft\Windows\CurrentVersion\Run so it relaunches at every logon
- Runs entirely in the user's context; neither the %AppData% copy nor the HKCU Run value requires administrator privileges
- Spawns multiple threads for continuous monitoring
Despite its sophistication, SolyxImmortal does not propagate laterally, suggesting the operator prioritizes targeted endpoint-level data theft rather than network-wide compromise.
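The persistence pattern above (a Python interpreter launching a Windows-named script out of %AppData% from an HKCU Run value) is something a responder can triage directly from the registry. The script below is an added example, not code from the article or from the malware: it classifies Run-key command lines with heuristics that are an analyst's assumptions (AppData launch path, Python interpreter or script, Windows-like binary name outside C:\Windows), reads the real key only on Windows, and otherwise runs against constructed sample values so it works offline.

```python
"""Triage HKCU Run-key values for the user-land persistence pattern described above.

Added example, not code from the original article or from SolyxImmortal. The
sample Run values are constructed, and the heuristics (AppData launch path,
Python interpreter or script, Windows-like binary name outside C:\\Windows)
are an analyst's assumptions about what deserves a second look, not a
signature for this malware.
"""
import re
import sys

PY_PATTERNS = (
    r"\bpythonw?(\d(\.\d+)?)?\.exe\b",  # python.exe, pythonw.exe, python3.12.exe
    r"\.pyw?\b",                         # .py / .pyw script arguments
)
APPDATA_PATTERNS = (r"%appdata%", r"\\appdata\\(roaming|local)\\")
# Process names a look-alike copy tends to imitate. Genuine copies live under
# C:\Windows (System32, SysWOW64, or the root for explorer.exe).
WINDOWS_LIKE = ("svchost", "explorer", "winlogon", "csrss", "lsass", "wininit", "runtimebroker", "taskhostw")


def classify_run_value(value: str) -> list[str]:
    """Return the reasons a Run-key command line looks like script persistence (empty if none)."""
    v = value.lower()
    reasons = []
    if any(re.search(p, v) for p in APPDATA_PATTERNS):
        reasons.append("launches from AppData")
    if any(re.search(p, v) for p in PY_PATTERNS):
        reasons.append("invokes a Python interpreter or script")
    for name in WINDOWS_LIKE:
        # require a path separator before the name so it is a file basename, not a substring
        if re.search(rf"\\{name}(\.exe|\.pyw?)?\b", v) and "\\windows\\" not in v:
            reasons.append(f"Windows-like name '{name}' outside C:\\Windows")
            break
    return reasons


def is_suspicious(value: str) -> bool:
    """AppData alone is a weak signal (OneDrive, Teams and Discord all live there); require two."""
    return len(classify_run_value(value)) >= 2


def enumerate_run_values() -> dict[str, str]:
    """Read HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run; returns {} off Windows."""
    if sys.platform != "win32":
        return {}
    import winreg  # Windows-only stdlib module
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                break
            values[name] = str(data)
            index += 1
    return values


def triage(values: dict[str, str]) -> dict[str, list[str]]:
    """Map each suspicious value name to the reasons it was flagged."""
    return {name: classify_run_value(v) for name, v in values.items() if is_suspicious(v)}


# Constructed sample: two ordinary entries and one matching the pattern in the article.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "WindowsUpdate": r'"C:\Users\alice\AppData\Local\Programs\Python\Python312\pythonw.exe" '
                     r'"C:\Users\alice\AppData\Roaming\svchost.pyw"',
}

if __name__ == "__main__":
    for name, reasons in triage(enumerate_run_values() or SAMPLE_RUN_VALUES).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a live host the script reads the user's own Run key; run it under each interactive user, since HKCU persistence is per profile and a scan from a different account sees nothing.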
How SolyxImmortal Harvests Data
1. Credential Theft From Chromium Browsers
Targets include:
- Google Chrome
- Microsoft Edge
- Brave
The workflow:
- Reads the browser's Local State file and extracts the base64-encoded os_crypt master key
- Unwraps that key with Windows DPAPI (CryptUnprotectData), which succeeds only when running as the user who saved the credentials; this is why the malware needs no elevation
- Decrypts each saved login from the profile's Login Data database with AES-256-GCM using the unwrapped key
- Writes the plaintext passwords to a local staging file
- Compresses them into ZIP archives
- Sends them via HTTPS POST to Discord webhook endpoints
This technique leverages Discord's domain reputation: the upload is ordinary HTTPS to an allowlisted host, so it often passes proxy reputation filters and egress rules that would block an unknown C2 domain.
2. Keystroke Logging
SolyxImmortal uses persistent keyboard hooks that:
- Capture keystrokes in memory
- Translate special keys (Enter, Backspace, Ctrl) into readable labels
- Periodically exfiltrate the buffered log at fixed intervals instead of on every keystroke
This batching keeps the number of connections low, but the fixed cadence is itself a beaconing pattern: evenly spaced POSTs to the same webhook from one host stand out in proxy logs.
3. Screenshot Capture & Visual Surveillance
The malware monitors foreground window titles for sensitive keywords tied to:
- Financial services
- Authentication portals
- Email sign-ins
- Cloud accounts
When detected, SolyxImmortal immediately:
- Captures a screenshot
- Sends it to a dedicated screenshot-only webhook
Routine screenshots are also taken at intervals to maintain continuous visibility.
4. Document and File Harvesting
The malware scans user directories for:
- PDF documents
- Text files
- Office documents
- Authentication artifacts
Harvested items are:
- Zipped
- Staged in the TEMP directory
- Sent to the structured-data webhook
- Deleted after transmission
Deleting the staged archive limits what is left on disk, but the create-then-delete pattern in TEMP is still recorded by NTFS journaling and EDR file telemetry.
Network Communication and C2 Behavior
Discord Webhooks as C2 Channels
SolyxImmortal maintains two separate Discord webhooks:
- Primary: credentials, logs, ZIP archives
- Secondary: screenshots only
Why Discord?
- Trusted infrastructure with a high domain reputation
- HTTPS transport, so payloads are invisible without TLS interception
- High availability
- Difficult to block outright without breaking legitimate Discord use
All outbound traffic is HTTPS over standard ports, blending in with normal network behavior.
After exfiltration, SolyxImmortal clears temporary files to minimize visibility.
Threat Actor Profile
OSINT and code-linguistic analysis suggest:
- Medium-confidence attribution to a Turkish-speaking actor
- Activity patterns consistent with:
  - Hacktivist coordination
  - Opportunistic cyber theft
  - Low-to-mid sophistication groups
The malware’s design—simple delivery but stealthy exfiltration—suggests:
- Targets: individual users and small businesses
- Use cases: credential theft, account takeover, financial fraud, extortion-enabling surveillance
Its modular structure allows it to be repurposed for more advanced campaigns.
MITRE ATT&CK Mapping
| Tactic | Technique ID | Description |
|---|---|---|
| Execution | T1059.006 | Command and Scripting Interpreter: Python |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys |
| Credential Access | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers |
| Credential Access | T1552.001 | Unsecured Credentials: Credentials In Files |
| Collection | T1056.001 | Input Capture: Keylogging |
| Collection | T1113 | Screen Capture |
| Collection | T1560 | Archive Collected Data (ZIP compression before upload) |
| Collection | T1074.001 | Data Staged: Local Data Staging (archives written to TEMP) |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1010 | Application Window Discovery (foreground title keyword matching) |
| Exfiltration | T1567.004 | Exfiltration Over Web Service: Exfiltration Over Webhook (Discord) |
| Command and Control | T1102.003 | Web Service: One-Way Communication (Discord webhooks) |
| Defense Evasion | T1070.004 | Indicator Removal: File Deletion (staged archives removed after upload) |
Common Misconceptions About Python Malware
❌ “Python scripts are easy to detect.”
Scripts bundled with PyInstaller-style packagers ship as ordinary PE executables carrying their own interpreter; the script text is not visible to tools that do not unpack the bundle, so hash and string signatures written for the .py source do not fire. Behavioral telemetry (registry, file and network activity) does not depend on the packaging.
❌ “Discord traffic is always benign.”
Modern stealers increasingly use high-reputation cloud apps for covert C2.
❌ “Small malware = low impact.”
At just 10 KB, SolyxImmortal demonstrates how minimal code can deliver maximum surveillance and credential compromise.
Defensive Recommendations
1. Behavioral Detection
Monitor:
- Non-browser processes reading Chromium Local State and Login Data files (Chrome, Edge and Brave read their own stores; a Python interpreter should not)
- Low-level keyboard hooks and screen-capture calls from script hosts or unsigned binaries
- New scripts or executables written to %AppData% and then referenced from a Run key
- HKCU Run key additions that pair an interpreter with a script path
- HTTPS POSTs to discord.com/api/webhooks/ from any process other than the Discord client
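The indicators in the list above only become a useful alert when they are correlated per process, since each one on its own has benign explanations (Chrome reads Local State, the Discord client talks to discord.com, OneDrive runs from AppData). The following added example, not a detection from the article or from any vendor, scores unique indicators per process over constructed endpoint events. The event records, their field names and the weights are assumptions for illustration; map them onto your EDR or Sysmon schema before use.

```python
"""Behavioral correlation of the indicators listed above over constructed endpoint events.

Added example, not a detection from the article or from any vendor. The
event records, their field names and the scoring weights are assumptions
for illustration; map them onto your EDR or Sysmon schema before use.
"""
import ntpath
import re
from collections import defaultdict

# Chromium keeps the DPAPI-wrapped key in "Local State" and saved logins in "<profile>\Login Data".
BROWSER_SECRETS = re.compile(
    r"\\(google\\chrome|microsoft\\edge|bravesoftware\\brave-browser)\\user data\\(local state|.*\\login data)$",
    re.I,
)
RUN_KEY = re.compile(r"^hkcu\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
DISCORD_HOST = re.compile(r"(^|\.)discord(app)?\.com$", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
DISCORD_OK = BROWSERS | {"discord.exe"}   # processes expected to talk to discord.com

WEIGHTS = {  # assumed weights; tune to your false-positive budget
    "reads browser credential store": 4,
    "sets HKCU Run value": 3,
    "connects to discord.com from non-Discord process": 2,
    "image runs from AppData": 1,
}


def indicators(ev: dict) -> list[str]:
    """Return the indicator names a single event contributes."""
    image = ntpath.basename(ev["image"]).lower()
    found = []
    if ev["type"] == "file_read" and image not in BROWSERS and BROWSER_SECRETS.search(ev["path"]):
        found.append("reads browser credential store")
    if ev["type"] == "registry_set" and RUN_KEY.search(ev["key"]):
        found.append("sets HKCU Run value")
    if ev["type"] == "network_connect" and image not in DISCORD_OK and DISCORD_HOST.search(ev["dest_host"]):
        found.append("connects to discord.com from non-Discord process")
    if "\\appdata\\" in ev["image"].lower():
        found.append("image runs from AppData")
    return found


def correlate(events: list[dict]) -> dict[int, dict]:
    """Aggregate unique indicators per pid (repeated reads count once) and score them."""
    per_proc = defaultdict(lambda: {"image": None, "indicators": set()})
    for ev in events:
        entry = per_proc[ev["pid"]]
        entry["image"] = ev["image"]
        entry["indicators"].update(indicators(ev))
    return {pid: {"image": e["image"], "indicators": sorted(e["indicators"]),
                  "score": sum(WEIGHTS[i] for i in e["indicators"])}
            for pid, e in per_proc.items()}


def alerts(events: list[dict], threshold: int = 5) -> dict[int, dict]:
    """Processes whose combined score crosses the threshold."""
    return {pid: r for pid, r in correlate(events).items() if r["score"] >= threshold}


PYW = r"C:\Users\alice\AppData\Local\Programs\Python\Python312\pythonw.exe"
CHROME_STATE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"type": "process_create", "pid": 4120, "image": PYW,
     "cmdline": r'pythonw.exe "C:\Users\alice\AppData\Roaming\svchost.pyw"'},
    {"type": "registry_set", "pid": 4120, "image": PYW,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate"},
    {"type": "file_read", "pid": 4120, "image": PYW, "path": CHROME_STATE},
    {"type": "file_read", "pid": 4120, "image": PYW,
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "network_connect", "pid": 4120, "image": PYW, "dest_host": "discord.com", "dest_port": 443},
    # Benign baseline: Chrome reading its own store, the Discord client talking to its own service.
    {"type": "file_read", "pid": 2208, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "path": CHROME_STATE},
    {"type": "network_connect", "pid": 3300, "image": r"C:\Users\alice\AppData\Local\Discord\app-1.0.9\Discord.exe",
     "dest_host": "discord.com", "dest_port": 443},
]

if __name__ == "__main__":
    for pid, r in alerts(SAMPLE_EVENTS).items():
        print(pid, r["image"], r["score"], r["indicators"])
```

With the sample data the interpreter process scores 10 and is the only alert; Chrome scores 0 and the Discord client 1, which is the point of correlating rather than alerting on any single indicator.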
2. Network Controls
- Block or log requests to the webhook path (discord.com/api/webhooks/ and discordapp.com/api/webhooks/) at the proxy; normal Discord client traffic does not use this path, so the rule carries little collateral
- Enable TLS inspection where policy and privacy rules allow it; without it the webhook path is invisible and only the destination host remains
- Use DNS logs to find discord.com resolutions from hosts that have no business running Discord; DNS filtering alone cannot separate webhook posts from normal Discord use
- Restrict network access for script hosts such as python.exe and pythonw.exe, which rarely need direct egress
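The webhook-monitoring control above, and the webhook channel described under Network Communication, come down to two checks in proxy logs: does a POST hit the webhook path, and do those POSTs arrive on a timer. The following added example (not from the article) does both over constructed log lines in a generic "timestamp client method url bytes" layout, which is an assumption; adapt the line parser to your proxy's format. The webhook ID and token are made up and only follow Discord's shape (a numeric snowflake and a long URL-safe token).

```python
"""Find Discord webhook posts in proxy logs and test them for fixed-interval beaconing.

Added example, not from the article. The log lines are constructed in a
generic "<ISO timestamp> <client IP> <method> <url> <bytes>" layout (an
assumption; adapt the parser to your proxy). The webhook ID and token are
made up; they follow Discord's shape but are not real.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Optional

# Webhook URLs share one path shape regardless of host variant or API version prefix.
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/(?:v\d+/)?webhooks/"
    r"(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]{50,})",
    re.I,
)
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$")


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line of the assumed layout; None if it does not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["bytes"] = int(rec["bytes"])
    return rec


def find_webhook_posts(lines) -> list[dict]:
    """Every POST to a webhook URL, with the webhook ID split out for blocking and scoping."""
    posts = []
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        m = WEBHOOK_RE.search(rec["url"])
        if m:
            posts.append({**rec, "webhook_id": m["id"], "token": m["token"]})
    return posts


def beacon_stats(posts: list[dict], max_jitter: float = 0.1, min_posts: int = 3) -> dict:
    """Per (client, webhook): post count, mean gap, and whether the gaps are regular enough to be a timer."""
    groups = defaultdict(list)
    for p in posts:
        groups[(p["client"], p["webhook_id"])].append(p["ts"])
    stats = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps) if gaps else 0.0
        spread = pstdev(gaps) if len(gaps) > 1 else 0.0
        stats[key] = {
            "count": len(times),
            "mean_interval_s": avg,
            "periodic": len(times) >= min_posts and avg > 0 and spread / avg <= max_jitter,
        }
    return stats


FAKE_ID = "1324567890123456789"       # constructed snowflake-shaped ID
FAKE_TOKEN = "w7bLq2Zx" * 9           # constructed 72-character token
SAMPLE_LOG = [  # constructed proxy lines, not real traffic
    f"2026-01-14T09:00:02Z 10.0.0.23 POST https://discord.com/api/webhooks/{FAKE_ID}/{FAKE_TOKEN} 1834",
    "2026-01-14T09:02:10Z 10.0.0.23 GET https://discord.com/api/v9/gateway 212",
    "2026-01-14T09:03:40Z 10.0.0.41 GET https://cdn.discordapp.com/attachments/1/2/photo.png 8891",
    f"2026-01-14T09:05:02Z 10.0.0.23 POST https://discord.com/api/webhooks/{FAKE_ID}/{FAKE_TOKEN} 421",
    f"2026-01-14T09:10:03Z 10.0.0.23 POST https://discord.com/api/webhooks/{FAKE_ID}/{FAKE_TOKEN} 512",
    f"2026-01-14T09:15:02Z 10.0.0.23 POST https://discord.com/api/webhooks/{FAKE_ID}/{FAKE_TOKEN} 20488",
]

if __name__ == "__main__":
    for key, s in beacon_stats(find_webhook_posts(SAMPLE_LOG)).items():
        print(key, s)
```

The regex deliberately captures the webhook ID and token separately: the ID is what you block at the proxy and search for across the estate, while the token should be treated as a secret in your own case notes, since anyone holding it can post to the attacker's channel. Without TLS inspection the URL path is not in the log and only the host-level and timing checks remain.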
3. Endpoint Hardening
- Enable application allowlisting
- Restrict execution of unsigned Python-based binaries
- Protect browser credential storage: prefer an enterprise password manager and disable browser password saving by policy (Chromium's PasswordManagerEnabled policy), so there is nothing in Login Data to steal
- Enforce strong MFA policies
4. Incident Response Actions
During triage:
- Inspect HKCU Run keys for values that launch an interpreter with a script in %AppData%
- Review %AppData% and TEMP for recently written .py/.pyw files and ZIP archives
- Look for Python interpreters or packaged Python executables outside managed install locations
- Hunt for residual credential dumps and staged archives, and check NTFS journaling for archives created in TEMP and deleted shortly afterwards
- Pull proxy logs for POSTs to discord.com/api/webhooks/ and extract the webhook IDs for blocking and scoping
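The file-system part of that triage (scripts in the profile, staged archives in TEMP, residual dumps) can be scripted so it is repeatable across hosts. The following added example, not from the article, scans a set of roots for user-profile Python scripts and for ZIP archives whose member names look like credential or keylog dumps, ignoring files older than a cut-off. The fixture it builds for offline use is constructed; on a real host pass the APPDATA, LOCALAPPDATA and TEMP paths instead.

```python
"""Hunt %AppData% and TEMP for the residue named in the triage steps above.

Added example, not from the article. It flags user-profile Python scripts
and ZIP archives with credential-like member names, skipping files older
than a cut-off. The fixture directory is constructed for offline use; on a
real host the APPDATA, LOCALAPPDATA and TEMP variables are scanned instead.
"""
import os
import tempfile
import time
import zipfile
from pathlib import Path
from typing import Optional

SCRIPT_EXT = {".py", ".pyw"}
CREDENTIAL_WORDS = ("password", "login", "keylog", "cookie", "credential", "screenshot")


def hunt(roots, max_age_days: float = 30, now: Optional[float] = None) -> list[dict]:
    """Return findings under the given roots; each names the path and why it was flagged."""
    now = time.time() if now is None else now
    findings = []
    for root in roots:
        for path in Path(root).rglob("*"):
            if not path.is_file():
                continue
            if (now - path.stat().st_mtime) / 86400 > max_age_days:
                continue  # outside the window of interest
            ext = path.suffix.lower()
            if ext in SCRIPT_EXT:
                findings.append({"path": str(path), "reason": "Python script in user profile"})
            elif ext == ".zip" and zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    hits = [n for n in zf.namelist() if any(w in n.lower() for w in CREDENTIAL_WORDS)]
                if hits:
                    findings.append({"path": str(path), "reason": "archive with credential-like members",
                                     "members": hits})
    return sorted(findings, key=lambda f: f["path"])


def build_fixture(base: str) -> list[str]:
    """Constructed profile layout: a planted script, a staged dump, a benign archive, a stale script."""
    roaming = Path(base, "AppData", "Roaming")
    temp = Path(base, "AppData", "Local", "Temp")
    roaming.mkdir(parents=True)
    temp.mkdir(parents=True)
    (roaming / "svchost.pyw").write_text("# planted script (constructed)\n")
    with zipfile.ZipFile(temp / "upload_1234.zip", "w") as zf:
        zf.writestr("passwords.txt", "constructed")
        zf.writestr("keylog.txt", "constructed")
    with zipfile.ZipFile(temp / "photos.zip", "w") as zf:
        zf.writestr("img1.jpg", "constructed")
    stale = roaming / "old_tool.py"
    stale.write_text("# 90 days old, outside the default window\n")
    old = time.time() - 90 * 86400
    os.utime(stale, (old, old))
    return [str(roaming), str(temp)]


def demo() -> list[dict]:
    """Run the hunt over the constructed fixture."""
    with tempfile.TemporaryDirectory() as tmp:
        return hunt(build_fixture(tmp))


if __name__ == "__main__":
    roots = [p for p in (os.environ.get(v) for v in ("APPDATA", "LOCALAPPDATA", "TEMP")) if p]
    for finding in (hunt(roots) if roots else demo()):
        print(finding)
```

Because the malware deletes its archives after upload, an empty result from this scan does not clear a host; pair it with the registry triage and with file-system journaling, which records the archive's creation and deletion even when the file itself is gone.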
Conclusion
SolyxImmortal represents the evolution of lightweight malware—simple to distribute, hard to detect, and built for persistent, continuous data theft. With its multi-threaded surveillance engine, browser credential extraction, and covert Discord-based exfiltration, this malware poses a serious risk to individuals and small organizations.
For defenders, detection requires a multi-layered approach focused on behavioral analytics, browser credential protection, webhook monitoring, and endpoint visibility.
Strengthening defenses against SolyxImmortal and malware like it is critical for maintaining secure Windows environments.