Stealthy SolyxImmortal Malware Exploits Discord to Harvest Sensitive Data from Windows Systems

SolyxImmortal: The Stealthy Python Malware Exploiting Discord to Harvest Sensitive Data

In January 2026, cybersecurity researchers identified a sophisticated Python-based malware named SolyxImmortal, marking a significant evolution in information-stealing threats targeting Windows systems. Unlike traditional malware that often seeks rapid exploitation, SolyxImmortal is designed for prolonged surveillance, operating silently to collect a wide array of sensitive data from compromised devices.

Stealthy Operations and Data Collection

SolyxImmortal’s primary function is to remain undetected while harvesting critical information, including user credentials, documents, keystrokes, and screenshots. This data is exfiltrated directly to attackers via Discord webhooks, a method that leverages the platform’s legitimate infrastructure to evade detection. The malware’s emergence signifies a shift towards more covert operational models that prioritize continuous monitoring over immediate, overt exploitation.

Infection Vector and Execution

The malware is typically distributed as a seemingly benign Python script named Lethalcompany.py. Upon execution, SolyxImmortal establishes persistence through multiple mechanisms and initiates background surveillance threads. Notably, it does not attempt to spread laterally across networks or propagate itself; instead, it focuses solely on the compromised device, enabling attackers to maintain long-term visibility into user activities without raising alarms.

Persistence Mechanisms

To ensure its continued operation, SolyxImmortal employs several persistence strategies:

– File Concealment: The malware copies itself to a hidden location within the AppData directory, renaming the file to mimic legitimate Windows components.

– Registry Modification: It registers itself in the Windows registry Run key, ensuring automatic execution upon each user login without requiring administrative privileges.

These techniques guarantee that the malware remains active even after system restarts, providing attackers with uninterrupted access to the infected system.
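The two persistence traits described above, an autostart entry in the user's Run key and a script hidden under AppData with a name mimicking a Windows component, are cheap to audit. The following is an added example written for this page, not code from the article or from the SolyxImmortal sample: the indicator lists, the lookalike names and the sample Run-key entries are constructed assumptions. It scores each Run-key value on those indicators and, on Windows, can read the live HKCU Run key through `winreg`; on any other OS it runs against the embedded sample.

```python
"""Audit Windows Run-key autostart entries for script payloads launched from
hidden AppData locations. Added example; indicator lists and sample data are
assumptions, not taken from the SolyxImmortal sample."""
import re
import sys
from dataclasses import dataclass

# Interpreters and hosts commonly used to launch script payloads (assumption).
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "py.exe", "wscript.exe",
                "cscript.exe", "powershell.exe", "cmd.exe"}
SCRIPT_EXTS = (".py", ".pyw", ".vbs", ".js", ".ps1", ".bat", ".cmd")
# Legitimate Windows component names a dropped file might imitate (constructed list).
LOOKALIKE_NAMES = {"svchost", "winlogon", "explorer", "csrss", "lsass", "dwm", "runtimebroker"}


@dataclass
class Finding:
    name: str
    command: str
    reasons: list


def _tokens(command: str) -> list:
    # Split a Run-key command line into quoted or bare tokens, dropping the quotes.
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command)]


def assess_run_entry(name: str, command: str) -> Finding:
    """Return the indicators that apply to one Run-key value (empty list = benign)."""
    reasons = []
    toks = _tokens(command)
    host = toks[0].lower().rsplit("\\", 1)[-1] if toks else ""
    lowered = command.lower()
    if host in SCRIPT_HOSTS:
        reasons.append(f"launched through script host {host}")
    if any(t.lower().endswith(SCRIPT_EXTS) for t in toks):
        reasons.append("autostart target is a script, not a signed binary")
    if "\\appdata\\" in lowered or "%appdata%" in lowered or "%localappdata%" in lowered:
        reasons.append("target lives under AppData (user-writable, no admin rights needed)")
    for t in toks:
        base = t.rsplit("\\", 1)[-1].lower()
        stem = base.rsplit(".", 1)[0]
        if stem in LOOKALIKE_NAMES and "\\windows\\" not in t.lower():
            reasons.append(f"name '{base}' mimics a Windows component outside the Windows directory")
    return Finding(name, command, reasons)


def audit(entries: dict) -> list:
    """Return only entries with at least one indicator, most indicators first."""
    findings = [assess_run_entry(n, c) for n, c in entries.items()]
    return sorted((f for f in findings if f.reasons), key=lambda f: -len(f.reasons))


def read_hkcu_run() -> dict:
    """Live collection of HKCU\\...\\Run on Windows; empty dict elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries = {}
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    i = 0
    while True:
        try:
            value_name, value, _ = winreg.EnumValue(key, i)
        except OSError:
            break  # no more values under the key
        entries[value_name] = str(value)
        i += 1
    return entries


# Constructed sample entries: one ordinary vendor updater, one matching the
# pattern described in the article (pythonw launching a hidden lookalike script).
SAMPLE_ENTRIES = {
    "OneDrive": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background',
    "WindowsUpdateHelper": r'"C:\Users\alice\AppData\Local\Programs\Python\pythonw.exe" '
                           r'"C:\Users\alice\AppData\Local\Microsoft\svchost.pyw"',
}

if __name__ == "__main__":
    for f in audit(read_hkcu_run() or SAMPLE_ENTRIES):
        print(f.name, "->", f.command)
        for r in f.reasons:
            print("   -", r)
```

Run it as the logged-in user on the workstation being checked; because the Run key lives under HKCU, no elevation is needed to enumerate it, which is the same property the malware relies on to install there. Entries that score on several indicators at once deserve a look at the referenced file before anything is removed.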

Targeting Browser Credentials

SolyxImmortal specifically targets popular web browsers, including Chrome, Edge, Brave, and Opera GX. By accessing browser profile directories, the malware extracts each browser's master encryption key using the Windows Data Protection API (DPAPI). It then uses that key to decrypt the AES-GCM-encrypted stored credentials, recovering them in plaintext before exfiltration. This process highlights the malware's capability to bypass local security measures effectively.

Document and File Harvesting

Beyond credential theft, SolyxImmortal scans the user’s home directory for documents with specific extensions such as .pdf, .docx, and .xlsx. To optimize data exfiltration and minimize detection, it filters these files by size, avoiding large files that could trigger network monitoring alerts. All harvested data is compressed into a ZIP archive and transmitted to attacker-controlled Discord webhooks, completing the data theft cycle.

Exploitation of Legitimate Platforms

By utilizing Discord webhooks for data transmission, SolyxImmortal exploits the platform’s reputation and HTTPS encryption to avoid network-based detection. This technique demonstrates how threat actors increasingly abuse legitimate services to hide malicious activity.
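The exfiltration path described in the two sections above, a ZIP archive uploaded to an attacker-controlled Discord webhook over HTTPS, is hard to spot by destination alone, but the combination of method, URL path, client user-agent, content type and upload size is distinctive. The code below is an added example for this page, not code from the article or any real proxy product: the JSON-lines log schema, the sample records, the user-agent hints and the size threshold are constructed assumptions. It scores each record and aggregates alerts per source host.

```python
"""Flag probable webhook-based exfiltration in web-proxy logs. Added example;
the JSON-lines schema, sample records and thresholds are constructed assumptions."""
import json
import re
from collections import defaultdict

# Discord webhook URLs: /api/webhooks/<numeric id>/<token>
WEBHOOK_RE = re.compile(
    r"^https?://(?:[a-z0-9.-]+\.)?(?:discord|discordapp)\.com/api/webhooks/(\d+)/([A-Za-z0-9_.-]+)",
    re.I)
# User-agent fragments of scripting libraries (assumption; extend for the environment).
SCRIPT_UA_HINTS = ("python-requests", "python-urllib", "aiohttp", "curl/", "powershell")
LARGE_UPLOAD_BYTES = 200_000  # assumption: tune to normal chat-message sizes


def webhook_id(url: str):
    """Return the numeric webhook id if the URL is a Discord webhook, else None."""
    m = WEBHOOK_RE.match(url)
    return m.group(1) if m else None


def parse_line(line: str):
    """Parse one JSON-lines record; None for blank or malformed lines."""
    line = line.strip()
    if not line:
        return None
    try:
        return json.loads(line)
    except json.JSONDecodeError:
        return None


def score_event(ev: dict) -> tuple:
    """Return (score, reasons) for one record; score 0 means not a webhook POST."""
    if ev.get("method", "").upper() != "POST":
        return 0, []
    wid = webhook_id(ev.get("url", ""))
    if wid is None:
        return 0, []
    reasons = ["POST to Discord webhook " + wid]
    ua = ev.get("user_agent", "").lower()
    if not ua or any(h in ua for h in SCRIPT_UA_HINTS):
        reasons.append("client user-agent is a scripting library, not the Discord app or a browser")
    if "multipart/form-data" in ev.get("content_type", "").lower():
        reasons.append("multipart upload (file attachment) rather than a JSON message")
    if int(ev.get("bytes_out", 0)) >= LARGE_UPLOAD_BYTES:
        reasons.append(f"{ev['bytes_out']} bytes sent in one request")
    return len(reasons), reasons


def detect(log_lines, min_score: int = 3) -> list:
    """Scan records and return one alert per source host reaching min_score."""
    per_host = defaultdict(lambda: {"posts": 0, "bytes": 0, "reasons": set(), "webhooks": set()})
    for line in log_lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed records rather than abort the sweep
        score, reasons = score_event(ev)
        if score < min_score:
            continue
        h = per_host[ev.get("src", "?")]
        h["posts"] += 1
        h["bytes"] += int(ev.get("bytes_out", 0))
        h["reasons"].update(reasons[1:])
        h["webhooks"].add(webhook_id(ev["url"]))
    return [{"src": src, **{k: (sorted(v) if isinstance(v, set) else v) for k, v in d.items()}}
            for src, d in per_host.items()]


# Constructed sample records: a desktop-client message, a large multipart upload
# from a scripting library, a small CI notification, a malformed line, a browser GET.
SAMPLE_LOG = [
    '{"ts":"2026-01-14T09:12:01Z","src":"10.0.0.7","method":"POST","url":"https://discord.com/api/v9/channels/111/messages","user_agent":"Discord/1.0.9035 Chrome/120","content_type":"application/json","bytes_out":412}',
    '{"ts":"2026-01-14T09:12:44Z","src":"10.0.0.12","method":"POST","url":"https://discord.com/api/webhooks/123456789012345678/AbCdEf-ghij_KLM","user_agent":"python-requests/2.31.0","content_type":"multipart/form-data; boundary=xyz","bytes_out":3400000}',
    '{"ts":"2026-01-14T09:13:02Z","src":"10.0.0.30","method":"POST","url":"https://discord.com/api/webhooks/987654321098765432/build-notify","user_agent":"curl/8.4.0","content_type":"application/json","bytes_out":312}',
    'garbage line that is not json',
    '{"ts":"2026-01-14T09:14:10Z","src":"10.0.0.12","method":"GET","url":"https://discord.com/app","user_agent":"Mozilla/5.0","content_type":"","bytes_out":0}',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(json.dumps(alert, indent=2))
```

With the default `min_score` of 3, the small `curl` notification from the CI host scores only two indicators and stays quiet, while the multi-megabyte multipart upload from the workstation scores all four and is reported; lowering `min_score` to 2 surfaces every scripted webhook post, which is the right setting if the organisation has no legitimate webhook automation. The same host-level aggregation is useful for the size-filtering behaviour the article describes: many medium-sized uploads from one host add up in the `bytes` field even when no single request crosses the threshold.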

Implications and Recommendations

The emergence of SolyxImmortal underscores the evolving tactics of cybercriminals who prioritize stealth and persistence over immediate gains. Organizations and individuals must remain vigilant, adopting comprehensive cybersecurity measures to detect and mitigate such threats. Regular system audits, updated antivirus solutions, and user education on the risks of executing unverified scripts are essential steps in defending against sophisticated malware like SolyxImmortal.