Discord: ‘SolyxImmortal’ Information Stealer Emerges

New Python-Based Infostealer "SolyxImmortal" Leverages Legitimate APIs for Stealthy Data Theft

Cybersecurity firm Cyfirma has uncovered SolyxImmortal, a Python-written information stealer targeting Windows systems with evasive data harvesting and surveillance capabilities. The malware, designed for persistent background operation, lacks self-propagation but excels in continuous monitoring of high-value user activities, including authentication and financial transactions.

Key Features and Tactics
SolyxImmortal employs hardcoded command-and-control (C&C) parameters and abuses two Discord webhooks, one for structured data exfiltration and another for screenshots, to evade network detection by blending into the platform's HTTPS-encrypted, well-reputed traffic. A hardcoded Discord user ID ensures operators receive immediate alerts for critical events.

For persistence, the malware copies itself into the user’s AppData directory, renames the executable, and marks it as hidden. It also registers under the Run key to launch at logon. Data theft includes:

  • Credential harvesting: Targets Chrome and Chromium-based browsers by extracting the master encryption key from the Local State file to decrypt login data, aggregating stolen credentials in plaintext.
  • Document collection: Scans the user’s home directory for files based on extensions and size, staging them in a temporary folder before compression and exfiltration.
  • Keylogging: Captures keystrokes in an in-memory buffer, periodically exfiltrating them via a dedicated thread.
  • Screen monitoring: Takes screenshots when active windows match predefined titles (e.g., authentication or financial operations) and sends them to Discord. Routine screenshots are also captured at fixed intervals for continuous surveillance.

After exfiltrating data via HTTPS POST requests, the malware deletes temporary files to cover its tracks.
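A defender-side way to hunt for the two behaviours described above: persistence from a hidden copy under AppData launched via the Run key, and exfiltration to Discord webhooks over HTTPS POST. This is an added example, not code from the article, from Cyfirma, or from the malware itself. The autorun records, proxy log lines, process names and webhook IDs are all constructed for illustration, and the log line shape (timestamp, process image, method, URL) is an assumption about what a process-attributed proxy or EDR export might look like.

```python
"""Hunt for SolyxImmortal-style persistence and webhook exfiltration.

Added example (not Cyfirma's or the article's code). Runs two checks over
constructed sample data and correlates them:
  1. Run-key autoruns whose target is a hidden executable under AppData.
  2. HTTPS POSTs to Discord webhook URLs from non-browser processes.
"""

import re

# Constructed autorun records, shaped like the output of an inventory script
# that reads HKCU\Software\Microsoft\Windows\CurrentVersion\Run and stats the
# target file. The 'hidden' flag models the file's hidden attribute.
AUTORUNS = [
    {"name": "OneDrive",
     "path": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "hidden": False},
    {"name": "WindowsUpdateSvc",              # constructed, not a real IoC
     "path": r"C:\Users\alice\AppData\Roaming\svchost32.exe",
     "hidden": True},
    {"name": "Spotify",
     "path": r"C:\Program Files\Spotify\Spotify.exe",
     "hidden": False},
]

# Constructed proxy log lines: timestamp, process image, method, URL.
PROXY_LOG = """\
2026-01-19T10:01:02Z chrome.exe GET https://discord.com/api/v9/users/@me
2026-01-19T10:01:05Z svchost32.exe POST https://discord.com/api/webhooks/1234567890/AbCdEf
2026-01-19T10:06:05Z svchost32.exe POST https://discord.com/api/webhooks/0987654321/ZyXwV
2026-01-19T10:07:00Z Discord.exe POST https://discord.com/api/v9/channels/42/messages
"""

# Path fragment for a per-user AppData directory (case-insensitive).
APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Discord webhook endpoint: /api/webhooks/<id>/<token>.
WEBHOOK_RE = re.compile(
    r"https://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/\S+", re.IGNORECASE)
# Images that legitimately talk to discord.com and are not of interest here.
BROWSER_OR_CLIENT = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "discord.exe"}


def suspicious_autoruns(entries):
    """Return the names of Run-key entries whose target is a hidden file under
    AppData. AppData alone is not enough (OneDrive lives there too); the
    hidden attribute is the discriminator the article describes."""
    return [e["name"] for e in entries
            if APPDATA_RE.search(e["path"]) and e["hidden"]]


def webhook_posts_by_process(log_text):
    """Count POSTs to Discord webhook URLs per process image, ignoring
    browsers and the Discord client."""
    counts = {}
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue                      # skip malformed lines
        _ts, proc, method, url = parts
        if method != "POST" or proc.lower() in BROWSER_OR_CLIENT:
            continue
        if WEBHOOK_RE.match(url):
            counts[proc] = counts.get(proc, 0) + 1
    return counts


def correlate(entries, log_text):
    """Names of suspicious autoruns whose executable also posts to webhooks:
    both the persistence and the exfiltration signal on one host."""
    flagged = set(suspicious_autoruns(entries))
    image_to_name = {e["path"].rsplit("\\", 1)[-1].lower(): e["name"]
                     for e in entries if e["name"] in flagged}
    posting = {p.lower() for p in webhook_posts_by_process(log_text)}
    return sorted(name for img, name in image_to_name.items() if img in posting)


if __name__ == "__main__":
    print("suspicious autoruns:", suspicious_autoruns(AUTORUNS))
    print("webhook POSTs by process:", webhook_posts_by_process(PROXY_LOG))
    print("correlated:", correlate(AUTORUNS, PROXY_LOG))
```

Either signal on its own is noisy (plenty of legitimate software autoruns from AppData, and the Discord client and browsers post to discord.com all day); the value is in the correlation, which requires egress logging that attributes connections to a process image rather than just a host. Blocking or alerting on discord.com/api/webhooks from anything other than the Discord client is a reasonable policy where the organisation does not use webhooks itself.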

Origins and Threat Landscape
SolyxImmortal appears tailored for opportunistic attacks by low-to-medium sophistication threat actors. It was advertised on an underground Telegram channel linked to a Turkish-speaking developer, suggesting a focus on broad data theft rather than targeted espionage. However, its modular design allows easy repurposing by other cybercriminals.

Cyfirma highlights the malware as part of a growing trend where mid-tier threat actors exploit readily available platforms (e.g., Discord, Python) and third-party libraries to deploy surveillance tools without maintaining dedicated infrastructure. The discovery follows recent reports of other infostealer campaigns, including supply chain attacks and macOS/Linux-targeted malware.

Source: https://www.securityweek.com/solyximmortal-information-stealer-emerges/

Discord Developers cybersecurity rating report: https://www.rankiteo.com/company/discord-developers

{
  "id": "DIS1768835600",
  "linkid": "discord-developers",
  "type": "Cyber Attack",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [{"type": "End-users (individuals and organizations)"}],
  "attack_vector": "Malware (Python-based executable)",
  "data_breach": {
    "data_encryption": "No (credentials decrypted from browser storage)",
    "data_exfiltration": "Yes (via Discord webhooks and HTTPS POST requests)",
    "file_types_exposed": ["Browser login data", "User documents (based on extensions and size)"],
    "personally_identifiable_information": "Yes (credentials, keystrokes, screenshots)",
    "sensitivity_of_data": "High (login data, financial transactions, personally identifiable information)",
    "type_of_data_compromised": ["Credentials", "Documents", "Keystrokes", "Screenshots"]
  },
  "description": "Cybersecurity firm Cyfirma has uncovered *SolyxImmortal*, a Python-written information stealer targeting Windows systems with evasive data harvesting and surveillance capabilities. The malware, designed for persistent background operation, lacks self-propagation but excels in continuous monitoring of high-value user activities, including authentication and financial transactions.",
  "impact": {
    "data_compromised": "Credentials, documents, keystrokes, screenshots",
    "identity_theft_risk": "High (credentials, personally identifiable information)",
    "operational_impact": "Persistent background monitoring, data exfiltration",
    "payment_information_risk": "High (financial transaction monitoring)",
    "systems_affected": "Windows systems"
  },
  "investigation_status": "Ongoing (discovery by Cyfirma)",
  "lessons_learned": "Growing trend of mid-tier threat actors exploiting legitimate platforms (e.g., Discord, Python) and third-party libraries to deploy surveillance tools without dedicated infrastructure.",
  "motivation": "Data theft, financial gain, surveillance",
  "post_incident_analysis": {
    "root_causes": "Abuse of legitimate APIs (Discord webhooks), Python-based malware with evasive techniques, lack of self-propagation but persistent monitoring"
  },
  "references": [{"source": "Cyfirma"}],
  "response": {"third_party_assistance": "Cyfirma (cybersecurity firm)"},
  "threat_actor": "Low-to-medium sophistication threat actors (Turkish-speaking developer)",
  "title": "New Python-Based Infostealer 'SolyxImmortal' Leverages Legitimate APIs for Stealthy Data Theft",
  "type": "Infostealer"
}