SolyxImmortal represents a notable advancement in information-stealing malware targeting Windows systems.
This Python-based threat combines multiple data theft capabilities into a single, persistent implant designed for long-term surveillance rather than destructive activity.
The malware operates silently in the background, collecting credentials, documents, keystrokes, and screenshots while sending stolen information directly to attackers through Discord webhooks.
Its emergence in January 2026 marks a shift toward stealthier operational models that prioritize continuous monitoring over rapid exploitation.
The attack vector centers on distributing the malware, packaged as a legitimate-looking Python script named “Lethalcompany.py,” to target systems.
.webp "Python-based Malware SolyxImmortal Leverages Discord to Silently Harvest Sensitive Data 2")
Once executed, SolyxImmortal immediately establishes persistence through multiple mechanisms and launches background surveillance threads.
The malware does not spread laterally or propagate itself; instead, it focuses entirely on harvesting data from a single compromised device.
This focused approach enables attackers to maintain long-term visibility into user activity without drawing attention.
Cyfirma analysts identified SolyxImmortal as a sophisticated threat that leverages legitimate Windows APIs and trusted platforms for command-and-control communication.
.webp "Python-based Malware SolyxImmortal Leverages Discord to Silently Harvest Sensitive Data 4")
The malware’s design reflects operational maturity, emphasizing reliability and stealth over complexity.
By utilizing Discord webhooks for data transmission, attackers exploit the platform’s reputation and HTTPS encryption to avoid network-based detection.
This technique demonstrates how threat actors increasingly abuse legitimate services to hide malicious activity.
Persistence Mechanism and Browser Credential Theft
The malware establishes persistence by copying itself to a hidden location within the AppData directory, renaming it to resemble a legitimate Windows component.
It then registers itself in the Windows registry Run key, ensuring automatic execution upon each user login without requiring administrative privileges.
.webp "Python-based Malware SolyxImmortal Leverages Discord to Silently Harvest Sensitive Data 5")
This approach guarantees continued operation even after system restarts.
SolyxImmortal targets multiple browsers including Chrome, Edge, Brave, and Opera GX by accessing their profile directories.
The malware extracts browser master encryption keys using Windows DPAPI, then decrypts stored credentials through AES-GCM encryption.
Recovered credentials appear in plaintext format before exfiltration, indicating minimal local security measures.
The malware also harvests documents by scanning the user’s home directory for files with specific extensions like .pdf, .docx, and .xlsx, filtering results by file size to avoid network overhead.
.webp "Python-based Malware SolyxImmortal Leverages Discord to Silently Harvest Sensitive Data 6")
All stolen artifacts are compressed into a ZIP archive and transmitted to attacker-controlled Discord webhooks, completing the data theft cycle.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
