SolyxImmortal represents a notable advancement in information-stealing malware targeting Windows systems. <\/p>\n
This Python-based threat combines multiple data theft capabilities into a single, persistent implant designed for long-term surveillance rather than destructive activity. <\/p>\n
The malware operates silently in the background, collecting credentials, documents, keystrokes, and screenshots while sending stolen information directly to attackers through Discord webhooks. <\/p>\n
Its emergence in January 2026 marks a shift toward stealthier operational models that prioritize continuous monitoring<\/a> over rapid exploitation.<\/p>\n The attack vector centers on distributing the malware, packaged as a legitimate-looking Python script<\/a> named \u201cLethalcompany.py,\u201d to target systems. <\/p>\n Once executed, SolyxImmortal immediately establishes persistence through multiple mechanisms and launches background surveillance threads. <\/p>\n The malware<\/a> does not spread laterally or propagate itself; instead, it focuses entirely on harvesting data from a single compromised device. <\/p>\n This focused approach enables attackers to maintain long-term visibility into user activity without drawing attention.<\/p>\n Cyfirma analysts identified<\/a> SolyxImmortal as a sophisticated threat that leverages legitimate Windows APIs and trusted platforms for command-and-control communication. <\/p>\n The malware\u2019s design reflects operational maturity, emphasizing reliability and stealth over complexity. <\/p>\n By utilizing Discord webhooks for data transmission, attackers exploit the platform\u2019s reputation and HTTPS encryption to avoid network-based detection. <\/p>\n This technique demonstrates how threat actors increasingly abuse legitimate services to hide malicious activity.<\/p>\n The malware establishes persistence by copying itself to a hidden location within the AppData directory, renaming it to resemble a legitimate Windows component. <\/p>\n It then registers itself in the Windows registry Run key, ensuring automatic execution upon each user login without requiring administrative privileges<\/a>. <\/p>\n This approach guarantees continued operation even after system restarts.<\/p>\n SolyxImmortal targets multiple browsers including Chrome, Edge, Brave, and Opera GX by accessing their profile directories. <\/p>\n The malware extracts browser master encryption keys using Windows DPAPI, then decrypts stored credentials through AES-GCM encryption. <\/p>\n Recovered credentials appear in plaintext format before exfiltration<\/a>, indicating minimal local security measures. <\/p>\n The malware also harvests documents by scanning the user\u2019s home directory for files with specific extensions like .pdf, .docx, and .xlsx, filtering results by file size to avoid network overhead. <\/p>\n All stolen artifacts are compressed into a ZIP archive and transmitted to attacker-controlled Discord webhooks, completing the data theft cycle.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Python-based Malware SolyxImmortal Leverages Discord to Silently Harvest Sensitive Data<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"All](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhr8I-_aHVeWsKgFOzRhM1bTgXVTz6KOtSJeM6VWhfd6TjNmdLN6PPZHN-ZWWeuljOTeJ_703ghjuFqLpkG6d__5N750pxCERsNXVgzE0Zl6M3nkg8Ig7sSvvkgtlHBm1HX6c5SfkK10jr2PfgugViboXp-W1JWpIo-idJCnnjvY5RUVmK3rRAFDbiSSKQ\/s16000\/All%2520execution%2520behaviour%2520is%2520hardcoded%2520%28Source%2520-%2520Cyfirma%29.webp?ssl=1\")
![\"Persistence](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiy4nE2L6BBWIWqePZ1NxuKihscdRWMeqrFy010P-IW8BGYAQvAq89-2pmByROcnUQ2LV2DiHDXfmmh0oWpYE1uyThBIbgK6jwm2XSZdezaDM3-7k0RbneB_yqAplED98mTmJ4Nyxf-AC-VkKenMA8lK9Pj4La3CQSob4b7dGAdTfTC0qT76QG8UrHHvEs\/s16000\/Persistence%2520Mechanism%2520%28Source%2520-%2520Cyfirma%29.webp?ssl=1\")
Persistence Mechanism and Browser Credential Theft<\/strong><\/h2>\n
![\"Document](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhPtnItdMySYqEQ8NjUBDFzjAhIeJc-6FuCL5aDnU-HbDiRM7wPQbKqZx99kx14uPHrLtmsHQ7-KIBgU5BS8qn7_EvYR8g5nBhvrRulIdiJ_N4vQcBdMI53M9QtsAbarnXNVsWjMupHRjhqQQz3HRnjPlBv-75hwM0QJF5VQiFHlRZKyrFZRxCc4MSoJos\/s16000\/Document%2520and%2520File%2520Harvesting%2520%28Source%2520-%2520Cyfirma%29.webp?ssl=1\")
![\"Final](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgH1ozeygPkS4RpDCjZJlPoOFGZq1rEKB9K2802kQm8TJYkIL79qPbKVi-J9-s8GyjuE1okc1ayqPX37k6ZFESnwB4G5Y9C5kna84ErHT_KntOqbRec2z4k0SpIDpz-hd29dNUlvbZ2pW49olcpOoNW_GiUnSYbsW5vUs8H3dH-7ivsyzTw7OlkWKgB4YA\/s16000\/Final%2520data%2520zip%2520file%2520%28Source%2520-%2520Cyfirma%29.webp?ssl=1\")