Introduction: A New Wave of Python-Based Cyber Espionage
SolyxImmortal is an emerging Python-driven information stealer that represents a dangerous evolution in lightweight but highly effective malware. Unlike traditional heavy malware families, this threat relies on simplicity, native Python modules, and stealth execution to infiltrate Windows systems and quietly harvest sensitive user data. Security researchers have observed its capability to extract browser credentials, capture keystrokes, steal documents, and maintain persistent access without disrupting normal system behavior.
What makes SolyxImmortal especially concerning is its targeted approach. Intelligence reports highlight that it focuses heavily on Turkish-speaking users, embedding localized keywords and behavioral triggers that activate screenshots on sensitive platforms such as banking and email services. Combined with Discord webhook-based exfiltration, this malware transforms a commonly used communication platform into a covert data pipeline for attackers.
Summary of the Original Threat Report: What SolyxImmortal Does
SolyxImmortal is designed to infiltrate Windows systems, establish persistence, and silently collect valuable user data. It uses Python threading and system libraries to maintain continuous surveillance. Once executed, it embeds itself into startup processes, extracts browser credentials from Chromium and Firefox, logs keystrokes, and captures screenshots periodically.
The malware stages stolen data locally before sending it to attacker-controlled Discord webhooks. It keeps a low profile by limiting which files it takes, filtering for user-generated content, and packaging the staged data in a form the report describes as resembling encrypted content. Its focus includes passwords, cookies, documents, and real-time user activity.
Initial Execution and System Infection Chain
Upon execution, SolyxImmortal begins by copying itself into the Windows APPDATA directory under a disguised folder name resembling system graphics components. This helps it blend into legitimate system structures.
It then modifies the Windows registry “Run” key under CurrentVersion, ensuring that every system restart automatically triggers the malware. This persistence mechanism allows it to survive reboots without requiring re-infection.
A temporary staging folder named “Solyx_Pack_Final” is created inside the system TEMP directory, acting as a central hub for collected data before exfiltration.
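The three steps above (a copy under APPDATA, a Run-key value, a staging folder in TEMP) are what a first-pass host triage should look for. The script below is an added example for this page, not SolyxImmortal's code: it scores Run-key entries with generic heuristics (user-writable launch path, script host, reported value name) and checks the TEMP listing for the staging folder. The Run-key values and the TEMP listing it ships with are constructed sample data; on a Windows host `load_run_entries()` reads the real HKCU Run key instead, and the `pythonw.exe`/`gfx.pyw` command line is an assumption about how a Python payload would be launched, not a detail from the report.

```python
"""Triage of Windows Run-key autoruns and TEMP staging folders.

Added example for this page; it is not SolyxImmortal's code. The Run-key
values and the TEMP listing below are constructed sample data. On a Windows
host, load_run_entries() reads the real HKCU Run key instead.
"""
import sys

# Indicators taken from the report.
REPORTED_RUN_VALUE = "WindowsGfxDriver"
REPORTED_STAGING_DIR = "Solyx_Pack_Final"

# Generic heuristics, independent of the IOCs above.
SCRIPT_HOSTS = ("python.exe", "pythonw.exe", "py.exe", "wscript.exe",
                "cscript.exe", "powershell.exe", "mshta.exe")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Constructed sample: value name -> command line (the pythonw/.pyw launch is assumed).
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    "WindowsGfxDriver": r"C:\Users\alice\AppData\Roaming\WindowsGfxDriver\pythonw.exe "
                        r"C:\Users\alice\AppData\Roaming\WindowsGfxDriver\gfx.pyw",
}
SAMPLE_TEMP_LISTING = ["tmp1a2b.tmp", "Solyx_Pack_Final", "vscode-update"]  # constructed


def flag_run_entry(name, command):
    """Return the reasons an autorun entry deserves a look; an empty list means nothing stood out."""
    reasons = []
    cmd = command.lower()
    if name.lower() == REPORTED_RUN_VALUE.lower():
        reasons.append("value name matches the reported IOC")
    if any(hint in cmd for hint in USER_WRITABLE):
        reasons.append("launches from a user-writable directory")
    if any(host in cmd for host in SCRIPT_HOSTS) or cmd.rstrip().endswith((".py", ".pyw")):
        reasons.append("runs a script host or script file instead of a signed binary")
    return reasons


def triage_run_entries(entries):
    """Map each flagged value name to its reasons, entries with the most reasons first."""
    flagged = {n: r for n, c in entries.items() if (r := flag_run_entry(n, c))}
    return dict(sorted(flagged.items(), key=lambda kv: -len(kv[1])))


def find_staging_dirs(temp_listing):
    """Names under %TEMP% matching the reported staging folder (case-insensitive)."""
    return [d for d in temp_listing if d.lower() == REPORTED_STAGING_DIR.lower()]


def load_run_entries():
    """Read HKCU\\Software\\...\\Run on Windows; fall back to the constructed sample elsewhere."""
    if sys.platform != "win32":
        return SAMPLE_RUN_ENTRIES
    import winreg
    entries = {}
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    with key:
        i = 0
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            entries[name] = str(value)
            i += 1
    return entries


if __name__ == "__main__":
    for name, reasons in triage_run_entries(load_run_entries()).items():
        print(f"[{len(reasons)}] {name}: {'; '.join(reasons)}")
    for d in find_staging_dirs(SAMPLE_TEMP_LISTING):
        print(f"staging folder present: {d}")
```

Note that a legitimate OneDrive autorun also trips the "user-writable directory" heuristic, which is why the entries are ranked by how many reasons stack up rather than flagged on any single one: the reported entry collects all three.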
Browser Credential Theft and Password Extraction
One of the most damaging capabilities of SolyxImmortal is its ability to extract stored credentials from Chromium-based browsers. It reads the DPAPI-protected master key from the browser's Local State file and uses it to decrypt the login entries stored in the Login Data SQLite database.
These credentials, including usernames and passwords, are recovered in plaintext and written to a file named “sifreler.txt” (Turkish şifreler, “passwords”).
Firefox cookie databases are also targeted, allowing attackers to hijack active sessions and bypass authentication mechanisms on websites without needing passwords.
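The credential theft described above leaves a narrow footprint: a process that is not a browser opens Local State, Login Data, cookies.sqlite or similar, and usually first copies the locked SQLite file somewhere else. The detector below is an added example for this page, not code from SolyxImmortal or the report. Its input records are constructed file-access telemetry with the fields image, action and path (on a real host they would come from EDR file events or Windows object-access auditing with a SACL on the profile directory); the browser allow-list and the assumed `pythonw.exe` image are tuning choices, not facts from the report.

```python
"""Flagging processes that touch browser credential stores.

Added example for this page, not code from SolyxImmortal or the report.
The records below are constructed file-access telemetry (image, action,
path); the browser allow-list is an assumption to tune per environment.
"""
import ntpath

# Files the reported techniques need: Chromium's Local State (DPAPI-wrapped
# AES key) and Login Data (SQLite with encrypted passwords), plus the
# Firefox cookie and login databases.
CREDENTIAL_STORES = {
    "local state", "login data", "cookies", "web data",  # Chromium family
    "cookies.sqlite", "key4.db", "logins.json",           # Firefox
}

# Images expected to open those files (assumed allow-list).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe",
                  "vivaldi.exe", "firefox.exe"}

SAMPLE_EVENTS = [  # constructed telemetry, in log order
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "action": "read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"image": r"C:\Users\alice\AppData\Roaming\WindowsGfxDriver\pythonw.exe", "action": "read",
     "path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"},
    {"image": r"C:\Users\alice\AppData\Roaming\WindowsGfxDriver\pythonw.exe", "action": "create",
     "path": r"C:\Users\alice\AppData\Local\Temp\Solyx_Pack_Final\Login Data"},
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "action": "read",
     "path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\cookies.sqlite"},
    {"image": r"C:\Windows\System32\notepad.exe", "action": "read",
     "path": r"C:\Users\alice\Documents\notes.txt"},
]


def is_credential_store(path):
    """True if the file name is one of the browser credential/cookie stores."""
    return ntpath.basename(path).lower() in CREDENTIAL_STORES


def in_profile_dir(path):
    """True for paths under a Chromium 'User Data' or Firefox 'Profiles' tree."""
    p = path.lower()
    return "\\user data\\" in p or "\\profiles\\" in p


def classify_event(event):
    """Return a reason string if the event is suspicious, else None."""
    if not is_credential_store(event["path"]):
        return None
    image = ntpath.basename(event["image"]).lower()
    name = ntpath.basename(event["path"])
    if image not in BROWSER_IMAGES:
        # Stealers usually copy the browser-locked SQLite file first, so a
        # create of "Login Data" outside the profile is the stronger signal.
        where = "in the browser profile" if in_profile_dir(event["path"]) else "outside a browser profile"
        return f"non-browser process {image} did {event['action']} on {name} {where}"
    if event["action"] == "create" and not in_profile_dir(event["path"]):
        return f"{image} wrote {name} outside its profile directory"
    return None


def detect(events):
    """(index, reason) for every suspicious event, in log order."""
    hits = []
    for i, ev in enumerate(events):
        reason = classify_event(ev)
        if reason:
            hits.append((i, reason))
    return hits


if __name__ == "__main__":
    for i, reason in detect(SAMPLE_EVENTS):
        print(f"event {i}: {reason}")
```

Backup agents and sync clients will also read these files, so in production the allow-list grows per environment; the copy-outside-profile signal is the one that survives that tuning, because nothing legitimate recreates Login Data under TEMP.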
File Harvesting and Data Selection Strategy
The malware does not indiscriminately steal all files. Instead, it uses a filtering mechanism to target files between 100 bytes and 10 megabytes.
It avoids system directories and instead focuses on user-generated content such as:
Documents (PDF, DOC, DOCX)
Spreadsheets (XLS, XLSX)
Text files and notes
This selective harvesting reduces noise, improves exfiltration efficiency, and minimizes detection risk by avoiding sensitive system file areas.
Keylogging and Real-Time Activity Monitoring
SolyxImmortal includes a continuous keylogging function that captures every keystroke made by the victim. This data is stored temporarily in a buffer before being packaged every 60 seconds into JSON format.
A dedicated Python thread handles transmission, sending the captured data directly to Discord webhooks controlled by attackers. This allows real-time monitoring of victim activity, including passwords, messages, and search queries.
Screenshot Surveillance and Behavioral Triggers
The malware performs automated screenshots every two minutes to monitor user activity visually. However, it becomes more aggressive when it detects specific window titles.
If a window title matches predefined banking or email-related keywords, the malware immediately captures and exfiltrates the screen. This targeted surveillance increases the likelihood of capturing financial credentials or sensitive communications.
Use of Discord Webhooks for Data Exfiltration
Instead of using traditional command-and-control servers, SolyxImmortal relies on Discord webhooks for stealth data transmission. This technique allows attackers to blend malicious traffic with legitimate Discord API activity.
Each batch of stolen data, including keystrokes, screenshots, and files, is transmitted in structured payloads that resemble normal JSON communication, making detection more challenging for network monitoring tools.
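Because webhook POSTs use the same host and TLS as ordinary Discord traffic, the network-side signal is timing and volume rather than destination: the report describes a 60-second keylog batch, a two-minute screenshot cadence, and triggered screenshots on top of both. The analyzer below is an added example for this page, not code from SolyxImmortal or the report. It parses a constructed proxy log in an assumed format (`<ISO-8601 UTC time> <client IP> <method> <URL> <bytes sent>`; adapt `LINE_RE` to your own export), groups POSTs per client and webhook id, and calls a sender beaconing when most of its inter-request gaps cluster around the median gap. The median is used on purpose so a burst such as a triggered screenshot does not hide the underlying schedule, and the webhook token is dropped from the output so a finding never carries a usable secret.

```python
"""Spotting Discord-webhook beaconing in proxy logs.

Added example for this page, not code from SolyxImmortal or the original
report. The log lines are constructed and the field layout is an assumed
proxy export format; adapt LINE_RE to your own logs.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
# Webhook URL shape: https://discord.com/api/webhooks/<id>/<token>
WEBHOOK_RE = re.compile(
    r"https://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([^/\s?]+)")

# Constructed sample: one host posting every 60 s (plus one large upload at
# 10:02:03), one host using a webhook twice for ordinary chat integration.
SAMPLE_PROXY_LOG = """\
2024-05-01T10:00:00Z 10.1.2.3 POST https://discord.com/api/webhooks/1111111111111111111/AbCdEf_tokenvalue 1480
2024-05-01T10:00:15Z 10.1.2.9 GET https://discord.com/api/v9/users/@me 312
2024-05-01T10:01:00Z 10.1.2.3 POST https://discord.com/api/webhooks/1111111111111111111/AbCdEf_tokenvalue 1512
2024-05-01T10:02:00Z 10.1.2.3 POST https://discord.com/api/webhooks/1111111111111111111/AbCdEf_tokenvalue 1495
2024-05-01T10:02:03Z 10.1.2.3 POST https://discord.com/api/webhooks/1111111111111111111/AbCdEf_tokenvalue 214900
2024-05-01T10:03:00Z 10.1.2.3 POST https://discord.com/api/webhooks/1111111111111111111/AbCdEf_tokenvalue 1470
2024-05-01T10:04:00Z 10.1.2.3 POST https://discord.com/api/webhooks/1111111111111111111/AbCdEf_tokenvalue 1503
2024-05-01T10:07:41Z 10.1.2.9 POST https://discord.com/api/webhooks/2222222222222222222/ZzYyXx_othertoken 640
2024-05-01T10:31:05Z 10.1.2.9 POST https://discord.com/api/webhooks/2222222222222222222/ZzYyXx_othertoken 655
"""


def parse_webhook_posts(log_text):
    """Yield (timestamp, client, webhook_id, bytes) for each POST to a Discord webhook.
    The webhook token is deliberately not returned."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url, size = m.groups()
        hook = WEBHOOK_RE.match(url)
        if method != "POST" or not hook:
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        yield when, client, hook.group(1), int(size)


def analyze_webhook_traffic(log_text, min_posts=3, tolerance=0.10,
                            min_regular=0.6, bulk_bytes=100_000):
    """Group webhook POSTs per (client, webhook) and score them for beaconing.

    A sender is beaconing when it made at least min_posts requests and at least
    min_regular of the inter-request gaps lie within tolerance of the median gap.
    Uploads of bulk_bytes or more are counted separately (screenshots, files).
    """
    groups = defaultdict(list)
    for when, client, hook_id, size in parse_webhook_posts(log_text):
        groups[(client, hook_id)].append((when, size))

    findings = []
    for (client, hook_id), events in groups.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if len(gaps) >= 2:
            median = statistics.median(gaps)
            regular = sum(abs(g - median) <= tolerance * median for g in gaps) / len(gaps)
        else:  # too few requests to talk about a schedule
            median, regular = (gaps[0] if gaps else 0.0), 0.0
        findings.append({
            "client": client,
            "webhook_id": hook_id,
            "posts": len(events),
            "median_interval_s": median,
            "regular_fraction": regular,
            "bulk_uploads": sum(size >= bulk_bytes for _, size in events),
            "beaconing": len(events) >= min_posts and regular >= min_regular,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze_webhook_traffic(SAMPLE_PROXY_LOG):
        print(finding)
```

On the sample, the 10.1.2.3 sender has gaps of 60, 60, 3, 57 and 60 seconds; four of five sit within 10% of the 60-second median, so it is reported as beaconing with one bulk upload, while the two chat-integration posts from 10.1.2.9 fall below the minimum count. Thresholds are starting points: a longer window and a per-webhook baseline are what make this usable at scale.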
Technical Breakdown of Persistence and Stealth
SolyxImmortal relies on multiple stealth techniques:
Registry-based persistence in Windows startup keys
Temporary staging directories to avoid direct file exposure
Thread-based execution to simulate normal application behavior
Lightweight Python modules instead of heavy binaries
Selective file targeting to reduce footprint
These combined techniques allow it to remain active for long periods without triggering immediate antivirus alerts.
Indicators of Compromise (IoCs)
SHA-256: 5a1b440861ef652cc207158e7e129f0b3a22ed5ef5d2ea5968e1d9eff33017bc
SHA-1: 81c66c043982cfee9e60ae94203f4336da0b50c0
MD5: 2690f7c685784fff006fe451fa3b154c
ssdeep: 192:A2maqyDhNc90rNsS21W3g/+/X/WqWUC6Dh:A2dV1NcQUZa
Registry value: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsGfxDriver
What Undercode Say: Deep Technical and Strategic Analysis
Python lowers malware development barriers significantly
Threat actors prefer scripting languages for rapid deployment
Discord API abuse is becoming a growing exfiltration trend
Registry persistence remains one of the most effective Windows attack vectors
Browser credential theft is still a primary cybercrime objective
Chromium encryption key extraction is widely exploited in modern malware
File filtering reduces detection surface significantly
Targeted language-based triggers indicate regional cyber espionage
Turkish keyword targeting suggests localized threat campaigns
Multi-threading mimics legitimate application behavior
JSON packaging is used to evade pattern-based detection
Screenshot automation increases credential capture probability
Banking keyword triggers show financial motivation
Email platform targeting suggests account takeover objectives
Lightweight malware is harder to detect in endpoint environments
Temporary staging directories reduce forensic traceability
Local file buffering delays detection by security tools
Discord webhook traffic blends with normal user activity
Python os libraries are heavily abused in malware ecosystems
Keystroke logging remains a core espionage technique
Browser session hijacking bypasses password complexity defenses
Firefox cookie theft enables persistent account access
System directory exclusion reduces crash risk
Malware avoids large files to reduce transmission failure
Continuous surveillance models increase attacker intelligence value
Thread-based execution prevents UI freezing anomalies
Registry Run keys are frequently overlooked in basic scans
Data staging improves compression and packaging efficiency
Cybercriminals prefer trusted cloud platforms for exfiltration
Discord infrastructure abuse complicates blocking strategies
Behavioral triggers indicate adaptive malware design
Real-time monitoring increases attacker reaction speed
Python obfuscation is often minimal but effective
Credential theft remains more valuable than ransomware in some campaigns
Attackers prioritize stealth over destructive payloads
System hygiene failures enable long-term persistence
Endpoint detection requires behavioral analysis, not signature-only scanning
Localized malware suggests regional cybercrime specialization
Multi-vector data theft increases profitability of single infection
SolyxImmortal reflects modern shift toward modular spyware ecosystems
✅ SolyxImmortal is accurately described as a Python-based stealer based on threat intelligence reports, aligning with common infostealer design patterns used in real-world malware campaigns.
⚠️ Claims of Turkish targeting are supported by reported keyword localization, but attribution remains circumstantial and may not confirm geographic origin of attackers.
✅ Use of Discord webhooks for exfiltration is a known and verified tactic in modern malware families, making this behavior highly plausible and consistent with observed cybercrime trends.
Prediction
(-1) The continued use of Python-based malware will likely increase, especially among low-to-mid skill cybercriminal groups due to ease of development and deployment.
(-1) Abuse of legitimate platforms like Discord will expand further, making detection and blocking more complex for enterprise security systems.
(+1) Improved endpoint detection systems may begin identifying behavioral patterns like keylogging bursts, periodic screenshot capture, and webhook traffic anomalies more effectively in future security updates.
Deep Analysis (System and Incident Response Perspective)
SolyxImmortal is a Windows threat, so the Windows commands are the ones that matter for this case; the Linux and macOS commands are generic checks for an unexpected Python process and its network activity on other hosts in the estate.
Linux investigation commands for incident analysis:
ps aux | grep -i python
ss -tnp
find / -name "sifreler.txt" 2>/dev/null
journalctl -xe | grep -i python
Note: ss -tnp lists established connections with owning PIDs and numeric addresses; match the Discord endpoints against DNS logs (discord.com, discordapp.com) rather than grepping for a hostname.
Windows investigation commands:
Get-Process | Where-Object { $_.Path -like "*\AppData\*" }
Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
netstat -ano | findstr :443
Get-ChildItem -Path $env:TEMP -Recurse -Filter "Solyx_Pack_Final"
Note: map the PIDs from netstat -ano back to Get-Process output; port 443 alone is all HTTPS traffic, and the interesting entry is a Python process under AppData holding a connection to Discord.
macOS investigation commands:
ps aux | grep -i python
lsof -i -n -P | grep ESTABLISHED
launchctl list
find ~/Library/LaunchAgents -name "*.plist"
Network and forensic focus areas:
Monitor webhook traffic anomalies
Inspect registry autorun modifications
Track unusual Python interpreter execution paths
Correlate screenshot bursts with user sessions
Detect abnormal JSON payload transmission intervals
References:
Reported By: cyberpress.org