SolyxImmortal Malware: The Silent Python Information Stealer That Turns Windows Systems Into a Surveillance Trap


Introduction: A New Wave of Python-Based Cyber Espionage

SolyxImmortal is an emerging Python-driven information stealer that represents a dangerous evolution in lightweight but highly effective malware. Unlike traditional heavy malware families, this threat relies on simplicity, native Python modules, and stealth execution to infiltrate Windows systems and quietly harvest sensitive user data. Security researchers have observed its capability to extract browser credentials, capture keystrokes, steal documents, and maintain persistent access without disrupting normal system behavior.

What makes SolyxImmortal especially concerning is its targeted approach. Intelligence reports highlight that it focuses heavily on Turkish-speaking users, embedding localized keywords and behavioral triggers that activate screenshots on sensitive platforms such as banking and email services. Combined with Discord webhook-based exfiltration, this malware transforms a commonly used communication platform into a covert data pipeline for attackers.

Summary of the Original Threat Report: What SolyxImmortal Does

SolyxImmortal is designed to infiltrate Windows systems, establish persistence, and silently collect valuable user data. It uses Python threading and system libraries to maintain continuous surveillance. Once executed, it embeds itself into startup processes, extracts browser credentials from Chromium and Firefox, logs keystrokes, and captures screenshots periodically.

The malware stages stolen data locally before sending it to attacker-controlled Discord webhooks. It is optimized to avoid system detection by limiting file targeting, filtering user-generated content, and using encrypted-like packaging methods. Its focus includes passwords, cookies, documents, and real-time user activity.

Initial Execution and System Infection Chain

Upon execution, SolyxImmortal begins by copying itself into the Windows APPDATA directory under a disguised folder name resembling system graphics components. This helps it blend into legitimate system structures.

It then modifies the Windows registry “Run” key under CurrentVersion, ensuring that every system restart automatically triggers the malware. This persistence mechanism allows it to survive reboots without requiring re-infection.

A temporary staging folder named “Solyx_Pack_Final” is created inside the system TEMP directory, acting as a central hub for collected data before exfiltration.

Browser Credential Theft and Password Extraction

One of the most damaging capabilities of SolyxImmortal is its ability to extract stored credentials from Chromium-based browsers. It retrieves encryption keys from Local State files and decrypts login data stored in SQLite databases.

These credentials, including usernames and passwords, are extracted in plaintext and saved into a file named “sifreler.txt” (sifreler is Turkish for “passwords”).

Firefox cookie databases are also targeted, allowing attackers to hijack active sessions and bypass authentication mechanisms on websites without needing passwords.

File Harvesting and Data Selection Strategy

The malware does not indiscriminately steal all files. Instead, it uses a filtering mechanism to target files between 100 bytes and 10 megabytes.

It avoids system directories and instead focuses on user-generated content such as:

Documents (PDF, DOC, DOCX)

Spreadsheets (XLS, XLSX)

Text files and notes

This selective harvesting reduces noise, improves exfiltration efficiency, and minimizes detection risk by avoiding sensitive system file areas.

Keylogging and Real-Time Activity Monitoring

SolyxImmortal includes a continuous keylogging function that captures every keystroke made by the victim. This data is stored temporarily in a buffer before being packaged every 60 seconds into JSON format.

A dedicated Python thread handles transmission, sending the captured data directly to Discord webhooks controlled by attackers. This allows real-time monitoring of victim activity, including passwords, messages, and search queries.

Screenshot Surveillance and Behavioral Triggers

The malware performs automated screenshots every two minutes to monitor user activity visually. However, it becomes more aggressive when it detects specific window titles.

If a window title matches predefined banking or email-related keywords, the malware immediately captures and exfiltrates the screen. This targeted surveillance increases the likelihood of capturing financial credentials or sensitive communications.

Use of Discord Webhooks for Data Exfiltration

Instead of using traditional command-and-control servers, SolyxImmortal relies on Discord webhooks for stealth data transmission. This technique allows attackers to blend malicious traffic with legitimate Discord API activity.

Each batch of stolen data, including keystrokes, screenshots, and files, is transmitted in structured payloads that resemble normal JSON communication, making detection more challenging for network monitoring tools.
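The fixed cadence described above (keystroke batches every 60 seconds, screenshots every two minutes, each posted as JSON to the same webhook URL) is itself a network detection signal. The following is an added example, not code from the report: it parses constructed proxy-log lines (assumed format: timestamp, client IP, method, full URL, bytes, which implies a TLS-inspecting proxy) and flags clients that POST to Discord webhook URLs at a regular period.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample proxy log (not from the report). 10.0.0.12 posts to a
# webhook roughly every 60 s; 10.0.0.20 posts twice, over an hour apart.
SAMPLE_LOG = """\
2024-05-02T10:00:00Z 10.0.0.12 POST https://discord.com/api/webhooks/1111/abc 1340
2024-05-02T10:00:05Z 10.0.0.12 GET https://www.example.com/index.html 512
2024-05-02T10:00:20Z 10.0.0.12 GET https://discord.com/api/v9/users/@me 300
2024-05-02T10:01:00Z 10.0.0.12 POST https://discord.com/api/webhooks/1111/abc 1402
2024-05-02T10:02:00Z 10.0.0.12 POST https://discord.com/api/webhooks/1111/abc 1377
2024-05-02T10:03:01Z 10.0.0.12 POST https://discord.com/api/webhooks/1111/abc 1390
2024-05-02T10:00:30Z 10.0.0.20 POST https://discord.com/api/webhooks/2222/def 900
2024-05-02T11:15:00Z 10.0.0.20 POST https://discord.com/api/webhooks/2222/def 880
"""

# Webhook URLs live under /api/webhooks/<id>/<token>; ordinary client API calls do not.
WEBHOOK_RE = re.compile(r"https://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/\S+")
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse_webhook_posts(log_text):
    """Return {client_ip: [timestamps]} for every POST to a Discord webhook URL."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, client, method, url, _size = m.groups()
        if method == "POST" and WEBHOOK_RE.match(url):
            posts[client].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return posts


def find_beaconing(log_text, period_s=60, tolerance_s=5, min_posts=3):
    """Flag clients whose webhook POSTs recur at a fixed period (e.g. 60 s batches)."""
    flagged = {}
    for client, stamps in parse_webhook_posts(log_text).items():
        stamps.sort()
        if len(stamps) < min_posts:
            continue  # too few posts to judge a cadence
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if abs(median(gaps) - period_s) <= tolerance_s:
            flagged[client] = {"posts": len(stamps), "median_gap_s": median(gaps)}
    return flagged
```

Run the same function with period_s=120 to hunt for the two-minute screenshot cadence; the median is used so that the occasional trigger-driven screenshot does not hide the baseline interval.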

Technical Breakdown of Persistence and Stealth

SolyxImmortal relies on multiple stealth techniques:

Registry-based persistence in Windows startup keys

Temporary staging directories to avoid direct file exposure

Thread-based execution to simulate normal application behavior

Lightweight Python modules instead of heavy binaries

Selective file targeting to reduce footprint

These combined techniques allow it to remain active for long periods without triggering immediate antivirus alerts.

Indicators of Compromise (IoCs)

SHA-256: 5a1b440861ef652cc207158e7e129f0b3a22ed5ef5d2ea5968e1d9eff33017bc

SHA-1: 81c66c043982cfee9e60ae94203f4336da0b50c0

MD5: 2690f7c685784fff006fe451fa3b154c

ssdeep: 192:A2maqyDhNc90rNsS21W3g/+/X/WqWUC6Dh:A2dV1NcQUZa

Registry Key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsGfxDriver

What Undercode Say: Deep Technical and Strategic Analysis

Python lowers malware development barriers significantly

Threat actors prefer scripting languages for rapid deployment

Discord API abuse is becoming a growing exfiltration trend

Registry persistence remains one of the most effective Windows attack vectors

Browser credential theft is still a primary cybercrime objective

Chromium encryption key extraction is widely exploited in modern malware

File filtering reduces detection surface significantly

Targeted language-based triggers indicate regional cyber espionage

Turkish keyword targeting suggests localized threat campaigns

Multi-threading mimics legitimate application behavior

JSON packaging is used to evade pattern-based detection

Screenshot automation increases credential capture probability

Banking keyword triggers show financial motivation

Email platform targeting suggests account takeover objectives

Lightweight malware is harder to detect in endpoint environments

Temporary staging directories reduce forensic traceability

Local file buffering delays detection by security tools

Discord webhook traffic blends with normal user activity

Python os libraries are heavily abused in malware ecosystems

Keystroke logging remains a core espionage technique

Browser session hijacking bypasses password complexity defenses

Firefox cookie theft enables persistent account access

System directory exclusion reduces crash risk

Malware avoids large files to reduce transmission failure

Continuous surveillance models increase attacker intelligence value

Thread-based execution prevents UI freezing anomalies

Registry Run keys are frequently overlooked in basic scans

Data staging improves compression and packaging efficiency

Cybercriminals prefer trusted cloud platforms for exfiltration

Discord infrastructure abuse complicates blocking strategies

Behavioral triggers indicate adaptive malware design

Real-time monitoring increases attacker reaction speed

Python obfuscation is often minimal but effective

Credential theft remains more valuable than ransomware in some campaigns

Attackers prioritize stealth over destructive payloads

System hygiene failures enable long-term persistence

Endpoint detection requires behavioral analysis, not signature-only scanning

Localized malware suggests regional cybercrime specialization

Multi-vector data theft increases profitability of single infection

SolyxImmortal reflects modern shift toward modular spyware ecosystems

❌ SolyxImmortal is accurately described as a Python-based stealer based on threat intelligence reports, aligning with common infostealer design patterns used in real-world malware campaigns.

⚠️ Claims of Turkish targeting are supported by reported keyword localization, but attribution remains circumstantial and may not confirm geographic origin of attackers.

❌ Use of Discord webhooks for exfiltration is a known and verified tactic in modern malware families, making this behavior highly plausible and consistent with observed cybercrime trends.

Prediction

(-1) The continued use of Python-based malware will likely increase, especially among low-to-mid skill cybercriminal groups due to ease of development and deployment.
(-1) Abuse of legitimate platforms like Discord will expand further, making detection and blocking more complex for enterprise security systems.
(+1) Improved endpoint detection systems may begin identifying behavioral patterns like clipboard scraping, keylogging bursts, and webhook anomalies more effectively in future security updates.

Deep Analysis (System and Incident Response Perspective)

Linux investigation commands for incident analysis:

ps aux | grep python
netstat -tpn | grep -i python
find / -name "sifreler.txt" 2>/dev/null
journalctl -xe | grep -i persistence

Windows investigation commands:

Get-Process | Where-Object {$_.Path -like "*AppData*"}
Get-ItemProperty HKCU:\Software\Microsoft\Windows\CurrentVersion\Run
netstat -ano | findstr :443
Get-ChildItem -Path $env:TEMP -Recurse

macOS investigation commands:

ps aux | grep python
lsof -i -n -P | grep ESTABLISHED
launchctl list | grep suspicious
find ~/Library -name "*.plist"

Network and forensic focus areas:

Monitor webhook traffic anomalies

Inspect registry autorun modifications

Track unusual Python interpreter execution paths

Correlate screenshot bursts with user sessions

Detect abnormal JSON payload transmission intervals
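For the "inspect registry autorun modifications" and "track unusual Python interpreter execution paths" items, here is an added host-side triage example (not code from the report). It takes the HKCU Run values as a name-to-command mapping and scores each entry against the report's IoC value name, a Python interpreter or script in the command line, and execution from the user's AppData tree; the sample entries are constructed, and the live-read helper only works on Windows.

```python
import re
import sys

# Value name taken from the report's IoC list.
KNOWN_BAD_VALUE_NAMES = {"WindowsGfxDriver"}
# python.exe, pythonw.exe, python3.12.exe, or a .py/.pyw script on the command line.
PY_INTERP_RE = re.compile(r"pythonw?(?:\d[\d.]*)?\.exe|\.pyw?\b", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.IGNORECASE)


def triage_run_entries(entries):
    """entries: {value_name: command_line} from HKCU\\...\\CurrentVersion\\Run.
    Returns {value_name: [reasons]} for entries that deserve a closer look."""
    findings = {}
    for name, cmd in entries.items():
        reasons = []
        if name in KNOWN_BAD_VALUE_NAMES:
            reasons.append("value name matches reported IoC")
        if PY_INTERP_RE.search(cmd):
            reasons.append("launches a Python interpreter or script")
        if APPDATA_RE.search(cmd):
            reasons.append("runs from the user's AppData tree")
        if reasons:
            findings[name] = reasons
    return findings


def read_hkcu_run():
    """Read the live HKCU Run key on Windows; returns {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries = {}
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        i = 0
        while True:
            try:
                name, value, _type = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            entries[name] = str(value)
            i += 1
    return entries


# Constructed sample entries (hypothetical paths): one legitimate AppData app,
# one matching the report's pattern, one normal system tray item.
SAMPLE_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "WindowsGfxDriver": r'"C:\Users\alice\AppData\Roaming\WindowsGfxDriver\pythonw.exe" "C:\Users\alice\AppData\Roaming\WindowsGfxDriver\gfx.pyw"',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
}
```

Legitimate software such as OneDrive also runs from AppData, so treat a single AppData hit as a prompt to check the signer and path, while an entry collecting all three reasons warrants immediate isolation and the TEMP and sifreler.txt checks above.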

References:

Reported By: cyberpress.org