Silent Python Nightmare: How SolyxImmortal Steals Passwords, Watches Screens, and Exfiltrates Everything Through Discord + Video


Introduction: A Quiet Digital Intrusion With Loud Consequences

SolyxImmortal is not just another piece of malware floating in the wild. It represents a growing trend of Python-based information stealers that blur the line between simplicity and destructive capability. Built to operate quietly on Windows systems, it focuses on harvesting browser credentials, keystrokes, documents, and screenshots while remaining hidden in plain sight. What makes it especially concerning is its use of familiar platforms like Discord for data exfiltration, turning a popular communication tool into a covert command channel for cyber theft.

Summary of the Original Threat Intelligence

The malware, identified in threat intelligence reports by Cyfirma and supported by additional research, is a Python-driven infostealer targeting Windows environments. It extracts Chromium-based browser credentials, Firefox cookies, and sensitive files, while also logging keystrokes continuously. SolyxImmortal uses persistence techniques such as registry modification and file duplication into system directories. It also targets Turkish-speaking users specifically, using localized keywords for triggering screenshots during sensitive sessions such as banking or email logins.

SolyxImmortal Malware Architecture and Design

SolyxImmortal is built using standard Python modules, leveraging threading, OS interaction, and cryptographic libraries. This design choice makes it lightweight yet extremely effective. The malware’s structure allows simultaneous data collection tasks without slowing down the infected system, creating a silent surveillance layer that users rarely notice.

Initial Execution and System Infiltration

Upon execution, SolyxImmortal immediately duplicates itself into the Windows APPDATA directory under a disguised folder name resembling system graphics components. This step ensures the malware blends into legitimate system files, reducing suspicion during manual inspection or automated scans.

Persistence Through Registry Manipulation

To guarantee long-term survival on the infected host, SolyxImmortal adds an entry under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key pointing at its copied payload. Windows launches every value in this key at user logon, so the malware is effectively locked into the boot cycle of the operating system.
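A defender-side triage of that Run key, added here as an example rather than code from the report or from the malware: it parses the output of the `reg query` command listed later on this page and flags entries that launch a Python interpreter, a .py/.pyw script, or anything under AppData\Roaming or TEMP. The sample output and the "GfxHost" entry are constructed to imitate the graphics-themed disguise the report describes; the real folder name is not given on this page.

```python
import re
import subprocess
import sys
from typing import List, Tuple

# Constructed sample of `reg query` output (not data from the real sample); "GfxHost" imitates the disguise.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    GfxHost     REG_SZ    "C:\Users\alice\AppData\Roaming\GfxHost\pythonw.exe" "C:\Users\alice\AppData\Roaming\GfxHost\gfxhost.pyw"
    Teams       REG_SZ    "C:\Program Files\Teams\Teams.exe" --autostart
"""

ENTRY_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")
# Python interpreters: python.exe, pythonw.exe, python3.11.exe, py.exe
INTERPRETER_RE = re.compile(r"(?:^|[\\\s\"])(?:python|pythonw|py)[\d.]*\.exe\b", re.I)
SCRIPT_RE = re.compile(r"\.pyw?\b", re.I)
# User-writable locations the report names: APPDATA (Roaming) and TEMP
USER_WRITABLE_RE = re.compile(r"\\AppData\\(?:Roaming|Local\\Temp)\\", re.I)

def parse_reg_query(text: str) -> List[Tuple[str, str]]:
    """Return (value_name, command) pairs from `reg query ...\\Run` output."""
    matches = (ENTRY_RE.match(line) for line in text.splitlines())
    return [(m.group(1), m.group(3).strip()) for m in matches if m]

def triage_run_entries(entries) -> List[Tuple[str, List[str]]]:
    """Flag autorun entries that look like a Python stealer: an interpreter, a .py/.pyw
    script, or a command under AppData\\Roaming or TEMP (vendor apps in AppData\\Local pass)."""
    findings = []
    for name, cmd in entries:
        reasons = []
        if INTERPRETER_RE.search(cmd):
            reasons.append("python interpreter")
        if SCRIPT_RE.search(cmd):
            reasons.append(".py/.pyw script")
        if USER_WRITABLE_RE.search(cmd):
            reasons.append("user-writable path")
        if reasons:
            findings.append((name, reasons))
    return findings

def query_live_run_key() -> List[Tuple[str, str]]:
    """Run the page's `reg query` on a live Windows host; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    key = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
    proc = subprocess.run(["reg", "query", key], capture_output=True, text=True)
    return parse_reg_query(proc.stdout)
```

On a live host, `triage_run_entries(query_live_run_key())` gives the same findings for the real key; a hit is a lead to inspect, not proof of infection.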

Staging and Data Preparation

Before exfiltration, the malware creates a temporary staging directory called Solyx_Pack_Final inside the system TEMP folder. This folder becomes a collection point for all stolen credentials, files, and logs before they are compressed or formatted for transfer.

Browser Credential Theft Mechanism

SolyxImmortal specifically targets Chromium-based browsers by extracting the decryption key from each browser's Local State file. This key lets the malware decrypt the saved passwords held in the browser's SQLite login database, exposing usernames and credentials in plain text. The stolen data is saved in a file named “sifreler.txt” ("sifreler" is Turkish for "passwords"), reinforcing its Turkish targeting focus.

Expanded Data Harvesting Beyond Browsers

Beyond browser credentials, the malware scans Firefox cookie stores and searches for user documents including PDFs, Word files, Excel sheets, and plain text documents. It selectively ignores system files and focuses on user-generated content, ensuring maximum value extraction with minimal system disruption.

Selective File Targeting Strategy

To optimize exfiltration speed, SolyxImmortal only targets files ranging between 100 bytes and 10 megabytes. This avoids system-critical files while prioritizing documents likely to contain personal or corporate data.

Keylogging Surveillance Engine

The malware includes a continuous keylogger that records every keystroke made by the victim. This data is temporarily stored in memory buffers and periodically packaged into structured JSON payloads for transmission.

Discord-Based Data Exfiltration

Every 60 seconds, SolyxImmortal uses a Python thread to post the collected data to attacker-controlled Discord webhooks. Because the transfer is an HTTPS request to a legitimate, widely used service, it blends in with normal Discord traffic and evades controls that only look for unknown command-and-control domains.
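One way to catch that 60-second cadence on the network side, as an added example that is not part of the report: it parses constructed proxy log lines (timestamp, client IP, method, URL), keeps only POSTs to Discord webhook URLs, and alerts when a client hits the same webhook at a steady interval close to the period. The webhook id and token in the sample are placeholders, not indicators from the report.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from urllib.parse import urlparse

# Constructed proxy log lines (not real traffic): timestamp, client, method, URL.
# The webhook id/token below are placeholders, not indicators from the report.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.7 POST https://discord.com/api/webhooks/1234567890/abcDEF
2024-05-01T10:00:12Z 10.0.0.9 GET https://discord.com/api/v9/users/@me
2024-05-01T10:01:00Z 10.0.0.7 POST https://discord.com/api/webhooks/1234567890/abcDEF
2024-05-01T10:01:58Z 10.0.0.7 POST https://discord.com/api/webhooks/1234567890/abcDEF
2024-05-01T10:03:01Z 10.0.0.7 POST https://discord.com/api/webhooks/1234567890/abcDEF
2024-05-01T10:03:30Z 10.0.0.9 POST https://discord.com/api/webhooks/555/xyz
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
DISCORD_HOSTS = {"discord.com", "discordapp.com"}

def parse_log(text):
    """Yield (timestamp, client, method, url) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, url = m.groups()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, method, url

def find_webhook_beacons(text, period=60.0, tolerance=5.0, min_hits=3):
    """Group webhook POSTs per (client, webhook id) and alert when the median gap
    between posts is within `tolerance` seconds of `period` (60 s for this stealer)."""
    series = defaultdict(list)
    for ts, src, method, url in parse_log(text):
        u = urlparse(url)
        if method == "POST" and u.hostname in DISCORD_HOSTS and u.path.startswith("/api/webhooks/"):
            # key on the webhook id only; the token is not needed in an alert
            hook = "/".join(u.path.split("/")[:4])
            series[(src, hook)].append(ts)
    alerts = []
    for (src, hook), times in series.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mid = median(gaps)
        if abs(mid - period) <= tolerance:
            alerts.append({"src": src, "webhook": hook, "hits": len(times), "median_gap": mid})
    return alerts
```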

Screen Capture and Behavioral Monitoring

In addition to logging keystrokes, the malware captures screenshots every two minutes. It also triggers instant captures when window titles match sensitive keywords such as banking portals or email services, indicating a focus on financial theft.

Targeted Turkish User Exploitation

SolyxImmortal shows clear targeting toward Turkish-speaking victims. Hardcoded Turkish phrases and keywords are embedded in the malware logic, especially for detecting banking activity and labeling stolen credential files.

What Undercode Says:

Python malware is becoming a preferred weapon due to its simplicity and portability

Discord webhook abuse demonstrates how legitimate platforms can be weaponized

Persistence via registry keys remains one of the most effective stealth techniques

Browser credential theft is still the primary objective of modern infostealers

Localized targeting shows attackers now design region-specific malware campaigns

Threading allows continuous surveillance without system interruption

Temporary staging folders reduce detection probability during file collection

Keylogging remains a reliable method for capturing sensitive credentials

JSON formatting indicates structured exfiltration pipelines

Multi-module Python use lowers development complexity for attackers

File filtering improves efficiency and avoids system crashes

Screen capture automation increases attack precision

Banking keyword triggers show financial motivation behind the malware

Firefox and Chromium targeting covers most user bases

Discord APIs reduce infrastructure costs for attackers

Registry persistence ensures reboot survival

AppData hiding technique exploits trusted system directories

Exfiltration timing every 60 seconds reduces detection windows

Screenshot intervals balance stealth and data collection

Local language usage suggests cultural targeting strategy

Credential dumping into text files simplifies attacker access

Multi-threading increases parallel data collection efficiency

Temporary buffers reduce memory footprint visibility

System directory exclusion prevents crashes and alerts

Malware prioritizes user-generated content over system files

JSON payload structure suggests automation on attacker side

Screen monitoring indicates hybrid spyware capabilities

Python ecosystem enables rapid malware development

Stealth design focuses on blending into normal processes

Banking keyword detection implies real-time financial theft

Clipboard and keystroke capture increases credential exposure

Malware lifecycle is fully automated after execution

Use of Discord avoids traditional C2 infrastructure detection

File size filtering reduces forensic trace footprint

Persistence mechanisms survive system reboot cycles

Credential extraction relies on browser encryption weaknesses

Local staging folders act as malware workspace

Multi-vector data theft increases attacker success rate

Automation reduces attacker manual involvement

SolyxImmortal represents evolution of lightweight spyware engineering

✅ Threat behavior aligns with known Python-based infostealer patterns
❌ Discord webhook abuse is not exclusive to this malware family
✅ Browser credential extraction from Chromium Local State files is technically valid and widely documented

Prediction

(+1) Python-based infostealers will continue to rise due to ease of development and cross-platform adaptability 📈
(+1) Abuse of legitimate platforms like Discord will increase as attackers seek low-cost infrastructure channels 🌐
(-1) Detection systems will gradually improve against registry-based persistence and webhook exfiltration techniques 🛡️

Deep Analysis: Technical Breakdown and Security Commands

Windows Inspection Commands

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
tasklist /v
wmic process list full

Linux Threat Hunting Equivalents

ps aux | grep python
lsof -i -n -P
cat ~/.bash_history

File Forensics

find / -type f -size +100c -size -10M
sha256sum suspicious_file.py

Network Monitoring

netstat -ano
tcpdump -i any port 443

Behavioral Response Strategy

Isolate infected host immediately from network

Inspect AppData and TEMP directories for staged payloads

Analyze registry Run keys for persistence entries

Block Discord webhook endpoints at firewall level

Extract memory snapshots for keylogger artifacts



References:

Reported By: cyberpress.org
