SolyxImmortal represents a notable development in information-stealing malware focusing on Home windows methods.
This Python-based menace combines a number of information theft capabilities right into a single, persistent implant designed for long-term surveillance fairly than damaging exercise.
The malware operates silently within the background, accumulating credentials, paperwork, keystrokes, and screenshots whereas sending stolen data on to attackers by Discord webhooks.
Its emergence in January 2026 marks a shift towards stealthier operational fashions that prioritize steady monitoring over speedy exploitation.
The assault vector facilities on distributing the malware, packaged as a legitimate-looking Python script named “Lethalcompany.py,” to focus on methods.
All execution behaviour is hardcoded (Supply – Cyfirma)
As soon as executed, SolyxImmortal instantly establishes persistence by a number of mechanisms and launches background surveillance threads.
The malware doesn’t unfold laterally or propagate itself; as a substitute, it focuses solely on harvesting information from a single compromised gadget.
This targeted method allows attackers to keep up long-term visibility into person exercise with out drawing consideration.
Cyfirma analysts recognized SolyxImmortal as a complicated menace that leverages authentic Home windows APIs and trusted platforms for command-and-control communication.
Persistence Mechanism (Supply – Cyfirma)
The malware’s design displays operational maturity, emphasizing reliability and stealth over complexity.
By using Discord webhooks for information transmission, attackers exploit the platform’s popularity and HTTPS encryption to keep away from network-based detection.
This system demonstrates how menace actors more and more abuse authentic providers to cover malicious exercise.
Persistence Mechanism and Browser Credential Theft
The malware establishes persistence by copying itself to a hidden location inside the AppData listing, renaming it to resemble a authentic Home windows part.
It then registers itself within the Home windows registry Run key, guaranteeing computerized execution upon every person login with out requiring administrative privileges.
Doc and File Harvesting (Supply – Cyfirma)
This method ensures continued operation even after system restarts.
SolyxImmortal targets a number of browsers together with Chrome, Edge, Courageous, and Opera GX by accessing their profile directories.
The malware extracts browser grasp encryption keys utilizing Home windows DPAPI, then decrypts saved credentials by AES-GCM encryption.
Recovered credentials seem in plaintext format earlier than exfiltration, indicating minimal native safety measures.
The malware additionally harvests paperwork by scanning the person’s house listing for recordsdata with particular extensions like .pdf, .docx, and .xlsx, filtering outcomes by file dimension to keep away from community overhead.
Remaining information zip file (Supply – Cyfirma)
All stolen artifacts are compressed right into a ZIP archive and transmitted to attacker-controlled Discord webhooks, finishing the information theft cycle.
Observe us on Google Information, LinkedIn, and X to Get Extra On the spot Updates, Set CSN as a Most popular Supply in Google.
