Verticals Targeted: None specified
Regions Targeted: None specified
Related Families: None
Executive Summary
SolyxImmortal is a Python-based information stealer that functions as a persistent implant on Windows systems. It combines several surveillance capabilities in a single continuously running process. Collected data is staged locally, compressed, and exfiltrated to Discord webhooks over HTTPS; the staging files are then deleted to reduce forensic traces while the implant retains long-term access.
Key Takeaways
- The malware implements multi-threaded surveillance including keystroke logging, active window monitoring for sensitive contexts, and both event-driven and interval-based screenshot capture.
- It extracts and decrypts browser credentials from Chromium-based applications using DPAPI and AES-GCM, alongside recursive harvesting of document files by extension and size filters.
- It establishes persistence via AppData replication with hidden/system attributes and user-level Run key registration, requiring no administrative rights.
- It exfiltrates staged, compressed data, including credentials, documents, logs, and screenshots, through HTTPS POSTs to hardcoded Discord webhooks, followed by local cleanup to minimize artifacts.
What is SOLYXIMMORTAL?
SolyxImmortal is a Python-based information stealer that functions as a persistent implant on Windows systems. It combines several surveillance capabilities in a single continuously running process. Collected data is staged locally, compressed, and exfiltrated to Discord webhooks over HTTPS; the staging files are then deleted to reduce forensic traces while the implant retains long-term access. Cyfirma recently reported on SolyxImmortal.
The malware arrives as a single Python script whose only dependencies are commonly installed libraries. On launch, a core controller class initializes and resolves the staging paths it needs, such as the TEMP directory and the user's home directory. It then starts concurrent threads for each collection task and sets up persistence: it copies itself to an AppData subdirectory under a legitimate-appearing name, marks the copy with the hidden and system file attributes so it does not show in a default Explorer view, and adds an entry to the current user's Run registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run) so it executes at every logon. All of this happens in the user's own profile and registry hive, so no administrative rights are required.
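The persistence pattern above is easy to triage on a host because every piece of it is user-visible: a Run value in HKCU, a path under AppData, a Python interpreter launch, and hidden+system attributes on the dropped file. The following Python is an added example written for this page, not code from the sample or from the Cyfirma report. It scores Run entries on those four signals so that a legitimate updater that merely lives under AppData is not flagged on its own. The entry names, paths and attribute values in the sample data are constructed for illustration; on a Windows host the `live_*` helpers read the real registry and file attributes.

```python
import os
import re
import sys

# Win32 file attribute bits; the stealer sets both of these on its AppData copy.
FILE_ATTRIBUTE_HIDDEN = 0x02
FILE_ATTRIBUTE_SYSTEM = 0x04
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

_TOKEN = re.compile(r'"([^"]+)"|(\S+)')           # quoted path or bare token
_PYTHON_LAUNCH = re.compile(r'(^|[\\/ ])pythonw?(\d+(\.\d+)?)?\.exe$', re.IGNORECASE)


def command_tokens(command):
    """Split a Run-key command line into tokens, honouring quoted paths."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(command)]


def triage_run_entry(command, attributes_of, appdata_dir):
    """Return the reasons one Run entry resembles the persistence described above.

    attributes_of(path) returns the Win32 attribute bits for a path, or None if
    it does not exist. appdata_dir is the user's AppData directory (the parent
    of Local and Roaming)."""
    reasons = []
    tokens = command_tokens(command)
    if not tokens:
        return reasons
    exe, args = tokens[0], tokens[1:]
    if _PYTHON_LAUNCH.search(exe):
        reasons.append("launches a Python interpreter: " + exe)
    scripts = [a for a in args if a.lower().endswith((".py", ".pyw"))]
    if scripts:
        reasons.append("runs a Python script: " + ", ".join(scripts))
    prefix = appdata_dir.lower().rstrip("\\") + "\\"
    under_appdata = [t for t in tokens if t.lower().startswith(prefix)]
    if under_appdata:
        reasons.append("files under AppData: " + ", ".join(under_appdata))
    both = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    hidden_system = [t for t in tokens
                     if (attributes_of(t) or 0) & both == both]
    if hidden_system:
        reasons.append("hidden+system attributes: " + ", ".join(hidden_system))
    return reasons


def suspicious_entries(entries, attributes_of, appdata_dir, min_reasons=2):
    """entries: iterable of (value_name, command). One hit alone is not enough."""
    flagged = {}
    for name, command in entries:
        reasons = triage_run_entry(command, attributes_of, appdata_dir)
        if len(reasons) >= min_reasons:
            flagged[name] = reasons
    return flagged


def live_run_entries():
    """Enumerate HKCU Run values on a Windows host (no elevation needed)."""
    import winreg
    out, i = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                return out
            out.append((name, str(data)))
            i += 1


def live_attributes(path):
    try:
        return os.stat(path).st_file_attributes   # Windows-only stat field
    except (OSError, AttributeError):
        return None


# Constructed sample data (hypothetical names and paths, not from the sample).
SAMPLE_APPDATA = r"C:\Users\alice\AppData"
ONEDRIVE_EXE = SAMPLE_APPDATA + r"\Local\Microsoft\OneDrive\OneDrive.exe"
PYTHONW_EXE = SAMPLE_APPDATA + r"\Local\Programs\Python\Python312\pythonw.exe"
DROPPED_SCRIPT = SAMPLE_APPDATA + r"\Roaming\Microsoft\SystemHealth\healthsvc.pyw"
SAMPLE_ENTRIES = [
    ("OneDrive", '"%s" /background' % ONEDRIVE_EXE),
    ("WindowsHealthService", '"%s" "%s"' % (PYTHONW_EXE, DROPPED_SCRIPT)),
]
SAMPLE_ATTRS = {ONEDRIVE_EXE: 0x20, PYTHONW_EXE: 0x20,
                DROPPED_SCRIPT: 0x20 | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM}


def sample_attributes(path):
    return SAMPLE_ATTRS.get(path)


if __name__ == "__main__":
    if sys.platform == "win32":
        hits = suspicious_entries(live_run_entries(), live_attributes,
                                  os.path.join(os.environ["USERPROFILE"], "AppData"))
    else:
        hits = suspicious_entries(SAMPLE_ENTRIES, sample_attributes, SAMPLE_APPDATA)
    for name, reasons in hits.items():
        print(name, "->", "; ".join(reasons))
```

The threshold of two signals is deliberate: many legitimate per-user programs (OneDrive, Teams, Python itself) install under AppData and register a Run value, so the distinguishing combination here is a script launch plus attributes that an installer would not normally set.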
Credential theft targets Chromium-based browsers such as Chrome, Edge, and Brave. For each browser it locates the profile directory, recovers the AES master key from the browser's Local State file (the key is stored base64-encoded behind a user-scope DPAPI wrapper, so any process running as the logged-on user can unwrap it, again without elevation), and decrypts the saved logins in the Login Data SQLite database with AES-GCM. Recovered credentials are held in plaintext while they are aggregated. Document collection recursively scans the user's home directory, selecting files by a list of common extensions and an upper size limit, trading completeness for a smaller upload.
Keystroke logging uses a persistent keyboard listener that buffers input; a dedicated thread transmits the buffer in periodic batches to limit the number of network connections. A window-title monitor compares the foreground window title against keywords associated with authentication or financial activity and, on a match, takes a screenshot immediately and sends it to a separate webhook. Routine screenshots are also taken at a fixed interval regardless of the active window.
All artifacts are staged under TEMP, packed into ZIP archives to reduce upload size, and exfiltrated over HTTPS to two hardcoded Discord webhooks, one for general data and one for screenshots; messages for priority events include a Discord user ID so the operator is mentioned directly. After each upload the staging files are deleted, though the implant itself remains installed.
In dynamic execution the sample is silent, showing no UI or console window, and settles quickly into background operation. Exceptions are caught so that missing components or interruptions do not terminate the process. All network traffic consists of TLS-protected POSTs to Discord; no custom protocol or attacker-owned infrastructure is involved, so on the wire the activity is indistinguishable from legitimate Discord use except by the webhook path, which is only visible where TLS is inspected, and by the timing and volume of uploads.
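Because the implant never talks to anything but Discord, the detectable pattern is a non-browser client repeatedly POSTing file uploads to `/api/webhooks/<id>/<token>`, typically against two distinct webhook IDs from the same host. The Python below is an added example for this page, not a detection shipped by PolySwarm or Cyfirma. It runs that logic over a constructed proxy log in a simple key=value format (real deployments would feed it Zeek http.log or proxy records with equivalent fields) and reports per-source hits plus the set of webhook IDs each source used. Only the webhook ID is echoed in findings: the token half of the URL is a credential for that webhook and should not be copied into alerts.

```python
import re
from collections import defaultdict

DISCORD_HOSTS = {"discord.com", "discordapp.com", "ptb.discord.com", "canary.discord.com"}
WEBHOOK_PATH = re.compile(r"^/api/webhooks/(?P<id>\d+)/(?P<token>[A-Za-z0-9_-]+)")
BROWSER_UA = re.compile(r"Mozilla/5\.0")
LARGE_UPLOAD = 100_000          # bytes; ZIPs of documents and screenshots exceed this

# Constructed log format: space-separated key=value pairs, values optionally quoted.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_line(line):
    """Turn one log line into a dict of field -> value."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}


def webhook_id(rec):
    """Webhook ID if this record is a POST to a Discord webhook, else None."""
    if rec.get("host") not in DISCORD_HOSTS or rec.get("method") != "POST":
        return None
    m = WEBHOOK_PATH.match(rec.get("path", ""))
    return m.group("id") if m else None


def score_request(rec):
    """Return (score, reasons). The webhook POST itself is the first reason;
    the rest separate a scripted uploader from a browser-based integration."""
    wid = webhook_id(rec)
    if wid is None:
        return 0, []
    reasons = ["POST to Discord webhook " + wid]
    ua = rec.get("ua", "")
    if not BROWSER_UA.search(ua):
        reasons.append("non-browser user agent: " + ua)
    if rec.get("ctype", "").startswith("multipart/form-data"):
        reasons.append("multipart file upload")
    size = rec.get("bytes", "0")
    if size.isdigit() and int(size) >= LARGE_UPLOAD:
        reasons.append("large upload: %s bytes" % size)
    return len(reasons), reasons


def detect(lines, min_score=2):
    """Group qualifying requests by source address."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        score, reasons = score_request(rec)
        if score >= min_score:
            hits[rec.get("src", "?")].append((rec.get("ts"), reasons))
    return dict(hits)


def webhooks_per_source(lines):
    """Distinct webhook IDs per source; the implant described above uses two."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        wid = webhook_id(rec)
        if wid:
            seen[rec.get("src", "?")].add(wid)
    return dict(seen)


# Constructed sample log: one benign Discord client request, two stealer-style
# uploads to two different webhooks from 10.0.0.5, and one small browser POST.
SAMPLE_LOG = """\
ts=2025-06-01T09:00:01Z src=10.0.0.5 method=GET host=discord.com path=/api/v9/users/@me ua="Mozilla/5.0 (Windows NT 10.0) discord/1.0.9" ctype=- bytes=0
ts=2025-06-01T09:00:07Z src=10.0.0.5 method=POST host=discord.com path=/api/webhooks/111122223333/AbCdEf-gH ua=python-requests/2.31.0 ctype="multipart/form-data; boundary=x" bytes=4812290
ts=2025-06-01T09:00:37Z src=10.0.0.5 method=POST host=discord.com path=/api/webhooks/444455556666/ZyXwVu_tS ua=python-requests/2.31.0 ctype="multipart/form-data; boundary=y" bytes=183004
ts=2025-06-01T09:01:00Z src=10.0.0.9 method=POST host=discord.com path=/api/webhooks/777788889999/qwerty ua="Mozilla/5.0 (Windows NT 10.0; Win64) Chrome/124.0" ctype=application/json bytes=412
"""


def sample_lines():
    return SAMPLE_LOG.splitlines()


if __name__ == "__main__":
    for src, events in detect(sample_lines()).items():
        print(src, "used webhooks", sorted(webhooks_per_source(sample_lines())[src]))
        for ts, reasons in events:
            print("  ", ts, "; ".join(reasons))
```

Where TLS is not inspected, the path-based signals are unavailable and only the host name, the SNI, and the byte counts remain; in that case the equivalent host-side signal is a `python.exe` or `pythonw.exe` process with sustained outbound TLS sessions to discord.com, which can be correlated with the Run-key persistence described earlier.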
Distribution occurred via an underground Telegram channel focused on commodity stealers and builder tools, typically serving lower-to-mid sophistication actors. Codebase indicators, such as naming conventions, variable patterns, and design choices, suggest a possible Turkish-speaking origin with medium confidence, linked to hacktivist-oriented communities rather than structured cybercrime. The malware aligns with trends in which mid-tier actors exploit accessible scripting and trusted platforms like Discord and Telegram for opportunistic surveillance without dedicated infrastructure.
IOCs
PolySwarm has a sample of SOLYXIMMORTAL.
5a1b440861ef652cc207158e7e129f0b3a22ed5ef5d2ea5968e1d9eff33017bc
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.