
The malware, first observed in January 2026, leverages Discord’s webhook infrastructure to exfiltrate credentials, documents, screenshots, and keystroke data without triggering conventional security alerts.
Unlike typical commodity malware, SolyxImmortal demonstrates advanced operational security practices, including silent execution, behavioral stealth, and cleanup routines designed to minimize forensic artifacts.
Technical Specifications and Delivery Mechanisms
The malware is distributed as a Python script packaged for Windows execution under the filename Lethalcompany.py (10.29 KB).
Analysis reveals a monolithic application with no external configuration dependencies, relying instead on hardcoded command-and-control parameters embedded directly within the source code.
The sample identified carries MD5 hash 2690f7c685784fff006fe451fa3b154c and SHA-256 5a1b440861ef652cc207158e7e129f0b3a22ed5ef5d2ea5968e1d9eff33017bc.
| Attribute | Value |
|---|---|
| Filename | Lethalcompany.py |
| File Size | 10.29 KB |
| File Type | Python Script |
| Code Signing | Unsigned |
| MD5 Hash | 2690f7c685784fff006fe451fa3b154c |
| SHA-256 Hash | 5a1b440861ef652cc207158e7e129f0b3a22ed5ef5d2ea5968e1d9eff33017bc |
| First Observed | January 2026 |
| Distribution Vector | Telegram underground channels |
Upon execution, the malware establishes persistence by copying itself to %AppData% with a filename mimicking legitimate Windows components. It registers under the user’s Run registry key, ensuring automatic startup without administrator privileges.
The absence of self-propagation or lateral movement capabilities indicates that the threat actor focuses on maximizing data extraction from individual endpoints rather than on network-wide compromise.
SolyxImmortal operates through a multi-threaded architecture that simultaneously performs keystroke logging, window monitoring, credential extraction, and file harvesting.

The malware maintains two distinct Discord webhooks: one for structured data (credentials, archives, logs) and another dedicated to screenshot transmission.
This separation enables prioritized handling of high-value events such as authentication attempts and financial service interactions. The malware’s credential-stealing mechanism targets Chromium-based browsers, including Chrome, Edge, and Brave.
It extracts the master encryption key from each browser’s Local State file, then decrypts stored credentials using AES-GCM encryption bound to the user’s Windows DPAPI.
Recovered plaintext passwords are staged locally, compressed into ZIP archives, and transmitted via HTTPS POST requests to attacker-controlled Discord endpoints. This approach exploits Discord’s legitimate reputation to bypass network-based detection systems.
Keystroke logging occurs through persistent keyboard hooks, with captured data buffered in memory rather than transmitted immediately.
A background thread periodically exfiltrates accumulated keystrokes at fixed intervals, reducing outbound network frequency and lowering detection risk.
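The fixed-interval, batched uploads described above are what a defender can look for. The following is an added example (not code from the article or from the malware) that runs over constructed proxy-log lines and flags regularly spaced POSTs to Discord webhook URLs from processes that are not expected to use Discord; the log format, the process allowlist and the jitter threshold are assumptions.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: timestamp, process image, method, URL, bytes sent (not real data).
SAMPLE_LOG = """\
2026-01-14T09:00:00 pythonw.exe POST https://discord.com/api/webhooks/123/abc 48211
2026-01-14T09:05:00 pythonw.exe POST https://discord.com/api/webhooks/123/abc 51020
2026-01-14T09:10:01 pythonw.exe POST https://discord.com/api/webhooks/123/abc 47763
2026-01-14T09:15:00 pythonw.exe POST https://discord.com/api/webhooks/123/abc 49999
2026-01-14T09:02:13 chrome.exe POST https://discord.com/api/webhooks/777/xyz 1200
2026-01-14T09:03:00 pythonw.exe GET https://pypi.org/simple/requests/ 0
"""

WEBHOOK_RE = re.compile(r"^https://discord(?:app)?\.com/api/webhooks/\d+/", re.I)
# Processes expected to talk to Discord; tune to your environment (assumption).
EXPECTED_PROCS = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "discord.exe"}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")


def parse(log: str):
    """Yield (timestamp, process, method, url, bytes) from the constructed format."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, proc, method, url, size = m.groups()
            yield datetime.fromisoformat(ts), proc.lower(), method.upper(), url, int(size)


def find_webhook_beacons(log: str, min_posts: int = 3, max_jitter: float = 0.1):
    """Return (process, webhook url, median gap in seconds, bytes) for regular uploads."""
    series = defaultdict(list)
    for ts, proc, method, url, size in parse(log):
        if method == "POST" and WEBHOOK_RE.match(url) and proc not in EXPECTED_PROCS:
            series[(proc, url)].append((ts, size))
    hits = []
    for (proc, url), events in series.items():
        events.sort()
        stamps = [ts for ts, _ in events]
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) < min_posts:
            continue
        median = statistics.median(gaps)
        # Interval-based exfiltration: every gap sits within max_jitter of the median.
        if median > 0 and max(abs(g - median) for g in gaps) / median <= max_jitter:
            hits.append((proc, url, median, sum(s for _, s in events)))
    return hits
```

Scheduled CI or monitoring bots also post to webhooks on a timer, so pair this with process lineage and the per-environment allowlist before alerting.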

Special keys, including Enter, Backspace, and modifier combinations, are translated into readable representations rather than raw scan codes.
The malware actively monitors foreground window titles against predefined keyword sets associated with authentication, financial services, and account access.
When matches are detected, screenshots are captured and immediately transmitted via the dedicated webhook.
Routine screenshots are also captured at fixed intervals, enabling continuous visual surveillance regardless of user activity context.
All exfiltrated data undergoes compression and staging within system TEMP directories. Following successful transmission, the malware performs cleanup routines that delete temporary files and directories, reducing residual forensic artifacts while maintaining continuous operation for subsequent collection cycles.
Open-source intelligence collection identified the initial malware distribution through a Telegram channel commonly associated with low-to-medium-sophistication threat actors and commodity malware sharing.
Codebase analysis reveals linguistic, structural, and operational characteristics suggesting a potential link to Turkish-speaking threat actors, assessed with medium confidence.

Security researchers observed that the threat actor’s behavior indicates participation in hacktivist coordination and opportunistic cyber activities rather than structured, financially motivated campaigns.
The combination of Telegram distribution, Discord infrastructure abuse, and overlap with the underground community suggests the malware is intended for opportunistic data theft targeting individual users and small organizations. However, its modular design enables repurposing or redistribution within broader threat ecosystems.
Organizations should implement behavioral detection, prioritizing anomalous access to browser credential stores, unusual screen-capture and input-monitoring activity, and outbound HTTPS traffic from background processes to webhook services.
Application allowlisting, browser credential protection, and network-based monitoring of third-party webhook abuse are critical defensive controls.
Incident response teams should validate persistence mechanisms by examining registry keys and hunting user profile directories during the triage and remediation phases.
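One way to carry out the Run-key triage recommended above, written here as an added example (not code from the article): it parses constructed `reg query`-style output for HKCU Run values and scores entries that launch a script interpreter, point at a user-writable profile path, or borrow the name of a Windows component outside %SystemRoot%. The sample values, the interpreter and component name lists, and the score weights are assumptions to adapt to your baseline.

```python
import ntpath
import re

# Constructed sample of `reg query HKCU\...\Run` output (value name, type, data); not real data.
SAMPLE_RUN_VALUES = """\
OneDrive    REG_SZ    "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
WindowsUpdate    REG_SZ    "C:\\Users\\alice\\AppData\\Roaming\\Python\\pythonw.exe" "C:\\Users\\alice\\AppData\\Roaming\\svchost.py"
Teams    REG_SZ    "C:\\Program Files\\Teams\\Teams.exe"
"""

USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local)\\|\\Temp\\", re.I)
INTERPRETERS = {"python.exe", "pythonw.exe", "py.exe"}
# Illustrative component names a dropper might imitate (assumption); extend from your baseline.
WINDOWS_NAMES = {"svchost", "csrss", "lsass", "winlogon", "explorer", "windowsupdate"}


def split_command(data: str) -> list:
    """Split a Run value into tokens, honoring quoted paths that contain spaces."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', data)]


def triage_run_values(text: str, min_score: int = 2) -> list:
    """Score each Run value; return dicts for entries at or above min_score."""
    findings = []
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) != 3:
            continue
        name, _type, data = parts
        tokens = split_command(data)
        image = ntpath.basename(tokens[0]).lower()
        score, reasons = 0, []
        if image in INTERPRETERS:
            score += 2
            reasons.append("script interpreter autostart (T1059.006)")
        # When an interpreter is launched, the script argument is the real payload.
        payload = next((t for t in tokens[1:] if t.lower().endswith(".py")), tokens[0])
        if USER_WRITABLE.search(payload):
            score += 1  # low weight on its own: many legitimate apps live under AppData
            reasons.append("payload in user-writable profile path")
        stem = ntpath.splitext(ntpath.basename(payload))[0].lower()
        if stem in WINDOWS_NAMES and "\\windows\\" not in payload.lower():
            score += 2
            reasons.append("mimics a Windows component name outside %SystemRoot%")
        if score >= min_score:
            findings.append({"name": name, "payload": payload, "score": score, "reasons": reasons})
    return findings
```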
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique / Sub-technique |
|---|---|---|
| Execution | T1059.006 | Command and Scripting Interpreter: Python |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys |
| Credential Access | T1555.003 | Credentials from Password Stores: Browsers |
| Credential Access | T1552.001 | Unsecured Credentials: Credentials in Files |
| Collection | T1056.001 | Input Capture: Keylogging |
| Collection | T1113 | Screen Capture |
| Discovery | T1083 | File and Directory Discovery |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Command and Control | T1102.003 | Web Service: Third-Party Services |
| Defense Evasion / Collection | T1027 | Obfuscated/Compressed Files and Information |
The post Python-Based SolyxImmortal Malware Abuses Discord to Silently Steal Sensitive Data appeared first on Cyber Security News.
