SolyxImmortal shows how threat actors use legitimate services such as Discord to blend data exfiltration into ordinary HTTPS traffic, raising the risk of credential theft and screen capture for enterprises. Its sale as a commodity tool puts that surveillance capability in the hands of opportunistic attackers who could not have built it themselves.
The emergence of SolyxImmortal underscores a shift in the infostealer ecosystem toward lightweight, script‑driven malware that piggybacks on trusted internet services. Written in Python, the payload is a script rather than a compiled binary, so signatures tuned to packed executables have little to match on, and it relays stolen data through Discord's HTTPS API instead of attacker‑owned infrastructure. Because the hard‑coded webhook URLs and Discord user ID embedded in the script point at a reputable domain reached over TLS on port 443, network controls that key on suspicious domains or ports see nothing out of the ordinary. The technique belongs to a broader pattern of using legitimate cloud APIs as covert command‑and‑control and exfiltration channels.
Technically, SolyxImmortal bundles credential harvesting, keylogging, and screen capture into a single monolithic package. It reads Chrome's master key from the Local State file (the key stored there is DPAPI‑protected, so the stealer must run in the victim's own user session to unwrap it), decrypts the saved passwords with it, and watches foreground window titles for high‑value applications before taking screenshots. Persistence comes from copying the executable into a hidden directory under AppData and registering a Run key so that it starts at every logon. Stolen data is staged in a temporary folder, compressed, and uploaded by HTTPS POST, after which the staging folder is deleted. That cleanup removes the loot, not the implant: the copy under AppData, the Run key, and the outbound connections to Discord all remain as forensic artifacts.
The malware's availability on a Telegram marketplace signals the commoditization of advanced surveillance capabilities, lowering the entry barrier for low‑ to medium‑skill threat actors. Enterprises may therefore face several actors repurposing the same codebase. Defenders should monitor outbound connections to Discord endpoints and key on the originating process rather than the destination alone, since browsers and the Discord desktop client legitimately reach the same hosts; enforce application allow‑lists that stop interpreters from running scripts out of user‑writable paths; and deploy endpoint detection that flags Python processes reading browser credential stores or writing Run keys. Regular credential rotation and browser hardening further reduce the payoff for attackers using tools like SolyxImmortal.
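The detection guidance above, turned into working rules, as an added example that is not part of the original article and not code from the malware or from any vendor product. It runs four checks over endpoint telemetry (a Python interpreter launched with a script under AppData, a non‑browser process reading Chrome's Local State or Login Data, a Run key pointing into a user‑writable path, and a script host or AppData‑resident binary connecting to Discord), correlates them by process, and separately scans a script blob for hard‑coded Discord webhook URLs. The event field names, the sample events, and the webhook URLs and IDs in the sample config are all constructed for the example.

```python
"""Detection rules for SolyxImmortal-style tradecraft, run over constructed
endpoint telemetry. Added example, not the malware's code or a product's.
Field names (event, pid, image, command_line, path, key, value_data,
dest_host) are assumptions modelled loosely on Sysmon-style records."""
import re
from collections import defaultdict

# Hard-coded Discord webhook URLs as they appear in stealer scripts and configs.
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/\d+/[A-Za-z0-9_-]+"
)
DISCORD_HOSTS = {"discord.com", "discordapp.com"}
SCRIPT_HOSTS = {"python.exe", "pythonw.exe"}
# Processes expected to read Chrome's stores or talk to Discord (false-positive guard).
BROWSERS_AND_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"}
# Run key under HKCU or HKLM.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Anything under a user's AppData tree: user-writable, where the copy gets dropped.
APPDATA_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.I)
# A .py/.pyw script argument that lives under AppData (ignores the interpreter's own path).
SCRIPT_IN_APPDATA_RE = re.compile(r'\\Users\\[^\\]+\\AppData\\[^"\s]*\.pyw?(?=["\s]|$)', re.I)
# Chrome's DPAPI-wrapped key store (Local State) and saved-login database (Login Data).
CHROME_SECRETS_RE = re.compile(
    r"\\Google\\Chrome\\User Data\\(?:.*\\)?(Local State|Login Data)$", re.I)


def basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def find_webhook_urls(text):
    """Return the distinct hard-coded webhook URLs found in a script or config blob."""
    return sorted(set(WEBHOOK_RE.findall(text)))


def analyze(events):
    """Apply the four rules and correlate hits per pid."""
    findings = []
    rules_by_pid = defaultdict(set)

    def hit(e, rule):
        findings.append({"pid": e["pid"], "rule": rule, "image": basename(e["image"])})
        rules_by_pid[e["pid"]].add(rule)

    for e in events:
        kind, image = e["event"], basename(e["image"])
        if kind == "process":
            if image in SCRIPT_HOSTS and SCRIPT_IN_APPDATA_RE.search(e["command_line"]):
                hit(e, "script_launched_from_appdata")
        elif kind == "file":
            if CHROME_SECRETS_RE.search(e["path"]) and image not in BROWSERS_AND_CLIENTS:
                hit(e, "browser_secret_read_by_non_browser")
        elif kind == "registry":
            if RUN_KEY_RE.search(e["key"]) and APPDATA_RE.search(e["value_data"]):
                hit(e, "run_key_to_user_writable_path")
        elif kind == "network":
            host = e["dest_host"].lower()
            to_discord = host in DISCORD_HOSTS or host.endswith(".discord.com")
            from_odd_origin = image in SCRIPT_HOSTS or (
                APPDATA_RE.search(e["image"]) and image not in BROWSERS_AND_CLIENTS)
            if to_discord and from_odd_origin:
                hit(e, "discord_egress_from_script_host")

    # One rule on its own is a lead; a process tripping two or more is an incident.
    suspicious = sorted(pid for pid, rules in rules_by_pid.items() if len(rules) >= 2)
    return {"findings": findings, "suspicious_pids": suspicious}


# Constructed telemetry, not captured data.
PY = r"C:\Users\alice\AppData\Local\Programs\Python\Python311\pythonw.exe"
SCRIPT = r"C:\Users\alice\AppData\Roaming\.cache\svc.py"
CMD = f'"{PY}" "{SCRIPT}"'
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
LOCAL_STATE = r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"

SAMPLE_EVENTS = [
    {"event": "process", "pid": 4100, "image": PY, "command_line": CMD},
    {"event": "file", "pid": 4100, "image": PY, "path": LOCAL_STATE},
    {"event": "registry", "pid": 4100, "image": PY,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateSvc",
     "value_data": CMD},
    {"event": "network", "pid": 4100, "image": PY, "dest_host": "discord.com", "dest_port": 443},
    # Benign look-alikes: the browser itself reads Local State and reaches discord.com.
    {"event": "file", "pid": 2200, "image": CHROME, "path": LOCAL_STATE},
    {"event": "network", "pid": 2200, "image": CHROME, "dest_host": "discord.com", "dest_port": 443},
]

# Constructed snippet shaped like a stealer config; the IDs and tokens are made up.
SAMPLE_CONFIG = '''
WEBHOOK = "https://discord.com/api/webhooks/123456789012345678/AbCdEfGh-iJkLmNoP_qRsTuVwXyZ"
OWNER_ID = "987654321098765432"
BACKUP = "https://canary.discord.com/api/webhooks/111111111111111111/zzz_YYY-xxx"
'''

if __name__ == "__main__":
    print(find_webhook_urls(SAMPLE_CONFIG))
    print(analyze(SAMPLE_EVENTS))
```

The network rule deliberately keys on the originating image, not on the destination: Chrome, Edge, Firefox, and Discord.exe (which itself installs under AppData\Local) all talk to discord.com, so "any connection to Discord" would page the SOC constantly. The file rule has the same shape, since the browser reads its own Local State at every start. The per‑pid correlation is what separates a noisy single hit from the full chain the article describes.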