A new Python-based malware called SolyxImmortal has been found quietly stealing browser passwords, cookies, sensitive files, and keystrokes from infected Windows systems.
The malware uses well-known Python libraries and multi-threading to run its collection routines in parallel, making it harder to detect while it works in the background.
What makes SolyxImmortal stand out is its apparent focus on Turkish-speaking users. The malware contains several Turkish keywords baked into its code, including words tied to banking sites, Gmail logins, and sign-in pages.
These keywords trigger targeted screenshot capture whenever the active window title matches one of them, suggesting the author had a very specific audience in mind.
Researchers at Pulsedive said in a report shared with Cyber Security News (CSN) that the malware leverages Discord webhooks as its data exfiltration channel.
Once it collects stolen information, the malware packages and sends everything directly to an attacker-controlled Discord channel, tagging a predefined user ID when the data arrives.
The malware first surfaced in public threat databases, with its sample available on Malware Bazaar. While the analyzed sample did not include active webhook URLs, earlier public reporting from Cyfirma revealed that the live version pointed to real Discord endpoints.

The file itself is a small Python script, just over 10,000 bytes, yet it is capable of causing significant harm to anyone it infects.
Once on a system, SolyxImmortal wastes no time establishing its presence. It copies itself into the APPDATA folder, disguises itself as a Windows graphics driver file, and sets a registry key to run every time the user logs in.
This approach guarantees the malware stays active across reboots without any further action from the attacker.
SolyxImmortal Python Malware
The malware targets a wide range of data from the moment it runs. It pulls saved passwords from Chromium-based browsers such as Chrome, Edge, Brave, and OperaGX by reading their local databases and decrypting the stored credentials with AES.
All stolen credentials are saved in a file called sifreler.txt, which means “passwords” in Turkish. Beyond passwords, the malware also grabs Firefox cookies by copying the browser’s cookie database directly to a staging folder.
It then walks the user’s home directory looking for documents in .txt, .pdf, .docx, and .xlsx formats. Files between 100 bytes and 10 MB are copied and bundled into a zip archive named Solyx_Final_Data.zip before being uploaded to Discord.
The keylogger runs in a separate thread and records every keystroke the user makes. Every 60 seconds, the collected keystrokes are packaged as a JSON blob and sent to the attacker.
The screen capture function works in two modes: routine screenshots every two minutes, and immediate screenshots triggered when a sensitive keyword appears in the title of the active window.
How SolyxImmortal Stays Hidden and Sends Data Out
The malware uses several tricks to avoid detection. It saves itself as win_gfx_driver.exe and sets its file attributes to hidden and system, making it invisible during standard file browsing.
The registry key it creates, named WindowsGfxDriver, sounds like a legitimate Windows component and may easily be overlooked during a routine system check.

Data leaves the infected machine through Discord’s own web API using Python’s requests library, blending malicious traffic with normal web activity.
Using a popular platform like Discord as a command channel is a growing trend in malware because it is rarely blocked by firewalls and looks like regular user traffic.
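Added example, not from the article or Pulsedive: a proxy-log check for the webhook exfiltration pattern described above. The log format and the sample lines are constructed, and it assumes the stealer keeps the requests library's default "python-requests/<version>" User-Agent.

```python
"""Flag Discord-webhook exfiltration in web-proxy logs. Added example, not from
the article or Pulsedive. The log format and sample lines are constructed; the
article only states that the stealer posts to Discord webhooks with Python's
requests library, whose default User-Agent is "python-requests/<version>"."""
import re

# Webhooks live under /api/webhooks/<numeric id>/<token>. Interactive Discord
# clients use other /api paths, so webhook POSTs from a workstation stand out.
WEBHOOK_RE = re.compile(r"https?://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+")
# Assumption: the sample does not override requests' default User-Agent.
SCRIPT_UA_RE = re.compile(r"^python-requests/", re.IGNORECASE)
# Constructed proxy format: ts client method url status req_bytes "user-agent"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+) "([^"]*)"$')
LARGE_UPLOAD = 50_000  # bytes; the zip of harvested documents dwarfs a keystroke JSON batch


def score_line(line):
    """Return a finding dict for a webhook hit, else None."""
    m = LINE_RE.match(line)
    if not m or not WEBHOOK_RE.match(m.group(4)):
        return None
    ts, client, method, url, _status, req_bytes, ua = m.groups()
    reasons = ["discord-webhook-url"]
    if method == "POST":
        reasons.append("post")
    if int(req_bytes) > LARGE_UPLOAD:
        reasons.append("large-upload")
    if SCRIPT_UA_RE.match(ua):
        reasons.append("python-requests-ua")
    return {"ts": ts, "client": client, "url": url, "reasons": reasons}


def scan(lines):
    """Findings for every log line that hits a webhook URL, in log order."""
    return [f for f in map(score_line, lines) if f]


# Constructed sample: one normal Discord client call, two scripted webhook POSTs
# (a small keystroke batch, then a large archive), one unrelated request.
SAMPLE_LOG = [
    '2024-01-01T10:00:00Z 10.0.0.5 GET https://discord.com/api/v9/users/@me 200 0 "Mozilla/5.0 discord/1.0"',
    '2024-01-01T10:01:00Z 10.0.0.5 POST https://discord.com/api/webhooks/123456789012345678/PLACEHOLDER_TOKEN 204 1843 "python-requests/2.31.0"',
    '2024-01-01T10:03:00Z 10.0.0.5 POST https://discord.com/api/webhooks/123456789012345678/PLACEHOLDER_TOKEN 204 2516000 "python-requests/2.31.0"',
    '2024-01-01T10:04:00Z 10.0.0.7 GET https://www.example.com/ 200 0 "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["client"], ",".join(f["reasons"]))
```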
Security teams and organizations can take practical steps to lower their risk. Deploying endpoint detection and response tools helps flag unusual process behavior that may signal an infection.
Restricting Python execution to users who genuinely need it reduces the attack surface. Training users to spot phishing emails and suspicious attachments remains one of the most reliable defenses against malware that depends on user interaction to gain its initial foothold.
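A host triage script for the persistence copy, Run value and TEMP staging names described above, added here as an example (not Pulsedive's code or the malware's): the check functions take plain inputs so they can be exercised anywhere, while the Windows-only collector reads the HKCU Run key on a live host. It assumes the artifact names and path are exactly as listed in the IoC table.

```python
"""Host triage for the SolyxImmortal persistence and staging artifacts listed
in the article. Added example, not Pulsedive's or the malware's code. The
check_* functions take plain values; the collector and __main__ are Windows-only."""
import os
import stat
import sys
# Names from the article's IoC table.
RUN_VALUE_NAME = "WindowsGfxDriver"
PERSIST_EXE = "win_gfx_driver.exe"
PERSIST_DIR = "WindowsGraphics"
STAGING_NAMES = {"Solyx_Pack_Final", "Solyx_Final_Data.zip", "sifreler.txt", "alert.png"}


def check_run_values(run_values):
    """run_values: {Run value name: command}. Flag the known value name, or any
    entry that launches the persistence executable under a different name."""
    return [f"Run value {name!r} -> {cmd}" for name, cmd in run_values.items()
            if name == RUN_VALUE_NAME or PERSIST_EXE in cmd.lower()]


def is_hidden_system(attrs):
    """attrs is os.stat(path).st_file_attributes; the copy sets HIDDEN and SYSTEM."""
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN and attrs & stat.FILE_ATTRIBUTE_SYSTEM)


def check_staging(temp_entries):
    """temp_entries: names in %TEMP%; flag the staging folder and archive names."""
    return [f"staging artifact in TEMP: {n}" for n in temp_entries if n in STAGING_NAMES]


def collect_run_values():
    import winreg  # exists only on Windows; enumerates HKCU Run values
    key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run")
    out, i = {}, 0
    while True:
        try:
            name, val, _ = winreg.EnumValue(key, i)
        except OSError:  # index past the last value
            break
        out[name], i = str(val), i + 1
    return out


if __name__ == "__main__" and sys.platform == "win32":
    findings = check_run_values(collect_run_values()) + check_staging(os.listdir(os.environ["TEMP"]))
    exe = os.path.join(os.environ["APPDATA"], PERSIST_DIR, PERSIST_EXE)
    if os.path.exists(exe):
        findings.append(f"{exe} present, hidden+system={is_hidden_system(os.stat(exe).st_file_attributes)}")
    print("\n".join(findings) or "no SolyxImmortal indicators found")
```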
Indicators of Compromise (IoCs):
| Type | Indicator | Description |
|---|---|---|
| SHA256 | 5a1b440861ef652cc207158e7e129f0b3a22ed5ef5d2ea5968e1d9eff33017bc | SolyxImmortal Python malware sample hash |
| SHA1 | 81c66c043982cfee9e60ae94203f4336da0b50c0 | SolyxImmortal Python malware sample hash |
| MD5 | 2690f7c685784fff006fe451fa3b154c | SolyxImmortal Python malware sample hash |
| ssdeep | 192:A2maqyDhNc90rNsS21W3g/+/X/WqWUC6Dh:A2dV1NcQUZa | Fuzzy hash for SolyxImmortal sample |
| File Name | win_gfx_driver.exe | Malware persistence copy in APPDATA folder |
| File Name | sifreler.txt | Stolen browser credentials staging file (Turkish for “passwords”) |
| File Name | Solyx_Pack_Final | Staging folder in TEMP directory |
| File Name | Solyx_Final_Data.zip | Compressed archive of stolen data for exfiltration |
| File Name | alert.png | Screenshot saved when a critical keyword window is detected |
| Registry Key | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Persistence registry key value: WindowsGfxDriver |
| File Path | %APPDATA%\WindowsGraphics\win_gfx_driver.exe | Full path of the malware’s persistence copy |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.