
‘SolyxImmortal’ Information Stealer Emerges

The information stealer abuses legitimate APIs and libraries to exfiltrate data to Discord webhooks. The post ‘SolyxImmortal’ Information Stealer Emerges appeared first on SecurityWeek.


A newly identified information stealer relies on legitimate APIs and third-party libraries for evasive, persistent data harvesting and exfiltration, cybersecurity company Cyfirma reports.

Dubbed SolyxImmortal, the malware is written in Python and includes broad data theft and user surveillance capabilities, such as credential and document harvesting, a keylogger, and screen monitoring.

According to Cyfirma, SolyxImmortal is a monolithic Python application targeting Windows systems that can launch concurrent surveillance and data collection threads.

The malware runs silently in the background, does not have self-propagation capabilities, and focuses on continuous monitoring and alerting for authentication and other high-value user actions.

SolyxImmortal features a central controller that establishes persistence and then launches the collection and surveillance routines, with all of the malicious behavior hardcoded.

Command-and-control (C&C) parameters are also hardcoded. The infostealer uses two Discord webhooks, one for structured data exfiltration and another for sending screenshots, and relies on the service’s HTTPS security and reputation to evade network-based detection.

“The inclusion of a hardcoded Discord user ID enables direct operator mentions, ensuring that high-value events generate immediate notifications,” Cyfirma notes.

The malware copies itself into a directory within the user’s AppData path and renames the executable, marking it as hidden and system-protected. It also registers under the user’s Run key, so it is executed at user logon.
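As an added illustration (not code from the Cyfirma report or from this article), the following Python script shows two detection checks for the behavior described above: Discord webhook POSTs from processes that are not browsers or the Discord client, and Run-key entries pointing at a hidden, system-attributed executable under AppData. It assumes telemetry that attributes web requests to the originating process (a proxy or endpoint agent) and uses constructed sample data with placeholder paths and a placeholder webhook URL.

```python
import re

# Discord webhook URLs have a fixed shape: /api/webhooks/<id>/<token>.
WEBHOOK_RE = re.compile(r"^https://discord(?:app)?\.com/api/webhooks/\d+/[\w-]+", re.I)
# Processes from which a webhook POST is unremarkable (hypothetical allowlist).
EXPECTED_WEBHOOK_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "discord.exe"}
# Per-user AppData location, where the stealer drops its hidden self-copy.
APPDATA_RE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)

def suspicious_webhook_posts(events):
    """Return (image, url) for POSTs to Discord webhooks from unexpected processes.
    Events are dicts with 'image' (process path), 'method' and 'url', as a proxy
    or endpoint agent that attributes traffic to a process would record them."""
    hits = []
    for ev in events:
        if ev["method"].upper() != "POST" or not WEBHOOK_RE.match(ev["url"]):
            continue
        if ev["image"].rsplit("\\", 1)[-1].lower() not in EXPECTED_WEBHOOK_CLIENTS:
            hits.append((ev["image"], ev["url"]))
    return hits

def suspicious_run_entries(entries):
    """Flag HKCU Run values whose target sits under AppData and is hidden+system.
    Entries are (value name, target path, attribute string); AppData alone is not
    suspicious (legitimate per-user apps live there), the attribute combination is."""
    hits = []
    for name, target, attrs in entries:
        flags = {a.strip().lower() for a in attrs.split(",")}
        if APPDATA_RE.search(target) and {"hidden", "system"} <= flags:
            hits.append(name)
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry; placeholder paths and webhook URL
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "method": "POST",
     "url": "https://discord.com/api/webhooks/000000000000000000/EXAMPLE_TOKEN"},
    {"image": r"C:\Users\alice\AppData\Roaming\SysCache\svc.exe", "method": "POST",
     "url": "https://discord.com/api/webhooks/000000000000000000/EXAMPLE_TOKEN"},
    {"image": r"C:\Users\alice\AppData\Roaming\SysCache\svc.exe", "method": "GET",
     "url": "https://discord.com/api/v9/gateway"},
]
SAMPLE_RUN_ENTRIES = [  # constructed; value names and paths are placeholders
    ("Windows Update Helper", r"C:\Users\alice\AppData\Roaming\SysCache\svc.exe", "Hidden, System"),
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe", "Archive"),
    ("Steam", r"C:\Program Files (x86)\Steam\steam.exe", "Archive"),
]

if __name__ == "__main__":
    print(suspicious_webhook_posts(SAMPLE_EVENTS))  # flags only the svc.exe POST
    print(suspicious_run_entries(SAMPLE_RUN_ENTRIES))  # ['Windows Update Helper']
```

The allowlist is deliberately short; in practice it should be tuned to the software inventory, and the Run-key check is a triage heuristic, not proof of compromise.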

Data theft, surveillance capabilities

SolyxImmortal can steal credentials from Chrome and other Chromium-based browsers, targeting the Local State file to extract the browser master encryption key and decrypt the login entries.

“Recovered credentials are aggregated in plaintext format prior to exfiltration, indicating no local encryption or obfuscation of stolen data,” Cyfirma notes.

The threat also enumerates the user’s home directory to identify documents of interest and filters them based on extension and size. All collected data is staged in a temporary directory, compressed, and exfiltrated.

Furthermore, the information stealer stores captured keystrokes in an in-memory buffer and exfiltrates them periodically using a dedicated background thread.

It also monitors the active window, compares its title against a predefined list of keywords (targeting authentication and financial operations), and takes a screenshot when it finds a match. Each screenshot is immediately sent to the dedicated Discord webhook.

“In addition to event-driven capture, routine screenshots are taken at fixed intervals, enabling continuous visual surveillance even in the absence of trigger keywords,” Cyfirma explains.

After successfully exfiltrating the staged data via HTTPS POST requests, the malware erases all temporary files and directories.

Designed for opportunistic attacks

Likely intended for low-to-medium sophistication threat actors, SolyxImmortal has been offered on an underground Telegram channel for sharing commodity malware and appears to have been developed by a Turkish-speaking threat actor.

Based on the supposed developer’s underground activity, Cyfirma believes the malware was designed for opportunistic data theft and surveillance. However, it can be easily repurposed and redistributed by other threat actors.

“From a threat landscape perspective, this sample reflects a broader trend of mid-tier threat actors leveraging readily available platforms and scripting languages to deploy effective surveillance tooling without maintaining dedicated infrastructure,” Cyfirma notes.

