Threat researchers reported a new Python-based Windows information-stealing malware dubbed SolyxImmortal that emphasizes stealth and long-term persistence over destructive actions. The implant is described as a “monolithic” package (not modular), delivered as a legitimate-looking Python script (e.g., Lethalcompany.py), and runs quietly in the background to harvest sensitive data including credentials, documents, keystrokes, and screenshots.
SolyxImmortal’s command-and-control and exfiltration model relies on Discord webhooks, abusing trusted HTTPS traffic to blend in and reduce network-based detection. Reporting attributes the analysis to CYFIRMA, noting that C2 parameters are hardcoded and that operators can receive real-time notifications (including via a hardcoded Discord user ID) for high-value events; separate webhooks may be used for different data types (e.g., logs/files vs. screenshots). The malware targets browser-stored data (including Chromium-based browsers such as Chrome, Edge, Brave, and Opera GX) and focuses on single-host surveillance rather than lateral movement.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
By January 20, 2026, CYFIRMA had analyzed SolyxImmortal's behavior, including persistence via a hidden AppData copy and Registry Run key, credential theft from Chromium-based browsers, keylogging, screenshot capture, document harvesting, and exfiltration through hardcoded Discord webhooks. The researchers assessed it as a commodity or mid-tier threat, with medium-confidence indications of a Turkish-speaking author.
CYFIRMA reported that the Python-based Windows infostealer SolyxImmortal emerged in January 2026 and was being circulated in underground and Telegram-linked channels as a stealth-focused surveillance tool.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcecybersecuritynews.com
Open sourcesecurityonline.info
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.