SolyxImmortal
SolyxImmortal is a Python-based Windows information-stealing malware and persistent surveillance implant. Reported capabilities include theft of saved credentials from Chromium-based browsers such as Chrome, Edge, Brave, and Opera GX; collection of Firefox cookies; harvesting of local files including .txt, .pdf, .docx, and .xlsx documents from the user home directory; keystroke logging; and screenshot capture. It uses multithreading to run collection, keylogging, and screenshot functions in parallel.
The malware establishes persistence by copying itself to %APPDATA%\WindowsGraphics\win_gfx_driver.exe, setting the file attributes to hidden/system, and creating a Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name WindowsGfxDriver. Reporting also states it may be distributed as a legitimate-looking Python script named "Lethalcompany.py." Stolen data is staged in the TEMP directory, including a folder named Solyx_Pack_Final, browser credentials written to sifreler.txt, and a ZIP archive named Solyx_Final_Data.zip before exfiltration.
Browser credential theft is described as using Local State decryption keys, Windows DPAPI/win32crypt, and AES/AES-GCM to recover stored Chromium passwords from SQLite databases. Firefox cookie databases are copied from profile paths for collection. The malware logs keystrokes continuously and reportedly sends buffered keystrokes every 60 seconds. It captures routine screenshots every two minutes and can take immediate screenshots when active window titles match hardcoded keywords associated with banking, Gmail, sign-in pages, and crypto-wallet activity.
Multiple reports cited in the content state that SolyxImmortal exfiltrates stolen data through attacker-controlled Discord webhooks, including separate handling for logs/files and screenshots, using Python requests over Discord's web API. The analyzed sample reportedly lacked populated webhook values, but earlier reporting cited live variants using real Discord endpoints. Turkish-language strings and keyword logic in the code suggest a likely focus on Turkish-speaking victims or Turkish websites, and some reporting assesses a possible Turkish-speaking threat actor link. The malware is characterized as an opportunistic, low-to-medium sophistication stealer emphasizing stealth, persistence, and long-term surveillance rather than destructive activity.
Known indicators and artifacts directly mentioned in the content include SHA256 5a1b440861ef652cc207158e7e129f0b3a22ed5ef5d2ea5968e1d9eff33017bc, SHA1 81c66c043982cfee9e60ae94203f4336da0b50c0, MD5 2690f7c685784fff006fe451fa3b154c, persistence path %APPDATA%\WindowsGraphics\win_gfx_driver.exe, Run key value WindowsGfxDriver, staging folder Solyx_Pack_Final, credential file sifreler.txt, screenshot file alert.png, and archive Solyx_Final_Data.zip.
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Training users to spot phishing emails and suspicious attachments remains one of the most reliable defenses against malware that depends on user interaction to gain its initial foothold.
Execution
2 techniques
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
4 techniques
The Python script imports 15 different modules to expand its functionality... base64, used to decode base64 content.
It saves itself as win_gfx_driver.exe and sets its file attributes to hidden and system... The registry key it creates, named WindowsGfxDriver, sounds like a legitimate Windows component.
It saves itself as win_gfx_driver.exe and sets its file attributes to hidden and system, making it invisible during standard file browsing.
The script starts by adding persistence: it copies itself to the APPDATA folder and modifies the Run registry key to execute the script from %APPDATA%\WindowsGraphics whenever the user logs in.
Credential Access
5 techniques
The keylogger runs in a separate thread and records every keystroke the user makes. Every 60 seconds, the collected keystrokes are packaged as a JSON blob and sent to the attacker.
Beyond passwords, the malware also grabs Firefox cookies by copying the browser’s cookie database directly to a staging folder.
SolyxImmortal is a Python-based information stealer that targets sensitive files, credentials from Chromium-based browsers, and keystrokes.
It pulls saved passwords from Chromium-based browsers such as Chrome, Edge, Brave, and OperaGX by reading their local databases and decrypting stored credentials using AES decryption.
Then the malware attempts to extract passwords from Chromium-based browsers. This is done by extracting decryption keys from the Local State file for each browser of interest before copying the login data file.
Discovery
1 technique
It iteratively walks the file system starting from the user’s home directory and excludes certain paths, such as AppData, Windows, Program Files, and Temp.
Collection
5 techniques
It then walks the user’s home directory looking for documents in .txt, .pdf, .docx, and .xlsx formats.
The keylogger runs in a separate thread and records every keystroke the user makes. Every 60 seconds, the collected keystrokes are packaged as a JSON blob and sent to the attacker.
The screen capture function works in two modes: routine screenshots every two minutes, and immediate screenshots triggered when a sensitive keyword appears in the title of the active window.
Files between 100 bytes and 10 MB are copied and bundled into a zip archive named Solyx_Final_Data.zip before being uploaded to Discord.
Before exfiltrating the staged data, the staging folder is compressed and saved in the TEMP folder as Solyx_Final_Data.zip.
Command and Control
2 techniques
If a file is specified, it is sent as part of the POST request; otherwise, the content is sent as a JSON blob.
Public reporting from Cyfirma indicates that the malware exfiltrates data via Discord webhooks.
Exfiltration
2 techniques
The malware leverages Discord webhooks as its data exfiltration channel... Data leaves the infected machine through Discord’s own web API using Python’s requests library, blending malicious traffic with normal web activity.
Public reporting from Cyfirma indicates that the malware exfiltrates data via Discord webhooks.
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
8 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Python-based Windows malware that establishes persistence, steals saved browser passwords and Firefox cookies, collects sensitive documents, captures screenshots based on Turkish banking/login-related keywords, logs keystrokes, and exfiltrates stolen data to attacker-controlled Discord webhooks.
Python-based Windows info stealer that establishes persistence via APPDATA copy and Run key modification, steals browser credentials and cookies, collects documents, logs keystrokes, captures screenshots, and exfiltrates stolen data through Discord webhooks.
Python-based stealer that establishes persistence via the Run registry key, steals Chromium browser credentials, copies Firefox cookies, collects documents, captures screenshots, logs keystrokes, stages data in ZIP archives, and exfiltrates via Discord webhooks. The content indicates it specifically used Turkish-language keywords and messages, suggesting targeting of Turkish speakers or Turkish sites.
Information-stealing malware that performs stealthy surveillance and data theft, including harvesting Chrome/Chromium-based browser credentials and documents from the user home directory, staging them in a temporary directory, compressing and exfiltrating them (via Discord webhooks), and then deleting temporary artifacts.