A newly identified Python-based malware, SolyxImmortal, is making the rounds in underground channels, offering a “monolithic” surveillance tool that prioritizes persistence over destruction. In a new analysis, researchers at CYFIRMA detail how this info-stealer leverages legitimate platforms like Discord to silently harvest sensitive data while hiding in plain sight.
Unlike modular malware that downloads components as needed, SolyxImmortal arrives as a single, self-contained package. Once executed, it digs in for the long haul.
“SolyxImmortal is a Python-based Windows information-stealing malware that combines credential theft, document harvesting, keystroke logging, screen surveillance, and persistence into a single, continuously running implant,” the report explains.
The malware’s design philosophy is clear: stay quiet and stay persistent. “Its design emphasizes stealth, reliability, and long-term access rather than rapid execution or destructive behaviour,” the researchers write. It runs entirely in user space, with no kernel driver, the kind of component most likely to trigger security tooling.
One of the malware’s most notable features is its reliance on Discord for command-and-control (C2). Stolen data is posted to hardcoded webhook URLs over ordinary HTTPS to discord.com, so the exfiltration blends into traffic that most environments allow and rarely inspect, and there is no attacker-owned server for defenders to block or sinkhole.
“The malware statically embeds all command-and-control parameters within the source code… The inclusion of a hardcoded Discord user ID enables direct operator mentions, ensuring that high-value events generate immediate notifications.”
This setup gives operators near-real-time alerts on specific triggers, such as a window title that suggests a banking or login page. The malware uses two distinct webhooks: one for harvested files and logs, and another reserved for screenshots. The flip side for defenders is that every one of these hardcoded values is an indicator: the webhook URLs can be extracted from the script and reported to Discord for removal, and the operator’s user ID ties the campaign to a specific account.
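The two sides of that webhook pattern, as an added example written for this article rather than code from CYFIRMA or from the malware: a regex pass that pulls hardcoded webhook URLs and the @-mentioned operator ID out of a strings dump of the script, and a matcher that flags webhook POSTs in proxy logs and ties them back to the recovered IDs. The webhook IDs, tokens, user ID, proxy-log lines and the eight-column log format are all constructed for illustration.

```python
"""Hunting helpers for the Discord-webhook C2 pattern described above.

Added example for this article, not CYFIRMA's analysis code or the
malware's own source. Webhook IDs, tokens, the operator user ID and the
proxy-log lines are constructed; the log format is hypothetical.
"""
import re
from dataclasses import dataclass

# A webhook URL is /api/webhooks/<snowflake id>/<token>. Snowflakes are
# 17-20 digit integers; tokens are long URL-safe strings, so a generous
# minimum length keeps short documentation-style links out of the match.
WEBHOOK_RE = re.compile(
    r"https?://(?:ptb\.|canary\.)?discord(?:app)?\.com"
    r"/api/webhooks/(\d{17,20})/([A-Za-z0-9_\-]{50,})"
)
# "<@id>" (or "<@!id>") in message content is how a webhook post mentions
# a user; a hardcoded operator ID shows up in the script in this form.
MENTION_RE = re.compile(r"<@!?(\d{17,20})>")

# Interpreters that have no business posting to webhooks from a workstation.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass(frozen=True)
class WebhookIOC:
    webhook_id: str
    token: str


def extract_webhook_iocs(text: str) -> list[WebhookIOC]:
    """Unique hardcoded webhooks in a strings dump, in order of first use."""
    out: list[WebhookIOC] = []
    for wid, tok in WEBHOOK_RE.findall(text):
        ioc = WebhookIOC(wid, tok)
        if ioc not in out:
            out.append(ioc)
    return out


def extract_operator_ids(text: str) -> set[str]:
    """User IDs the implant would @-mention; they identify the operator account."""
    return set(MENTION_RE.findall(text))


@dataclass
class Finding:
    line_no: int
    process: str
    webhook_id: str
    severity: str
    reason: str


def flag_proxy_lines(lines) -> list[Finding]:
    """Flag POSTs to Discord webhooks. Constructed log columns:
    ts client process method host path content-type bytes"""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split()
        if len(parts) != 8:
            continue
        _ts, _src, proc, method, host, path, ctype, _size = parts
        m = re.match(r"/api/webhooks/(\d{17,20})/", path)
        if method != "POST" or not m:
            continue
        if not (host.endswith("discord.com") or host.endswith("discordapp.com")):
            continue
        # Attachments (screenshots, harvested documents) arrive as multipart
        # uploads or raw images; plain JSON is a text message or alert.
        upload = ctype.startswith("multipart/") or ctype.startswith("image/")
        sev = "high" if proc.lower() in SCRIPT_HOSTS else "medium"
        reason = ("file attachment" if upload else "message") + " posted to webhook"
        findings.append(Finding(n, proc, m.group(1), sev, reason))
    return findings


def match_known_webhooks(findings, iocs):
    """Findings whose webhook ID was recovered from the implant itself."""
    known = {i.webhook_id for i in iocs}
    return [f for f in findings if f.webhook_id in known]


# Constructed strings-dump excerpt and proxy log; none of these values is real.
SAMPLE_STRINGS = """
WEBHOOK_FILES = "https://discord.com/api/webhooks/112233445566778899/aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789abcdefghijklmnopqrstuvwxyzABCDE"
WEBHOOK_SHOTS = "https://discord.com/api/webhooks/998877665544332211/ZyXwVuTsRqPoNmLkJiHgFeDcBa9876543210zyxwvutsrqponmlkjihgfedcbaZYXWV"
ALERT_FMT = "<@123456789012345678> keyword hit: {title}"
"""

SAMPLE_PROXY_LOG = """\
2025-01-10T09:12:01Z 10.0.0.5 pythonw.exe POST discord.com /api/webhooks/112233445566778899/aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789abcdefghijklmnopqrstuvwxyzABCDE multipart/form-data 418233
2025-01-10T09:12:05Z 10.0.0.5 chrome.exe GET discord.com /api/v9/users/@me - 812
2025-01-10T09:13:44Z 10.0.0.7 Discord.exe POST discord.com /api/v9/channels/111/messages application/json 301
2025-01-10T09:15:02Z 10.0.0.5 pythonw.exe POST discord.com /api/webhooks/998877665544332211/ZyXwVuTsRqPoNmLkJiHgFeDcBa9876543210zyxwvutsrqponmlkjihgfedcbaZYXWV image/png 98122
2025-01-10T09:20:19Z 10.0.0.9 node.exe POST discord.com /api/webhooks/555566667777888899/someOtherToken application/json 120
"""

if __name__ == "__main__":
    iocs = extract_webhook_iocs(SAMPLE_STRINGS)
    hits = flag_proxy_lines(SAMPLE_PROXY_LOG.splitlines())
    for f in match_known_webhooks(hits, iocs):
        print(f"line {f.line_no}: {f.process} {f.reason} ({f.webhook_id}) [{f.severity}]")
```

The Discord desktop client and browsers talk to discord.com constantly, which is exactly why the malware's traffic hides well; the discriminators are the `/api/webhooks/` path, a POST from a script interpreter, and a webhook ID that also appears in the implant's source.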
Once established, SolyxImmortal begins a comprehensive data harvesting operation. It targets:
- Browser Data: Decrypting saved credentials from Chrome, Edge, Brave, and Opera GX (all Chromium-based) using Windows DPAPI, which decrypts under the victim’s own logon session and therefore needs no elevated privileges.
- Keystrokes: Logging every key press into an in-memory buffer that is periodically flushed to the attacker’s webhook.
- Screenshots: Capturing the user’s screen both at regular intervals and when specific keywords (like “login” or “bank”) appear in window titles.
- Documents: Scouring the user’s home directory for files with extensions like .txt, .pdf, and .docx, skipping anything larger than 10MB to keep uploads small and unremarkable.
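The browser-credential step is the one with a clean host-side signal: a non-browser process opening the Chromium profile files that hold the DPAPI-wrapped key and the encrypted secrets, followed by a connection to Discord from the same process. The following is an added example for this article, not CYFIRMA's or the implant's code; the event records are constructed, Sysmon-style file-access and network-connect entries, and the rule assumes the implant reads the standard profile files of the four browsers named (Chrome, Edge and Brave under "User Data", Opera GX directly under its Roaming directory).

```python
"""Host-side correlation for the harvesting behaviour listed above.

Added example for this article, not CYFIRMA's or the implant's code.
SAMPLE_EVENTS are constructed Sysmon-style records (file access and
network connect, grouped by pid); the rule assumes the implant reads the
standard Chromium profile files that hold DPAPI-protected browser secrets.
"""
from collections import defaultdict

# Profile roots of the four browsers the report names (all Chromium-based).
# Chrome, Edge and Brave keep profiles under "User Data"; Opera GX keeps
# its profile files directly under its Roaming directory.
PROFILE_ROOTS = {
    "chrome":  "\\google\\chrome\\user data\\",
    "edge":    "\\microsoft\\edge\\user data\\",
    "brave":   "\\bravesoftware\\brave-browser\\user data\\",
    "operagx": "\\opera software\\opera gx stable\\",
}
# "Local State" holds the DPAPI-wrapped key; the others hold the secrets
# that key decrypts (passwords, cookies, autofill).
CRED_FILES = {"local state", "login data", "cookies", "web data"}
# Each browser reading its own profile is normal; anything else is not.
BROWSER_IMAGES = {"chrome": "chrome.exe", "edge": "msedge.exe",
                  "brave": "brave.exe", "operagx": "opera.exe"}
DISCORD_HOSTS = ("discord.com", "discordapp.com", "discord.gg")


def classify_cred_read(path: str):
    """Return the browser whose credential store `path` belongs to, else None."""
    p = path.lower()
    if p.rsplit("\\", 1)[-1] not in CRED_FILES:
        return None
    for browser, root in PROFILE_ROOTS.items():
        if root in p:
            return browser
    return None


def correlate(events):
    """Report processes that read a credential store they do not own,
    noting whether the same pid also connected to Discord."""
    def fresh():
        return {"image": None, "cred_files": [], "browsers": set(),
                "discord_egress": False}
    by_pid = defaultdict(fresh)
    for ev in events:
        rec = by_pid[ev["pid"]]
        rec["image"] = ev["image"]
        if ev["type"] == "file":
            browser = classify_cred_read(ev["target"])
            if browser:
                rec["cred_files"].append(ev["target"])
                rec["browsers"].add(browser)
        elif ev["type"] == "net":
            host = ev["target"].rsplit(":", 1)[0].lower()
            if host.endswith(DISCORD_HOSTS):
                rec["discord_egress"] = True
    report = {}
    for pid, rec in by_pid.items():
        if not rec["cred_files"]:
            continue
        exe = rec["image"].rsplit("\\", 1)[-1].lower()
        if all(BROWSER_IMAGES[b] == exe for b in rec["browsers"]):
            continue  # the browser touching its own profile
        rec["verdict"] = ("credential theft with Discord egress"
                          if rec["discord_egress"]
                          else "non-browser credential store access")
        report[pid] = rec
    return report


# Constructed telemetry. pid 4120 is the implant pattern; 2200 is Chrome
# itself; 6100 reads the Opera GX store without egress; 5100 only talks to
# Discord (a legitimate bot or the desktop client would look like this).
PY = "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python311\\pythonw.exe"
LOCAL = "C:\\Users\\alice\\AppData\\Local\\"
ROAM = "C:\\Users\\alice\\AppData\\Roaming\\"
SAMPLE_EVENTS = [
    {"pid": 4120, "image": PY, "type": "file", "target": LOCAL + "Google\\Chrome\\User Data\\Local State"},
    {"pid": 4120, "image": PY, "type": "file", "target": LOCAL + "Google\\Chrome\\User Data\\Default\\Login Data"},
    {"pid": 4120, "image": PY, "type": "file", "target": "C:\\Users\\alice\\Documents\\invoice.pdf"},
    {"pid": 4120, "image": PY, "type": "net", "target": "discord.com:443"},
    {"pid": 2200, "image": LOCAL + "Google\\Chrome\\Application\\chrome.exe", "type": "file",
     "target": LOCAL + "Google\\Chrome\\User Data\\Default\\Login Data"},
    {"pid": 6100, "image": "C:\\Tools\\backup.exe", "type": "file",
     "target": ROAM + "Opera Software\\Opera GX Stable\\Login Data"},
    {"pid": 5100, "image": PY, "type": "net", "target": "discord.com:443"},
]

if __name__ == "__main__":
    for pid, rec in correlate(SAMPLE_EVENTS).items():
        print(pid, rec["image"].rsplit("\\", 1)[-1], sorted(rec["browsers"]), rec["verdict"])
```

Because DPAPI decrypts for whoever is logged on, there is no privilege boundary to alert on; the file open itself is the event worth collecting, so make sure the endpoint sensor actually logs reads of "Local State" and "Login Data" rather than only writes.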
Despite its capabilities, SolyxImmortal appears to be the work of mid-tier actors rather than a state-sponsored APT. The report notes that the malware was initially distributed via an underground Telegram channel known for sharing commodity tools.
“The combination of Telegram-based distribution, Discord-centric infrastructure abuse, and hacktivist community overlap suggests that this malware is likely intended for opportunistic data theft and surveillance rather than targeted, financially motivated campaigns.”
Interestingly, code analysis points to a specific geographic origin. “Further analysis of the malware’s codebase reveals several linguistic, structural, and operational characteristics that suggest a potential link to a Turkish-speaking threat actor,” assessed with medium confidence.
SolyxImmortal represents a growing trend of “accessible” surveillance tools that lower the barrier to entry for cybercriminals. While it may lack the sophistication of advanced nation-state malware, its ability to persist and silently exfiltrate data makes it a credible risk for individuals and small organizations.