Execution flow of SolyxImmortal | Image: Pulsedive Threat Research
Security researchers recently discovered a dangerous new threat targeting internet users worldwide. The SolyxImmortal info stealer harvests sensitive data from compromised Windows systems, targeting local text files, web browsers, and live keystrokes. The malware is written in Python and leverages existing Python libraries to extend its capabilities.
Analyzing the Malware Execution Flow
To begin, the malicious script first establishes persistent access on the victim’s device. According to the technical report from Pulsedive Threat Research, “The script starts by adding persistence by copying itself to the APPDATA folder”. Subsequently, it modifies the Windows registry Run key to ensure execution during every system startup. It saves itself as a hidden system file named win_gfx_driver.exe inside a custom directory. Therefore, the malware easily survives system reboots without alerting the casual user.
Comprehensive Data Harvesting Capabilities
Furthermore, the SolyxImmortal info stealer targets sensitive credentials stored inside popular Chromium-based web browsers. To achieve this, it extracts local decryption keys to unlock saved user passwords. The script then interacts with an underlying sqlite3 database to gather usernames and website URLs. Ultimately, “The malware writes the data to a file named sifreler.txt” inside a temporary staging folder. Beyond these browsers, it also copies database files containing cookies from Mozilla Firefox profiles.
Targeted File Exfiltration
Additionally, the script carefully searches the local hard drive for specific documents of interest. It iteratively scans the user’s home directory while skipping common system configuration folders. Specifically, the threat targets text files, Word documents, Excel sheets, and PDF files. However, it only targets files between 100 bytes and 10 megabytes in size. This specific size limitation helps the malware avoid large system files during data collection.
Continuous Keylogging and Screen Capture
Beyond file theft, the software records user keystrokes, polling for input every second. Meanwhile, a parallel thread captures periodic screenshots of the active desktop. Notably, the threat also takes ad-hoc screenshots whenever the active window title matches specific keywords. These predefined terms target sensitive pages such as banking applications, crypto wallets, and Gmail accounts. Consequently, the attackers gain complete visibility into user activity.
Language Clues and Discord Webhooks
Interestingly, the configuration file uses several Turkish words within its core functions. This linguistic pattern strongly suggests that the threat actors primarily target Turkish-speaking audiences. For data delivery, the malware relies on popular chat platform infrastructure to send the harvested data. Specifically, “Public reporting from Cyfirma indicates that the malware exfiltrates data via Discord webhooks.” This technique allows the stolen information to blend in with legitimate internet traffic.
Strategies for Effective Endpoint Defense
In conclusion, this Python-based threat represents a highly adaptable tool for modern cybercriminals. Consequently, users must keep their endpoint security systems updated to detect suspicious script behavior. Monitoring unauthorized registry modifications can also effectively prevent initial execution. Ultimately, staying vigilant against unknown files remains the best defense.
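The persistence technique described above (a copy of the malware under APPDATA, registered in a Run key) and the recommendation to monitor registry modifications can be turned into a simple detection. The following Python is an added example, not code from the article or from Pulsedive; it runs over constructed registry-set events whose field shape is loosely modelled on Sysmon Event ID 13 and flags autostart values that point into user-writable directories, carry a system-sounding name, or were written by a script interpreter.

```python
import re

# Constructed registry-set events (fields loosely modelled on Sysmon Event ID 13,
# renamed for brevity). None of these are real telemetry.
SAMPLE_EVENTS = [
    {"target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\win_gfx_driver",
     "details": r"C:\Users\alice\AppData\Roaming\gfx\win_gfx_driver.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\installer.exe"},
    {"target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background",
     "image": r"C:\Program Files\Microsoft OneDrive\OneDriveSetup.exe"},
    {"target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater",
     "details": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "image": r"C:\Python311\python.exe"},
    {"target": r"HKU\S-1-5-21-1\Software\Contoso\Setting",
     "details": "1",
     "image": r"C:\Windows\explorer.exe"},
]

# The Run key the article names, plus RunOnce, which serves the same purpose.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# Directories an unprivileged user can write to; legitimate autostart entries rarely live here.
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.I)
# Vocabulary borrowed to look like a system component (the sample uses "win_gfx_driver").
MASQUERADE_RE = re.compile(r"(driver|svc|service|update)", re.I)
# Interpreters that are not the normal writer of a Run key value.
SCRIPT_HOST_RE = re.compile(r"\\(python\w*|py|wscript|cscript|powershell)\.exe$", re.I)

def run_key_alerts(events):
    """Return one alert per suspicious Run/RunOnce value, with the reasons it fired."""
    alerts = []
    for ev in events:
        if not RUN_KEY_RE.search(ev["target"]):
            continue  # not an autostart key; ignore
        value_name = ev["target"].rsplit("\\", 1)[1]
        reasons = []
        if USER_WRITABLE_RE.search(ev["details"]):
            reasons.append("autostart target in user-writable directory")
            if MASQUERADE_RE.search(value_name):
                reasons.append("system-sounding name outside system directories")
        if SCRIPT_HOST_RE.search(ev["image"]):
            reasons.append("value written by a script interpreter")
        if reasons:
            alerts.append({"value": value_name, "target": ev["details"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in run_key_alerts(SAMPLE_EVENTS):
        print(f"{a['value']}: {a['target']} <- {'; '.join(a['reasons'])}")
```

The OneDrive entry passes because it points into Program Files, which is the kind of baseline that keeps this check low-noise on real hosts.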