SolyxImmortal: The Silent Stealer Hijacking Credentials, Sessions, and Screens in Plain Sight

SolyxImmortal Stealer

Disclosure timeframe: January 2026
Malware type: Information-stealing malware (credential and session hijacking)


Executive Summary

SolyxImmortal is a newly identified information-stealing malware designed to silently harvest credentials, browser session tokens, keystrokes, screenshots, and user documents from Windows systems. It operates entirely in user space, requires no administrative privileges, and relies on social engineering rather than software exploits for initial access.

Once executed, the malware establishes persistence, runs continuously in the background, and exfiltrates stolen data to attacker-controlled webhooks hosted on Discord. The design prioritizes stealth, resilience, and ease of deployment, making it suitable for opportunistic credential theft and account takeover operations.

There is no evidence at this time that SolyxImmortal was used in a targeted enterprise intrusion campaign; however, its capabilities make it dangerous in corporate environments where browser-based authentication, cloud services, and single sign-on are heavily used.


What Happened

SolyxImmortal was observed circulating in underground messaging channels where commodity malware and “stealer” tools are shared and sold. The malware is distributed as a Python script that is commonly packaged into a Windows executable so that it appears legitimate and is easier for victims to run.

The infection requires the user to execute the file. There is no exploitation of operating system or application vulnerabilities. Once run, the malware installs itself in the user profile, ensures it runs at every login, and begins harvesting data immediately.


How It Happened

  • Primary vector: Social engineering
    • Malicious attachments
    • Trojanized tools or cracked software
    • Shared scripts or executables presented as legitimate utilities
  • No exploit usage:
    The malware does not leverage vulnerabilities, macros, or privilege escalation.
  • Execution context:
    Runs under the current user account with standard privileges.

This makes SolyxImmortal particularly effective against environments without application allow-listing or strong endpoint execution controls.


Malware Architecture and Payload Overview

SolyxImmortal is implemented as a single monolithic Python-based implant that manages multiple background tasks through internal threads. It does not drop secondary payloads, loaders, or additional executables.

Observed payload components:

  • Credential harvesting module
  • Browser session and cookie theft
  • Keylogging engine
  • Screenshot capture engine
  • File discovery and collection logic
  • Compression and staging logic
  • Network exfiltration client
  • Persistence mechanism

Detailed Technical Behavior

1. Execution and Persistence

  • The malware copies itself into a hidden directory under a user-writable location such as:
    • %AppData%
    • %LocalAppData%
  • File attributes are often modified to appear hidden or system-related.
  • Persistence is achieved by adding an autorun entry under: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  • No administrative permissions are required.

2. Credential Theft (Browser-Based)

SolyxImmortal targets Chromium-based browsers, including Chrome, Edge, Brave, and others.

It performs the following steps:

  1. Locates browser profile directories.
  2. Reads the Local State file to extract the encrypted master key.
  3. Uses Windows DPAPI to decrypt the master key.
  4. Opens browser SQLite credential databases.
  5. Decrypts stored usernames and passwords using AES-GCM.
  6. Stores recovered credentials in memory for exfiltration.

This allows attackers to recover plaintext passwords saved in browsers.


3. Session Token and Cookie Theft

Beyond passwords, the malware extracts:

  • Browser cookies
  • Active session tokens
  • Authentication artifacts that allow session hijacking

This enables attackers to access accounts without knowing the password, even if MFA is enabled, until the session is revoked.


4. Keystroke Logging

  • Implements a persistent keyboard hook.
  • Captures all keystrokes entered by the user.
  • Normalizes special keys for readability.
  • Buffers keystrokes and sends them periodically to reduce network noise.

5. Screenshot Capture

  • Continuously monitors the active foreground window title.
  • When keywords related to authentication or sensitive activity are detected, it captures screenshots.
  • Also performs periodic screenshots regardless of activity.
  • Screenshots are exfiltrated immediately using a dedicated channel.

6. Document and File Harvesting

  • Recursively scans the user profile directory.
  • Filters files based on extension and size.
  • Copies selected files into a temporary staging directory.
  • Compresses the data into archive files for upload.

7. Data Exfiltration

  • Uses HTTPS POST requests to attacker-controlled Discord webhooks.
  • Separate webhook endpoints are typically used for:
    • Structured data (credentials, logs, archives)
    • Screenshot uploads
  • Traffic appears as normal encrypted HTTPS traffic to a well-known cloud service, reducing detection likelihood.

8. Cleanup and Stealth

  • Temporary staging files and archives are deleted after upload.
  • The malware remains persistent and continues monitoring.
  • Error handling ensures the process continues even if some components fail.

Impacted Systems and Likely Victims

  • Primary targets:
    • Individual users
    • Small businesses
    • Contractors and freelancers
  • Enterprise risk:
    • Corporate credentials
    • Cloud service access
    • VPN and SSO sessions
    • Administrative browser sessions

There is no industry-specific targeting; risk is determined by user behavior and execution, not organizational profile.


Vulnerabilities Exploited

  • None
  • SolyxImmortal relies entirely on:
    • User execution
    • Legitimate OS APIs
    • Standard cryptographic and browser behaviors

Known Indicators of Compromise (IOCs)

File-Based IOCs

  • Observed filename: Lethalcompany.py
  • MD5: 2690f7c685784fff006fe451fa3b154c
  • SHA-256: 5a1b440861ef652cc207158e7e129f0b3a22ed5ef5d2ea5968e1d9eff33017bc

File System Artifacts

Suspicious locations:

%AppData%\*
%LocalAppData%\*
%Temp%\*
%UserProfile%\*

Indicators:

  • Executables running from user directories
  • Hidden folders with recent creation timestamps
  • Short-lived archive files

Registry Persistence IOCs

Key:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Indicators:

  • New values pointing to user-writable paths
  • Generic or misleading value names
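As an added example (not code from the original post), the following Python script applies the registry indicators above to Run-key values: it flags commands that point into a user-writable path, commands that launch a script host instead of an installed program, and value names that imitate OS components. The interpreter list, the generic-name word list and the sample values are constructed assumptions; on a Windows host the script reads the live HKCU Run key through winreg, elsewhere it falls back to the sample values.

```python
"""Triage of HKCU Run-key values against the persistence indicators.
Added example, not code from the original post. The interpreter list, the
generic-name word list and the sample values are constructed assumptions."""
import ntpath
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"

# Substrings that place a command line inside a user-writable location.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\")
# Script hosts: a Run value that launches one of these is running a script,
# not an installed program (assumption: adjust to your environment).
INTERPRETERS = {"python.exe", "pythonw.exe", "wscript.exe", "cscript.exe",
                "powershell.exe", "cmd.exe"}
# Words that make a value name look like an OS component (heuristic).
GENERIC_NAME_WORDS = ("windows", "update", "microsoft", "system", "security")


def extract_image(command: str) -> str:
    """Return the program path from a Run value, stripping quotes and arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def classify_run_value(name: str, data: str) -> list[str]:
    """Return the reasons a Run value matches the indicators (empty if none)."""
    reasons = []
    lowered = data.lower()
    # ntpath handles Windows separators even when run on a non-Windows analyst box.
    image_name = ntpath.basename(extract_image(data)).lower()
    if any(marker in lowered for marker in USER_WRITABLE_MARKERS):
        reasons.append("command points into a user-writable path")
    if image_name in INTERPRETERS:
        reasons.append(f"launches a script host ({image_name})")
    if any(word in name.lower() for word in GENERIC_NAME_WORDS):
        reasons.append("generic or OS-sounding value name")
    return reasons


def enumerate_run_key() -> list[tuple[str, str]]:
    """Read the live HKCU Run key on Windows; return [] on other platforms."""
    if sys.platform != "win32":
        return []
    import winreg  # Windows-only module
    values = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        index = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # raised when no more values remain
                break
            values.append((name, str(data)))
            index += 1
    return values


def triage(values) -> dict[str, list[str]]:
    """Map each suspicious value name to its reasons; clean values are omitted."""
    return {name: reasons for name, data in values
            if (reasons := classify_run_value(name, data))}


# Constructed sample values: one benign entry and two matching the indicators.
SAMPLE_VALUES = [
    ("Steam", r'"C:\Program Files (x86)\Steam\steam.exe" -silent'),
    ("Windows Update", r"C:\Users\alice\AppData\Roaming\WinSys\pythonw.exe "
                       r"C:\Users\alice\AppData\Roaming\WinSys\update.py"),
    ("Lethalcompany", r'"C:\Users\alice\AppData\Local\Temp\Lethalcompany.exe"'),
]

if __name__ == "__main__":
    values = enumerate_run_key() or SAMPLE_VALUES
    for name, reasons in triage(values).items():
        print(f"[!] {name}: {'; '.join(reasons)}")
```

The three checks are deliberately independent so that a hit on any one of them is reported; a value that launches pythonw.exe from %AppData% under an OS-sounding name trips all three, which is the profile the indicators above describe.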

Network Indicators

  • HTTPS POST requests to:
    • discord.com/api/webhooks/
    • cdn.discordapp.com
  • Background processes initiating outbound connections without user interaction

High-Confidence Behavioral Indicators

  • Non-browser processes accessing:
    • Browser credential databases
    • Local State files
  • Use of DPAPI functions by unexpected processes
  • Silent screenshot creation
  • Keyboard hooks in non-input software
  • Archive creation followed by immediate outbound traffic

EDR Hunting Queries

The queries below are vendor-neutral pseudo-queries; map the field names onto your EDR's schema before use.

1. Execution from User-Writable Paths

ProcessStart
WHERE (ImagePath CONTAINS "\AppData\" OR ImagePath CONTAINS "\Temp\")
AND FileExtension IN (".exe", ".py", ".bat")

2. Registry Run Key Persistence

RegistryModification
WHERE RegistryKey CONTAINS "CurrentVersion\Run"
AND (RegistryValueData CONTAINS "\AppData\" OR RegistryValueData CONTAINS "\Temp\")

3. Browser Credential Database Access

FileAccess
WHERE FileName IN ("Login Data", "Local State")
AND ProcessName NOT IN ("chrome.exe", "msedge.exe", "brave.exe")

4. DPAPI Abuse

API_Call
WHERE ApiName IN ("CryptUnprotectData", "CryptProtectData")
AND ProcessName NOT IN known_browser_processes

5. Screenshot Capture

FileCreate
WHERE FileExtension IN (".png", ".jpg")
AND ProcessHasNoVisibleWindow = true

6. Keylogging Behavior

API_Call
WHERE ApiName IN ("SetWindowsHookEx", "GetAsyncKeyState")
AND ProcessCategory NOT IN ("Accessibility", "InputDevice")

7. Archive Creation + Exfiltration

FileCreate (Archive)
FOLLOWED BY NetworkConnection (HTTPS POST)
WITHIN 60 seconds
FROM same ProcessId

8. Discord Webhook Exfiltration

NetworkConnection
WHERE HttpMethod = "POST"
AND DestinationDomain CONTAINS "discord"
AND ProcessName NOT IN approved_applications
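As an added example, not part of the original post, the Python below implements hunting queries 1, 3, 4, 6, 7 and 8 as a single pass over telemetry events, so the logic, including the 60-second archive-to-POST correlation, can be tested offline before it is translated into an EDR's query language. The event schema, the allow-lists standing in for known_browser_processes and approved_applications, and the sample events are constructed assumptions; queries 2 and 5 are left out because registry and window-visibility telemetry is not modelled here.

```python
"""Hunting queries 1, 3, 4, 6, 7 and 8 as offline rules over telemetry events.
Added example, not from the original post. The event schema, the allow-lists
and the sample events are constructed assumptions."""
from collections import defaultdict

BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe"}
# Stand-ins for known_browser_processes, approved_applications and the
# Accessibility/InputDevice process category used in the queries.
DPAPI_EXPECTED = BROWSERS | {"lsass.exe", "explorer.exe"}
DISCORD_APPROVED = BROWSERS | {"discord.exe"}
INPUT_SOFTWARE = {"explorer.exe", "narrator.exe", "osk.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\")
EXEC_EXT = (".exe", ".py", ".bat")
ARCHIVE_EXT = (".zip", ".7z", ".rar")
CORRELATION_WINDOW = 60  # seconds, as in query 7


def hunt(events):
    """Run every rule over events (dicts sorted by ts); return (rule, pid) hits."""
    hits = []
    archive_times = defaultdict(list)  # pid -> timestamps of archive creation
    for e in events:
        proc, pid, kind = e["process"].lower(), e["pid"], e["type"]
        if kind == "ProcessStart":  # query 1
            image = e["image"].lower()
            if any(m in image for m in USER_WRITABLE) and image.endswith(EXEC_EXT):
                hits.append(("exec_from_user_writable_path", pid))
        elif kind == "FileAccess":  # query 3
            if e["file"] in ("Login Data", "Local State") and proc not in BROWSERS:
                hits.append(("browser_credential_db_access", pid))
        elif kind == "ApiCall":  # queries 4 and 6
            if e["api"] in ("CryptUnprotectData", "CryptProtectData") and proc not in DPAPI_EXPECTED:
                hits.append(("dpapi_from_unexpected_process", pid))
            if e["api"] in ("SetWindowsHookEx", "GetAsyncKeyState") and proc not in INPUT_SOFTWARE:
                hits.append(("keyboard_hook", pid))
        elif kind == "FileCreate":  # query 7, first half: remember archive creation per pid
            if e["file"].lower().endswith(ARCHIVE_EXT):
                archive_times[pid].append(e["ts"])
        elif kind == "NetworkConnection" and e.get("method") == "POST":
            # query 7, second half: POST within the window after an archive from the same pid
            if any(0 <= e["ts"] - t <= CORRELATION_WINDOW for t in archive_times[pid]):
                hits.append(("archive_then_post", pid))
            if "discord" in e["dest"].lower() and proc not in DISCORD_APPROVED:  # query 8
                hits.append(("discord_webhook_post", pid))
    return hits


def summarize(hits):
    """Group hits per pid: {pid: sorted unique rule names}."""
    by_pid = defaultdict(set)
    for rule, pid in hits:
        by_pid[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items()}


# Constructed telemetry: pid 4120 follows the stealer's behaviour, the rest is benign.
SAMPLE_EVENTS = [
    {"type": "ProcessStart", "ts": 0, "pid": 4120, "process": "Lethalcompany.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\Lethalcompany.exe"},
    {"type": "FileAccess", "ts": 5, "pid": 4120, "process": "Lethalcompany.exe", "file": "Local State"},
    {"type": "ApiCall", "ts": 6, "pid": 4120, "process": "Lethalcompany.exe", "api": "CryptUnprotectData"},
    {"type": "FileAccess", "ts": 7, "pid": 4120, "process": "Lethalcompany.exe", "file": "Login Data"},
    {"type": "ApiCall", "ts": 8, "pid": 4120, "process": "Lethalcompany.exe", "api": "SetWindowsHookEx"},
    {"type": "FileAccess", "ts": 9, "pid": 2200, "process": "chrome.exe", "file": "Login Data"},
    {"type": "ApiCall", "ts": 10, "pid": 2200, "process": "chrome.exe", "api": "CryptUnprotectData"},
    {"type": "FileCreate", "ts": 100, "pid": 4120, "process": "Lethalcompany.exe",
     "file": r"C:\Users\alice\AppData\Local\Temp\stage\loot.zip"},
    {"type": "NetworkConnection", "ts": 130, "pid": 4120, "process": "Lethalcompany.exe",
     "method": "POST", "dest": "discord.com"},
    {"type": "NetworkConnection", "ts": 140, "pid": 3300, "process": "discord.exe",
     "method": "POST", "dest": "discord.com"},
]

if __name__ == "__main__":
    for pid, rules in summarize(hunt(SAMPLE_EVENTS)).items():
        print(pid, rules)
```

Running it over the sample shows why the behavioural rules matter more than any single IOC: the browser and the Discord client touch the same databases, APIs and endpoints without producing a hit, while the one process that chains them all is flagged by six rules.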

Incident Response Priorities

  1. Isolate the affected endpoint immediately
  2. Disable the impacted user account
  3. Revoke all active sessions and tokens (SSO, VPN, cloud apps)
  4. Collect forensic artifacts (memory, registry, user directories)
  5. Force password resets for all affected credentials
  6. Assume session hijack until proven otherwise

Defender Takeaways

  • No exploit required; user execution is the root cause
  • Browser session theft makes MFA insufficient without token revocation
  • Behavior-based EDR detection is critical
  • Cloud webhook abuse should be monitored closely
  • Application allow-listing significantly reduces risk

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.