Technical Analysis: SolyxImmortal Python-Based Information Stealer Targeting Turkish Users
A sophisticated new threat, dubbed SolyxImmortal, has been identified as an active information stealer leveraging the Python programming language to compromise sensitive user data. The malware is engineered to exfiltrate a broad spectrum of high-value information, including browser credentials, session cookies, local documents, real-time screenshots, and keystroke logs.
By utilizing standard Python libraries and a multi-threaded execution model, SolyxImmortal can perform multiple surveillance and data-theft operations concurrently. This parallel processing architecture not only increases the efficiency of the theft but also helps the malware maintain a lower operational profile during its execution window.
According to intelligence gathered by Cyfirma and other security researchers, the campaign appears to be highly localized, specifically targeting Turkish-speaking users. The malware utilizes Discord webhooks as its primary Command and Control (C2) mechanism for data exfiltration, allowing malicious traffic to blend in with legitimate HTTPS requests.
The analyzed sample (SHA256: 5a1b440861ef652cc207158e7e129f0b3a22ed5ef5d2ea5968e1d9eff33017bc) is remarkably compact, totaling just over 10 KB. However, its small footprint belies a complex functional scope achieved through the strategic import of built-in and third-party Python modules capable of deep OS interaction and cryptographic manipulation.

Upon initial execution, SolyxImmortal focuses on establishing persistence. It accomplishes this by masquerading as a system component, copying itself to the %APPDATA%\WindowsGraphics directory and modifying the Windows Registry via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key. This ensures the payload re-executes automatically upon every user login. After a calculated 15-second delay—likely intended to bypass simple sandbox analysis—the malware spawns multiple threads to begin its collection cycle.
Credential and Data Harvesting Mechanisms
One of the primary objectives of SolyxImmortal is the theft of browser-stored credentials. It specifically targets Chromium-based browsers (such as Google Chrome and Microsoft Edge) by accessing local SQLite databases. The malware retrieves encrypted credentials and utilizes native Windows cryptographic APIs to perform the decryption process. These stolen credentials are then saved to a local file named sifreler.txt (the Turkish word for “passwords”). Additionally, it targets Firefox users by harvesting cookie database files directly from user profile directories.
As detailed in a technical report by Pulsedive, the malware also performs recursive directory scanning to locate sensitive documents. To avoid detection and minimize footprint, it filters for specific file extensions—including .txt, .pdf, .docx, and .xlsx—and only targets files within a size range of 100 bytes to 10 MB. These files are staged in a temporary directory and compressed into an archive prior to exfiltration.
To facilitate real-time monitoring, SolyxImmortal employs a keylogger. Captured keystrokes are buffered and transmitted to the attacker’s infrastructure in JSON format every 60 seconds. This capability allows threat actors to intercept everything from private communications to real-time login attempts.
Furthermore, the malware features a trigger-based screenshot function. While it takes periodic captures, it is also programmed to trigger an immediate screenshot if the active window title contains specific keywords. Many of these keywords are Turkish-language terms related to banking and financial portals, indicating a highly targeted approach to credential harvesting.

Exfiltration and Threat Landscape
The use of Discord webhooks for exfiltration is a tactical choice designed to circumvent traditional network security monitoring. By routing stolen data through Discord’s infrastructure, the attacker’s traffic mimics legitimate user activity. The exfiltration payloads themselves frequently contain Turkish phrases, reinforcing the evidence of a localized campaign.

SolyxImmortal serves as a stark reminder of how threat actors can leverage the accessibility of Python to build modular, highly effective malware. The reliance on legitimate libraries and trusted third-party services like Discord highlights the evolving trend of “living off the land” and utilizing “gray” services to maintain stealth.
Mitigation Strategies:
- Monitor for unusual outbound HTTPS traffic, particularly to Discord API endpoints.
- Implement Endpoint Detection and Response (EDR) solutions capable of identifying suspicious Python script behavior.
- Restrict the execution of unapproved scripting environments (like Python) on sensitive workstations.
- Monitor registry modifications within the
Runkeys for unauthorized entries.