SolyxImmortal raises Windows credential theft risks

SolyxImmortal, a Python-based information-stealing malware, is drawing attention from cyber defenders because of its ability to combine browser credential theft, document harvesting, keystroke logging and screen surveillance inside a single Windows implant.

Technical analysis shows the malware is designed to operate quietly on compromised machines, using common Python libraries, Windows features and multi-threaded execution to run several data-collection functions at the same time. Its targets include saved browser passwords, cookies, text files, PDFs, Word documents, Excel files, screenshots and keyboard input, making it a broad surveillance tool rather than a narrow credential grabber.

The malware has been observed as a Windows-focused Python file known as Lethalcompany.py, with a size of just over 10 KB and a first-seen date in January 2026. Its compact size contrasts with the range of functions built into its code. Once launched, it establishes persistence, stages stolen data in temporary folders, compresses the material and sends it to attacker-controlled channels through Discord webhooks.

SolyxImmortal does not appear to rely on administrator privileges, zero-day exploits or self-spreading functions. That design is significant because it lowers the barrier for attackers and increases risk to individual users, small businesses and lightly monitored enterprise endpoints. The malware copies itself into a folder under the user’s AppData path and creates a registry Run key so that it restarts when the user logs back into Windows.
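A defender-side triage of the persistence pattern just described, added here as an example rather than taken from the article or from the malware: it flags Run-key entries that both launch from AppData and invoke a Python interpreter or .py script. The registry read only runs on Windows; the sample entries, the user name and the folder names are constructed placeholders.

```python
import re
import sys

APPDATA_RE = re.compile(r"\\AppData\\", re.IGNORECASE)
PY_RE = re.compile(r"\bpythonw?(\d+(\.\d+)?)?\.exe\b|\.pyw?\b", re.IGNORECASE)

def classify_run_entry(command):
    """List the reasons an autorun command matches the article's persistence pattern."""
    reasons = []
    if APPDATA_RE.search(command):
        reasons.append("launches from AppData")
    if PY_RE.search(command):
        reasons.append("Python interpreter or .py script")
    return reasons

def is_suspicious(command):
    # Require both: OneDrive legitimately runs from AppData, and a system-wide
    # Python under Program Files is not the user-writable-path pattern described.
    return len(classify_run_entry(command)) == 2

def triage(entries):
    """Return the names of Run-key entries worth a closer look."""
    return [name for name, cmd in entries.items() if is_suspicious(cmd)]

def read_hkcu_run():
    """Enumerate HKCU\\...\\CurrentVersion\\Run on Windows; returns {} elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    entries = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            name, value, _ = winreg.EnumValue(key, i)
            entries[name] = str(value)
    return entries

SAMPLE_ENTRIES = {  # constructed; the user name and folder names are placeholders
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "BuildAgent": r"C:\Program Files\Python312\python.exe C:\Tools\agent.py",
    "WinUpdate": r'C:\Users\alice\AppData\Local\Programs\Python\Python312\pythonw.exe "C:\Users\alice\AppData\Roaming\svc\Lethalcompany.py"',
}

if __name__ == "__main__":
    live = read_hkcu_run()
    for name in triage(live or SAMPLE_ENTRIES):
        print(name, "->", ", ".join(classify_run_entry((live or SAMPLE_ENTRIES)[name])))
```

On a non-Windows host the script falls back to the constructed sample entries so the logic can be exercised offline.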

Its browser-theft module focuses on Chromium-based browsers such as Chrome, Edge and Brave. The malware looks for browser profile paths, extracts the master encryption key from the Local State file and uses Windows cryptographic functions to decrypt stored login entries. Credentials are then gathered in readable form before being prepared for exfiltration.

The malware also targets Firefox cookies by copying the browser’s cookies database where available. Session cookies have become a prized asset for cybercriminals because they can, in some circumstances, help attackers bypass normal login checks and multi-factor authentication. That makes cookie theft particularly dangerous for email, cloud services, banking portals and workplace collaboration tools.

Document harvesting is another part of SolyxImmortal’s value to attackers. The malware walks through the user’s home directory while excluding some system-heavy paths such as AppData, Windows, Program Files and temporary folders. It looks for files including .txt, .pdf, .docx and .xlsx formats, with file-size filters intended to collect usable documents while avoiding large or irrelevant material.

The surveillance functions deepen the risk. A keylogger records typed input and sends captured keystrokes at fixed intervals. Screen capture is triggered both by timing and by active-window keywords linked to logins, Gmail and banking activity. The presence of Turkish words in messages and keyword logic suggests a Turkish-language element in the malware’s development or operational use, although such code can be reused, modified or redistributed by other actors.

The use of Discord webhooks reflects a wider pattern in commodity cybercrime. Instead of maintaining dedicated command-and-control infrastructure, attackers abuse legitimate web services that are widely allowed across networks. This can reduce suspicion in traffic logs and complicate blocking decisions for organisations that use popular collaboration platforms.

The threat fits a broader shift towards identity-led cyberattacks. Infostealers have become a key source of passwords, session cookies and other authentication artefacts traded in underground markets. Such data can feed account takeover, fraud, corporate espionage and ransomware activity. Even when a malware infection is removed, stolen cookies, saved passwords and exposed documents can continue to create risk unless accounts are reset and active sessions are revoked.

For companies, SolyxImmortal underlines the weakness of relying only on password resets after a suspected stealer infection. Remediation must include browser session invalidation, token revocation, endpoint isolation, forensic review, password manager audits and checks for unauthorised mailbox or cloud-account rules. Security teams also need visibility into outbound traffic to webhooks and file-sharing services, especially where compressed archives are being sent from user endpoints.
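The outbound visibility called for here, and the webhook abuse described two paragraphs earlier, as an added detection example that is not part of the article: it scans proxy log lines for POSTs to Discord webhook URLs and reports large or multipart uploads and regular-interval posting from the same host. The log layout, the thresholds and the sample lines are constructed assumptions; ID and TOKEN in the URLs are placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed proxy log layout: ts src method url status bytes_out content_type user_agent
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "
    r"(?P<bytes_out>\d+) (?P<ctype>\S+) (?P<ua>.+)$")
WEBHOOK_RE = re.compile(r"^https://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/", re.I)
BIG_UPLOAD = 100_000  # bytes; assumed threshold for a compressed archive of documents and cookies
BEACON_MIN = 3        # repeated posts from one host, matching the keylogger's fixed-interval sends

def parse(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec

def find_webhook_exfil(lines):
    """Return {src_ip: [findings]} for hosts POSTing to Discord webhooks; lines must be in time order."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and WEBHOOK_RE.match(rec["url"]):
            per_src[rec["src"]].append(rec)
    findings = {}
    for src, recs in per_src.items():
        notes = []
        big = [r for r in recs if r["bytes_out"] >= BIG_UPLOAD or r["ctype"].startswith("multipart/")]
        if big:
            notes.append(f"{len(big)} large or multipart upload(s) to a webhook")
        if len(recs) >= BEACON_MIN:
            gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
            if max(gaps) - min(gaps) <= 5:  # near-constant interval between posts
                notes.append(f"{len(recs)} posts at ~{round(sum(gaps) / len(gaps))}s cadence")
        if notes:
            findings[src] = notes
    return findings

SAMPLE_LOG = [  # constructed sample lines; ID and TOKEN are placeholders
    "2026-01-14T09:00:00 10.0.0.5 GET https://www.example.com/ 200 0 - Mozilla/5.0",
    "2026-01-14T09:00:10 10.0.0.5 POST https://discord.com/api/webhooks/ID/TOKEN 204 482 application/json python-requests/2.31",
    "2026-01-14T09:01:10 10.0.0.5 POST https://discord.com/api/webhooks/ID/TOKEN 204 511 application/json python-requests/2.31",
    "2026-01-14T09:02:10 10.0.0.5 POST https://discord.com/api/webhooks/ID/TOKEN 204 1843211 multipart/form-data python-requests/2.31",
    "2026-01-14T09:02:30 10.0.0.7 POST https://discord.com/api/webhooks/ID/TOKEN 204 210 application/json Mozilla/5.0",
]
```

Running `find_webhook_exfil(SAMPLE_LOG)` reports only 10.0.0.5; the single small post from 10.0.0.7 is the kind of legitimate integration traffic a blanket block would also hit.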

Users face practical exposure because the malware can harvest data from ordinary browsing and document storage habits. Saving passwords in browsers, reusing credentials, downloading unverified files and running unknown scripts all increase the impact of an infection. Passkeys, hardware-backed authentication, endpoint protection, application control and regular browser updates can reduce the attack surface, but they do not remove the need for careful handling of downloads and attachments.

SolyxImmortal’s importance lies less in technical novelty than in operational efficiency. It shows how a small Python implant can assemble readily available libraries into a persistent surveillance tool capable of stealing credentials, monitoring activity and exporting selected files without sophisticated infrastructure. That combination makes it useful to lower-tier cybercriminals while still posing a serious risk to individuals and organisations that lack layered endpoint monitoring.


Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.
