CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 02, 2026

SolyxImmortal Python Malware Steals Browser Passwords, Cookies, Files, and Keystrokes

Cybersecurity News Archived Jun 02, 2026 ✓ Full text saved

A new Python-based malware called SolyxImmortal has been found quietly stealing browser passwords, cookies, sensitive files, and keystrokes from infected Windows systems. The malware uses well-known Python libraries and multi-threading to carry out its operations simultaneously, making it harder to detect while it runs in the background. What makes SolyxImmortal stand out is its apparent […] The post SolyxImmortal Python Malware Steals Browser Passwords, Cookies, Files, and Keystrokes appeared f

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News SolyxImmortal Python Malware Steals Browser Passwords, Cookies, Files, and Keystrokes By Tushar Subhra Dutta June 2, 2026 A new Python-based malware called SolyxImmortal has been found quietly stealing browser passwords, cookies, sensitive files, and keystrokes from infected Windows systems. The malware uses well-known Python libraries and multi-threading to carry out its operations simultaneously, making it harder to detect while it runs in the background. What makes SolyxImmortal stand out is its apparent focus on Turkish-speaking users. The malware contains several Turkish keywords baked into its code, including words tied to banking sites, Gmail logins, and sign-in pages. These keywords trigger targeted screenshot capture whenever the active window title matches one of them, suggesting the author had a very specific audience in mind. Researchers at Pulsedive said in a report shared with Cyber Security News (CSN) that the malware leverages Discord webhooks as its data exfiltration channel. Once it collects stolen information, the malware packages and sends everything directly to an attacker-controlled Discord channel, tagging a predefined user ID when the data arrives. The malware first surfaced in public threat databases, with its sample available on Malware Bazaar. While the analyzed sample did not include active webhook URLs, earlier public reporting from Cyfirma revealed that the live version pointed to real Discord endpoints. Discord Webhooks (Source – Pulsedive) The file itself is a small Python script, just over 10,000 bytes, yet it is capable of causing significant harm to anyone it infects. Once on a system, SolyxImmortal wastes no time establishing its presence. It copies itself into the APPDATA folder, disguises itself as a Windows graphics driver file, and sets a registry key to run every time the user logs in. This approach guarantees the malware stays active across reboots without any further action from the attacker. SolyxImmortal Python Malware The malware targets a wide range of data from the moment it runs. It pulls saved passwords from Chromium-based browsers such as Chrome, Edge, Brave, and OperaGX by reading their local databases and decrypting stored credentials using AES decryption. All stolen credentials are saved in a file called sifreler.txt, which means “passwords” in Turkish. Beyond passwords, the malware also grabs Firefox cookies by copying the browser’s cookie database directly to a staging folder. It then walks the user’s home directory looking for documents in .txt, .pdf, .docx, and .xlsx formats. Files between 100 bytes and 10 MB are copied and bundled into a zip archive named Solyx_Final_Data.zip before being uploaded to Discord. The keylogger runs in a separate thread and records every keystroke the user makes. Every 60 seconds, the collected keystrokes are packaged as a JSON blob and sent to the attacker. The screen capture function works in two modes: routine screenshots every two minutes, and immediate screenshots triggered when a sensitive keyword appears in the title of the active window. How SolyxImmortal Stays Hidden and Sends Data Out The malware uses several tricks to avoid detection. It saves itself as win_gfx_driver.exe and sets its file attributes to hidden and system, making it invisible during standard file browsing. The registry key it creates, named WindowsGfxDriver, sounds like a legitimate Windows component and may easily be overlooked during a routine system check. Example of data keystrokes exfiltrated as JSON blobs to Discord (Source – Pulsedive) Data leaves the infected machine through Discord’s own web API using Python’s requests library, blending malicious traffic with normal web activity. Using a popular platform like Discord as a command channel is a growing trend in malware because it is rarely blocked by firewalls and looks like regular user traffic. Security teams and organizations can take practical steps to lower their risk. Deploying endpoint detection and response tools helps flag unusual process behavior that may signal an infection. Restricting Python execution to users who genuinely need it reduces the attack surface. Training users to spot phishing emails and suspicious attachments remains one of the most reliable defenses against malware that depends on user interaction to gain its initial foothold. Indicators of Compromise (IoCs):- Type Indicator Description SHA256 5a1b440861ef652cc207158e7e129f0b3a22ed5ef5d2ea5968e1d9eff33017bc SolyxImmortal Python malware sample hash SHA1 81c66c043982cfee9e60ae94203f4336da0b50c0 SolyxImmortal Python malware sample hash MD5 2690f7c685784fff006fe451fa3b154c SolyxImmortal Python malware sample hash ssdeep 192:A2maqyDhNc90rNsS21W3g/+/X/WqWUC6Dh:A2dV1NcQUZa Fuzzy hash for SolyxImmortal sample File Name win_gfx_driver.exe Malware persistence copy in APPDATA folder File Name sifreler.txt Stolen browser credentials staging file (Turkish for “passwords”) File Name Solyx_Pack_Final Staging folder in TEMP directory File Name Solyx_Final_Data.zip Compressed archive of stolen data for exfiltration File Name alert.png Screenshot saved when a critical keyword window is detected Registry Key HKCU\Software\Microsoft\Windows\CurrentVersion\Run Persistence registry key value: WindowsGfxDriver File Path %APPDATA%\WindowsGraphics\win_gfx_driver.exe Full path of the malware’s persistence copy Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News New Linux CIFSwitch Kernel Vulnerability Allows Attackers to Gain Root Access New Zapocalypse Attack Chain Enables Full Zapier Account Takeover New PureLogs Variant Uses MsBuild.exe Process Hollowing to Evade Detection How Tier 1 Can Process Alerts 3x Faster with Threat Intelligence Google Employee Charged for Making $1.2 Million With Confidential Information Latest News Cyber Security News TP-Link Router Vulnerability Allows Attackers to Execute Arbitrary System Commands Cyber Security News Claude Code’s GitHub Actions Vulnerability Lets Attackers Compromise Any Repository Cyber Security News Hackers Deploy AZUREVEIL Adaptix C2 Agent via Spearphishing Campaign API Web App and API Attacks are Rising: Are You Blind to AI Web Attacks? Join Free WAAP Security Webinar  Cyber Security News PHANTOMPULSE RAT Uses Process Injection and UAC Bypass to Compromise Windows Systems
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    Jun 02, 2026
    Archived
    Jun 02, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗