A recent Pulsedive analysis of SolyxImmortal is a useful reminder that many modern credential-theft campaigns do not need exotic tradecraft to be dangerous. This malware is a Python-based information stealer that combines persistence, browser credential theft, document collection, screenshot capture, keylogging, and webhook-based exfiltration into one compact workflow.
For small businesses and government contractors, the important lesson is not just “watch for this one malware family.” The bigger issue is that scripting languages, browser password stores, cloud chat services, and weak endpoint controls can give attackers a fast path from one user mistake to usable credentials and sensitive files.
What was reported
Pulsedive analyzed a SolyxImmortal sample that establishes user-level persistence by copying itself into the user profile and adding a Windows Run key. After startup, it stages collected data in a temporary folder, pulls credentials from Chromium-based browser databases, copies Firefox cookie data when available, and searches the user’s home directory for files such as PDFs, Word documents, spreadsheets, and text files.
The malware also runs keylogging and screenshot routines. Screenshots can be taken on a timer or triggered when active window titles match sensitive keywords associated with email, banking, or account access. Public reporting referenced by Pulsedive indicates that exfiltration is handled through Discord webhooks, letting stolen data move through infrastructure that may appear normal in many environments.
Why this matters
SolyxImmortal is not a headline-grabbing zero-day. That is exactly why defenders should pay attention. It shows how commodity-style malware can still create serious business impact by chaining together basic but effective capabilities:
- Browser-stored credentials become a primary target. If users store business passwords in unmanaged browsers, malware on the endpoint can attempt to recover them.
- Documents are treated as loot. Contract files, invoices, proposals, customer records, and internal notes can be swept up automatically.
- Keylogging defeats “good password hygiene.” Even strong passwords can be captured when typed into a compromised endpoint.
- Webhook exfiltration blends into normal traffic. Chat and collaboration platforms are commonly allowed outbound, so defenders need visibility beyond simple domain allowlists.
Defensive takeaways for SMBs and contractors
1. Treat Python and scripting runtimes as controlled software
If most users do not need Python, PowerShell scripts, or unsigned interpreters for daily work, restrict execution through application control, endpoint policy, or least-privilege software management. Developer and admin workstations can have exceptions, but those exceptions should be intentional and monitored.
2. Move credentials out of unmanaged browser storage
Use a managed password manager, enforce MFA, and disable browser password saving where practical. Browser storage is convenient, but it is also a predictable target for infostealers.
3. Monitor persistence locations
Alert on suspicious additions to HKCU\Software\Microsoft\Windows\CurrentVersion\Run, unexpected executables under user profile paths, and new hidden folders in roaming application data. User-level persistence is common because it avoids needing administrator rights.
4. Watch for unusual outbound webhook behavior
Discord, Slack, Teams, Telegram, and similar services may be legitimate in some organizations, but endpoint-to-webhook file uploads should be reviewed. Network controls should distinguish normal collaboration usage from scripts or unknown binaries posting archives to webhook endpoints.
5. Reduce the blast radius of a single workstation compromise
Use least privilege, conditional access, device compliance checks, and rapid credential revocation procedures. If one endpoint is infected, the goal is to prevent stolen credentials from becoming VPN access, cloud console access, or privileged lateral movement.
Bulwark Black assessment
SolyxImmortal sits in the practical middle of the threat landscape: not sophisticated enough to require nation-state resources, but capable enough to create real incident response pain. Its value to attackers comes from collecting the exact data most organizations struggle to protect at the endpoint layer: saved passwords, cookies, sensitive files, screenshots, and typed secrets.
For defenders, the right response is layered: endpoint detection, scripting restrictions, managed credentials, outbound traffic review, and user training around unsolicited downloads. None of those controls are perfect alone. Together, they make this kind of infostealer much harder to run quietly.
Original source: Pulsedive Threat Research — SolyxImmortal: Analysis of a Python-based Information Stealer
