New ‘SolyxImmortal’ Info Stealer Exploits Discord for Stealthy Data Exfiltration

What happened

A new information-stealing malware strain called SolyxImmortal has been identified by researchers at Cyfirma. This Python-based threat runs on Windows systems and quietly harvests sensitive data, including credentials from Chrome and other Chromium browsers, user documents, keystrokes, and screenshots, before exfiltrating it through hardcoded Discord webhooks to evade detection. It persists by copying itself into the user’s AppData folder and registering to run at logon.

Who is affected

Any organization with Windows endpoints and users who access sensitive systems or data could be at risk. While no specific sector has been publicly singled out yet, mid-tier threat actors are already marketing SolyxImmortal on underground channels, increasing the chance of opportunistic infections.

Why CISOs should care

Unlike many malware strains that rely on exotic exploits or command-and-control infrastructure, SolyxImmortal:

  • Leverages legitimate APIs and trusted services like Discord to blend in with normal HTTPS traffic, making it harder to detect with traditional security tools.
  • Performs comprehensive surveillance, from keylogging and document collection to triggered and routine screenshots, that can expose corporate credentials and confidential information.
  • Represents a broader trend where commodity malware increasingly adopts stealthy, persistent behaviors with minimal infrastructure, posing a significant confidentiality risk. 

When tagging intel sources for this threat, reference Ionut Arghire and the analysts at Cyfirma.

3 Practical Actions CISOs Should Take

  1. Monitor and restrict unusual webhook activity: Inspect outbound traffic to Discord domains and webhook URLs, and block unauthorized webhook use where possible.
  2. Enhance endpoint monitoring: Deploy behavioral analytics capable of detecting persistent background processes, keylogging, and unusual API usage even if traffic appears legitimate.
  3. Reinforce credential protection: Enforce multifactor authentication, password rotation, and secure storage policies to mitigate the impact if credentials are harvested.
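As an added example (not code from the article or from Cyfirma's report), the following Python script implements the detection ideas behind actions 1 and 2 against constructed sample data: it triages proxy log lines for POSTs to Discord webhook endpoints, aggregating bytes out per source and webhook id without copying the secret token into the alert, and it applies a heuristic to Run-key autorun values that launch a Python script or interpreter from a user's AppData folder. The log line format, the host list, the sample IPs, webhook ids and autorun entries are all assumptions constructed for this example, not indicators from the report.

```python
"""Detection heuristics for Discord-webhook exfiltration and AppData autoruns.

All sample data below is constructed for illustration; it is not telemetry
from any real incident.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts that serve Discord's HTTP API (discordapp.com is the legacy alias).
DISCORD_HOSTS = {"discord.com", "discordapp.com", "www.discord.com"}

# Webhook endpoints have the form /api[/vN]/webhooks/<id>/<token>.
# Only the numeric id is captured; the token is a credential and must not
# be copied into alerts or tickets.
WEBHOOK_PATH = re.compile(r"^/api/(?:v\d+/)?webhooks/(\d+)/[A-Za-z0-9_-]+")

# Constructed proxy log: timestamp source method url status bytes_out
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 GET https://discord.com/api/v9/users/@me 200 120
2024-05-01T10:00:07Z 10.0.0.5 POST https://discord.com/api/webhooks/123456789012345678/AbCdEf-ghIJkl_mnop 204 48213
2024-05-01T10:00:09Z 10.0.0.5 POST https://discord.com/api/webhooks/123456789012345678/AbCdEf-ghIJkl_mnop 204 51902
2024-05-01T10:01:00Z 10.0.0.9 GET https://example.com/index.html 200 3410
2024-05-01T10:02:15Z 10.0.0.7 POST https://discordapp.com/api/webhooks/987654321098765432/zzTOKENzz 204 1024
"""


def parse_line(line):
    """Split one constructed log line into a record (assumed field order)."""
    ts, src, method, url, status, nbytes = line.split()
    return {"ts": ts, "src": src, "method": method, "url": url,
            "status": int(status), "bytes": int(nbytes)}


def webhook_id(url):
    """Return the Discord webhook id if the URL targets a webhook, else None."""
    parts = urlsplit(url)
    if parts.hostname not in DISCORD_HOSTS:
        return None
    m = WEBHOOK_PATH.match(parts.path)
    return m.group(1) if m else None


def find_webhook_exfil(log_text, min_bytes=0):
    """Aggregate POSTs to webhooks per (source, webhook id).

    Ordinary Discord client traffic (GETs, non-webhook paths) is left alone,
    so this flags webhook abuse without blocking the whole service.
    """
    agg = defaultdict(lambda: {"posts": 0, "bytes_out": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] != "POST":
            continue
        wid = webhook_id(rec["url"])
        if wid is None:
            continue
        a = agg[(rec["src"], wid)]
        a["posts"] += 1
        a["bytes_out"] += rec["bytes"]
        a["first"] = a["first"] or rec["ts"]
        a["last"] = rec["ts"]
    alerts = [{"src": src, "webhook_id": wid, **a}
              for (src, wid), a in agg.items() if a["bytes_out"] >= min_bytes]
    return sorted(alerts, key=lambda x: x["bytes_out"], reverse=True)


# Heuristic for logon persistence: a Run-key value that executes a Python
# interpreter or .py/.pyw script located under the user's AppData folder.
# Legitimate per-user Python installs can trip this, so treat it as triage input.
APPDATA_RE = re.compile(r"\\AppData\\(?:Roaming|Local)\\", re.IGNORECASE)
PYTHON_RE = re.compile(r"pythonw?(?:\d+(?:\.\d+)?)?\.exe|\.pyw?\b", re.IGNORECASE)

# Constructed Run-key values (name -> command line); hypothetical, not real IoCs.
SAMPLE_AUTORUN = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "WindowsUpdateHelper": r'"C:\Users\alice\AppData\Roaming\pythonw.exe" "C:\Users\alice\AppData\Roaming\helper.pyw"',
    "Teams": r'"C:\Program Files\Teams\Teams.exe"',
}


def suspicious_autorun(command):
    """True if the command runs Python, or a Python script, from AppData."""
    return bool(APPDATA_RE.search(command)) and bool(PYTHON_RE.search(command))


def triage_autoruns(entries):
    """Return the names of autorun entries matching the AppData/Python heuristic."""
    return sorted(name for name, cmd in entries.items() if suspicious_autorun(cmd))


if __name__ == "__main__":
    for a in find_webhook_exfil(SAMPLE_LOG, min_bytes=10_000):
        print(f"{a['src']} -> webhook {a['webhook_id']}: "
              f"{a['posts']} POSTs, {a['bytes_out']} bytes out ({a['first']}..{a['last']})")
    print("suspicious autoruns:", triage_autoruns(SAMPLE_AUTORUN))
```

The `min_bytes` threshold lets you separate a single chat-bot notification from repeated large uploads; in the sample, only the 10.0.0.5 host crosses a 10 KB threshold. Reporting the webhook id rather than the full URL keeps the token out of ticketing systems while still giving responders something to pivot on.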