Python-Based SolyxImmortal Turns Discord into a Covert Data Channel
SolyxImmortal is a notable new information-stealing malware family that targets Windows systems.
This Python-based malware is built for long-term monitoring rather than destructive activity, combining several data-theft capabilities into a single persistent implant.
It quietly gathers credentials, documents, keystrokes, and screenshots and transmits the stolen data directly to the attackers through Discord webhooks.
Its appearance in January 2026 marks a shift toward more covert tradecraft that prioritizes ongoing surveillance over quick exploitation.
The malware is delivered to target systems disguised as a legitimate-looking Python script named “Lethalcompany.py.”
As soon as it is executed, SolyxImmortal starts background surveillance threads and establishes persistence through several mechanisms.
The malware concentrates on collecting data from the single compromised device; it neither self-propagates nor moves laterally.
This narrow focus lets attackers maintain long-term visibility into user activity without drawing attention.
According to Cyfirma analysts, SolyxImmortal is a well-engineered threat that abuses a trusted platform and legitimate Windows APIs for its command-and-control communication.
The malware’s architecture reflects operational maturity, prioritizing stealth and reliability over complexity.
By using Discord webhooks for data delivery, the attackers take advantage of the platform’s reputation and HTTPS encryption to evade network-based detection: to a network sensor the exfiltration looks like ordinary TLS traffic to discord.com.
The technique shows how threat actors increasingly hide malicious activity behind trusted services.
The malware establishes persistence by copying itself to a hidden location inside the user’s AppData directory under a name that resembles a genuine Windows component.
It then registers that copy in the per-user Windows registry Run key, which requires no administrator rights, so the implant executes automatically at every user login.
This is what keeps the implant running across reboots.
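The persistence described above (a script under AppData, named like a Windows binary, launched from the per-user Run key) is cheap to hunt for. The following is an added example, not code from the report or from the malware: it enumerates HKCU\Software\Microsoft\Windows\CurrentVersion\Run on Windows via the standard winreg module, or takes a dictionary of value names and command lines from elsewhere, and flags entries that launch a Python interpreter, reference a script under AppData, or borrow a Windows component name outside C:\Windows. The sample entries, value names and paths are constructed for illustration and are not indicators from the original report.

```python
import ntpath
import re

# Constructed sample of what a Run-key enumeration (or a .reg export) yields.
# Value names and paths are hypothetical, not indicators from the report.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "WindowsUpdateHelper": r'"C:\Users\alice\AppData\Local\Python312\pythonw.exe" '
                           r'"C:\Users\alice\AppData\Roaming\Microsoft\Windows\svchost.py"',
    "SecurityHealth": r'C:\Windows\System32\SecurityHealthSystray.exe',
    "Discord": r'C:\Users\alice\AppData\Local\Discord\Update.exe --processStart Discord.exe',
}

INTERPRETERS = {"python.exe", "pythonw.exe", "py.exe", "pyw.exe"}
# Names an implant might borrow to pass as a Windows component.
WINDOWS_NAMES = {"svchost", "csrss", "lsass", "winlogon", "explorer", "dwm",
                 "runtimebroker", "taskhostw", "sihost", "ctfmon"}

_TOKEN_RE = re.compile(r'"([^"]+)"|(\S+)')


def split_command(cmd):
    """Split a Run-key command line into tokens, honouring double-quoted paths."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmd)]


def is_under_appdata(path):
    return "\\appdata\\" in path.lower()


def triage_run_entry(name, cmd):
    """Return the reasons (possibly none) an autorun entry looks like a user-mode Python implant."""
    tokens = split_command(cmd)
    if not tokens:
        return []
    reasons = []
    exe = ntpath.basename(tokens[0]).lower()
    if exe in INTERPRETERS:
        reasons.append("launches a Python interpreter")
        for arg in tokens[1:]:
            if not arg.lower().endswith((".py", ".pyw")):
                continue
            if is_under_appdata(arg):
                reasons.append(f"script lives under AppData: {arg}")
            stem = ntpath.splitext(ntpath.basename(arg))[0].lower()
            if stem in WINDOWS_NAMES:
                reasons.append(f"script named after a Windows component: {ntpath.basename(arg)}")
    # A Windows-looking executable name running from outside C:\Windows.
    if ntpath.splitext(exe)[0] in WINDOWS_NAMES and not tokens[0].lower().startswith("c:\\windows\\"):
        reasons.append(f"{exe} executed from outside C:\\Windows")
    return reasons


def triage_run_entries(entries):
    """Map value name -> reasons, keeping only entries that raised at least one reason."""
    return {name: r for name, cmd in entries.items() if (r := triage_run_entry(name, cmd))}


def read_hkcu_run():
    """On Windows, enumerate the per-user Run key (writable without admin rights)."""
    import winreg  # Windows-only module; imported lazily so the rest runs anywhere
    path = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                return entries
            entries[name] = value
            i += 1


if __name__ == "__main__":
    for name, reasons in triage_run_entries(SAMPLE_RUN_ENTRIES).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

On a live host, replace SAMPLE_RUN_ENTRIES with read_hkcu_run(); the same triage also applies to HKCU\...\RunOnce and to the per-user Startup folder, which the example does not cover.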
SolyxImmortal targets several Chromium-based browsers, including Chrome, Edge, Brave, and Opera GX, by reading their profile directories. It uses the Windows Data Protection API (DPAPI) to unwrap each browser’s master encryption key, which Chromium stores DPAPI-protected in the profile’s Local State file, and then uses that key to decrypt the AES-GCM-encrypted passwords saved in the Login Data database.
The recovered credentials are staged in plaintext before exfiltration, with no local protection of the stolen data.
To limit network overhead, the malware also searches the user’s home directory for files with specific extensions, such as .pdf, .docx, and .xlsx, and filters the results by file size.
All stolen artifacts are then bundled into a ZIP archive and posted to attacker-controlled Discord webhooks, which completes the data theft cycle.
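Although the HTTPS transport hides the payload from a network sensor, the webhook URL itself is distinctive (a snowflake ID followed by a long token under /api/webhooks/), and an archive upload from a script host is not how Discord is normally used. The following is an added example, not part of the report and not Cyfirma's detection logic: it scores request records that carry process name, URL, size and content type (as a TLS-inspecting proxy or endpoint telemetry would provide) and also counts repeated posts from one host to one webhook, which is the beacon-like pattern of periodic collection. The log format, hostnames, webhook ID and token are constructed for the example.

```python
import re
from collections import Counter

# Discord webhook URL: snowflake id, then a long random token.
WEBHOOK_RE = re.compile(
    r"https?://(?:[\w-]+\.)*discord(?:app)?\.com/api/(?:v\d+/)?webhooks/(\d{17,20})/([\w-]{60,})",
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "py.exe", "pyw.exe",
                "powershell.exe", "wscript.exe", "cscript.exe"}
EXPECTED_CLIENTS = {"discord.exe", "chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "firefox.exe"}

FAKE_TOKEN = "x" * 68   # constructed; real tokens are random strings of similar length

# Constructed request records (space-separated: time user process method url status bytes content-type).
SAMPLE_LOG = f"""
2026-01-14T09:12:03Z alice discord.exe GET https://discord.com/api/v9/users/@me 200 1820 application/json
2026-01-14T09:15:41Z alice pythonw.exe POST https://discord.com/api/webhooks/123456789012345678/{FAKE_TOKEN} 204 48213 multipart/form-data
2026-01-14T09:30:44Z alice pythonw.exe POST https://discord.com/api/webhooks/123456789012345678/{FAKE_TOKEN} 204 51330 multipart/form-data
2026-01-14T09:31:02Z bob chrome.exe POST https://discord.com/api/webhooks/987654321098765432/{FAKE_TOKEN} 200 412 application/json
2026-01-14T09:45:50Z alice pythonw.exe POST https://discord.com/api/webhooks/123456789012345678/{FAKE_TOKEN} 204 47990 multipart/form-data
""".strip()


def parse_line(line):
    ts, user, proc, method, url, status, nbytes, ctype = line.split()
    return {"ts": ts, "user": user, "proc": proc.lower(), "method": method.upper(),
            "url": url, "status": int(status), "bytes": int(nbytes), "ctype": ctype}


def score_event(ev):
    """Return (score, reasons) for one request; (0, []) unless it is a POST to a webhook."""
    m = WEBHOOK_RE.search(ev["url"])
    if not m or ev["method"] != "POST":
        return 0, []
    score, reasons = 1, [f"POST to Discord webhook id {m.group(1)}"]
    if ev["proc"] in SCRIPT_HOSTS:
        score += 3
        reasons.append(f"sent by script host {ev['proc']}")
    elif ev["proc"] not in EXPECTED_CLIENTS:
        score += 2
        reasons.append(f"sent by unexpected process {ev['proc']}")
    if ev["ctype"].startswith("multipart/"):
        score += 1
        reasons.append("multipart upload (file attachment, e.g. a ZIP archive)")
    if ev["bytes"] >= 10_000:
        score += 1
        reasons.append(f"{ev['bytes']} bytes uploaded")
    return score, reasons


def analyse(log_text, threshold=4, repeat_min=3):
    """Return (alerts above threshold, (user, process, webhook id) tuples posting repeatedly)."""
    alerts, per_hook = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        score, reasons = score_event(ev)
        if not score:
            continue
        per_hook[(ev["user"], ev["proc"], WEBHOOK_RE.search(ev["url"]).group(1))] += 1
        if score >= threshold:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "proc": ev["proc"],
                           "score": score, "reasons": reasons})
    repeats = {k: n for k, n in per_hook.items() if n >= repeat_min}
    return alerts, repeats


if __name__ == "__main__":
    alerts, repeats = analyse(SAMPLE_LOG)
    for a in alerts:
        print(a["ts"], a["user"], a["proc"], a["score"], "; ".join(a["reasons"]))
    for (user, proc, hook), n in repeats.items():
        print(f"{user}/{proc} posted {n} times to webhook {hook}")
```

Without TLS inspection the URL path is not visible, and DNS or NetFlow shows only discord.com; in that case the same logic has to run on endpoint telemetry (process plus destination plus bytes out), where a pythonw.exe launched from AppData talking to discord.com on a schedule is the signal. If the webhook URL is recovered from the sample or the logs, the hook can also be revoked at the platform side, which cuts the channel without touching the host.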
