SolyxImmortal is a Python-based Windows information-stealer that persistently collects browser credentials, documents, keystrokes, and screenshots and exfiltrates them via hardcoded Discord webhooks. The sample Lethalcompany.py establishes registry Run-key persistence and stages and compresses artifacts before upload, a design aimed at stealthy long-term surveillance rather than propagation. #SolyxImmortal #Discord
Keypoints
- Monolithic Python implant (Lethalcompany.py) runs silently in user context and launches concurrent threads for continuous data collection.
- Persistence is achieved by copying the executable to an AppData subdirectory, hiding the file, and registering a user-level Run registry key.
- Harvests credentials from Chromium-based browsers by extracting the Local State master key and decrypting saved logins using Windows DPAPI and AES-GCM.
- Collects documents (DOC, TXT, PDF, Excel), keystrokes (batched), and screenshots (periodic and event-triggered by sensitive window titles) and stages data in TEMP for compression.
- Exfiltrates data over HTTPS to hardcoded Discord webhooks (separate webhooks for structured data and screenshots) and cleans up temporary artifacts after successful uploads.
- Distributed via an underground Telegram channel and likely associated with a Turkish-speaking low-to-mid sophistication actor, prioritizing opportunistic surveillance over APT-style operations.
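The Run-key persistence described above (payload copied into an AppData subdirectory, file hidden, user-level Run value) leaves host artifacts that can be triaged without any privileged access. The following is an added example, not code from the report or from the malware: a Python script that scores HKCU Run entries with a simple heuristic (AppData launch path, Python interpreter or .py/.pyw script, Hidden attribute on a referenced file). The scoring thresholds, regexes and the sample Run values are assumptions constructed for illustration; on Windows the script reads the real Run key via winreg, elsewhere it falls back to the constructed sample.

```python
"""Triage HKCU Run-key autorun values for the persistence pattern in the report.

Heuristic (an assumption of this example, not a published rule):
  +1  command launches from an AppData subdirectory
  +1  command invokes a Python interpreter or a .py/.pyw script
  +1  a file referenced by the command carries the Hidden attribute
Two or more points is treated as suspicious; one point alone (e.g. Discord's
own updater living in AppData\\Local) is not, which keeps false positives down.
"""
import re
import sys
from dataclasses import dataclass, field

APPDATA_RE = re.compile(r"%appdata%|%localappdata%|\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
PYTHON_RE = re.compile(r"\bpythonw?(?:\.exe)?\b|\.pyw?\b", re.IGNORECASE)
# Quoted paths, or unquoted tokens containing a backslash, inside a Run value.
PATH_RE = re.compile(r'"([^"]+)"|(\S+\\\S+)')

# Constructed sample Run values (not real IoCs): a benign vendor entry, a benign
# Electron app in AppData\Local, and an entry shaped like the report's implant.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("Discord", r"C:\Users\alice\AppData\Local\Discord\Update.exe --processStart Discord.exe"),
    ("WindowsUpdateSvc",
     r'"C:\Users\alice\AppData\Roaming\Python\pythonw.exe" "C:\Users\alice\AppData\Roaming\SysHelper\update.pyw"'),
]

# Stand-in for the Hidden-attribute check when running against the sample data.
FAKE_HIDDEN = lambda path: path.lower().endswith("update.pyw")


@dataclass
class Finding:
    name: str
    command: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return len(self.reasons) >= 2


def referenced_paths(command: str) -> list:
    """Return every path-like token in a Run value (quoted or backslash-containing)."""
    return [quoted or bare for quoted, bare in PATH_RE.findall(command)]


def file_is_hidden(path: str) -> bool:
    """Windows-only: query the Hidden attribute via GetFileAttributesW."""
    if sys.platform != "win32":
        return False
    import ctypes
    attrs = ctypes.windll.kernel32.GetFileAttributesW(path)
    return attrs != 0xFFFFFFFF and bool(attrs & 0x2)  # FILE_ATTRIBUTE_HIDDEN


def triage_run_entry(name: str, command: str, hidden_checker=file_is_hidden) -> Finding:
    """Score one Run value; hidden_checker is injectable so the logic runs offline."""
    reasons = []
    if APPDATA_RE.search(command):
        reasons.append("launches from an AppData subdirectory")
    if PYTHON_RE.search(command):
        reasons.append("invokes a Python interpreter or .py/.pyw script")
    if any(hidden_checker(p) for p in referenced_paths(command)):
        reasons.append("referenced file has the Hidden attribute")
    return Finding(name, command, reasons)


def triage_all(entries, hidden_checker=file_is_hidden) -> list:
    return [triage_run_entry(n, c, hidden_checker) for n, c in entries]


def read_hkcu_run() -> list:
    """Enumerate HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (Windows only)."""
    import winreg
    entries, i = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            entries.append((name, str(value)))
            i += 1
    return entries


if __name__ == "__main__":
    live = sys.platform == "win32"
    findings = triage_all(read_hkcu_run()) if live else triage_all(SAMPLE_ENTRIES, FAKE_HIDDEN)
    for f in findings:
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"[{flag}] {f.name}: {f.command}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run as-is on a Windows host it prints the current user's Run values with their reasons; the AppData criterion on its own is deliberately not enough to flag, since many legitimate per-user installers (Discord, Teams, Chrome updaters) live there.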
MITRE Techniques
- [T1059.006] Command and Scripting Interpreter: Python – Malware is implemented and executed as a Python script to run the main logic (‘The malware starts running when the script is executed directly, using a standard Python entry point to trigger its main logic.’)
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys – Persistence is established by registering the copied executable under the user Run key (‘By registering itself under the user’s Run key, the malware ensures execution upon each user logon without requiring administrative privileges.’)
- [T1555.003] Credentials from Password Stores: Browsers – Extracts browser master key and decrypts saved logins from browser databases (‘To decrypt stored credentials, the malware extracts the browser master encryption key from the Local State file.’)
- [T1552.001] Unsecured Credentials: Credentials in Files – Aggregates recovered credentials in plaintext prior to exfiltration (‘Recovered credentials are aggregated in plaintext format prior to exfiltration, indicating no local encryption or obfuscation of stolen data.’)
- [T1056.001] Input Capture: Keylogging – Implements a persistent keyboard listener that buffers keystrokes and periodically exfiltrates batched data (‘Keystroke capture is implemented using a persistent keyboard listener.’)
- [T1113] Screen Capture – Continuously captures screenshots and triggers immediate captures on sensitive window-title matches, sending images via a screenshot-specific webhook (‘When a match is detected, the malware captures a screenshot and transmits it immediately via the screenshot-specific webhook.’)
- [T1083] File and Directory Discovery – Recursively enumerates the user’s home directory to locate documents matching extension and size filters (‘The malware recursively enumerates the user’s home directory to locate documents of interest.’)
- [T1041] Exfiltration Over C2 Channel – Exfiltrates staged artifacts and screenshots via HTTPS POST requests to Discord webhook endpoints (‘All data exfiltration is performed via HTTPS POST requests to Discord webhooks.’)
- [T1102.003] Web Service: Third-Party Services – Abuses Discord (third-party web service) for command-and-control and data exfiltration (‘All observed outbound communication occurs over HTTPS (TLS 1.3) and is directed to Discord webhook endpoints.’)
- [T1027] Obfuscated/Compressed Files and Information – Compresses harvested artifacts into ZIP archives to reduce transfer size and consolidate exfiltration (‘Compression serves both operational efficiency and stealth, reducing network transfer size and consolidating exfiltration into fewer outbound requests.’)
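Because exfiltration (T1041) rides HTTPS to Discord webhook endpoints (T1102.003), the network-side signal is not the destination host, which ordinary Discord client traffic shares, but the `/api/webhooks/<id>/<token>` path, repeated POSTs and a scripted User-Agent. Seeing the path requires a TLS-inspecting proxy or endpoint URL telemetry; with plain SNI only `discord.com` is visible. The following is an added example, not code from the report: a detector run over constructed proxy-style log lines (the log format, IPs, webhook IDs and tokens are all invented for the example), aggregating webhook POSTs per source host and alerting on volume, scripted User-Agent, or use of more than one webhook, mirroring the report's observation of separate data and screenshot webhooks.

```python
"""Flag hosts POSTing to Discord webhook endpoints in URL-level proxy/EDR telemetry."""
import re
from collections import defaultdict

# Constructed log format: ts src method url status bytes "user-agent"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<ua>[^"]*)"$'
)
# Webhook URL shape: https://discord.com/api/webhooks/<numeric id>/<token>
WEBHOOK_RE = re.compile(
    r'^https://(?:[\w-]+\.)?discord(?:app)?\.com/api/webhooks/(?P<id>\d+)/(?P<token>[\w-]+)',
    re.IGNORECASE,
)
# User-Agents typical of scripts rather than the Discord desktop client or a browser.
SCRIPTED_UA_RE = re.compile(r"python-requests|python-urllib|aiohttp|curl|powershell", re.IGNORECASE)

# Constructed sample telemetry (not real IoCs). 10.0.0.23 behaves like the implant,
# 10.0.0.40 is a normal Discord client, 10.0.0.51 is a single browser-originated POST.
SAMPLE_LOG = """\
2024-05-02T10:14:03Z 10.0.0.23 POST https://discord.com/api/webhooks/111111111111111111/CONSTRUCTED_TOKEN_aaa 204 48213 "python-requests/2.31.0"
2024-05-02T10:14:05Z 10.0.0.40 GET https://discord.com/api/v9/gateway 200 512 "Discord/1.0.9044"
2024-05-02T10:15:31Z 10.0.0.23 POST https://discord.com/api/webhooks/222222222222222222/CONSTRUCTED_TOKEN_bbb 204 1307114 "python-requests/2.31.0"
2024-05-02T10:16:00Z 10.0.0.51 POST https://discord.com/api/webhooks/333333333333333333/CONSTRUCTED_TOKEN_ccc 204 2048 "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2024-05-02T10:17:12Z 10.0.0.23 POST https://discord.com/api/webhooks/111111111111111111/CONSTRUCTED_TOKEN_aaa 204 9981 "python-requests/2.31.0"
2024-05-02T10:18:40Z 10.0.0.40 GET https://cdn.discordapp.com/avatars/1/abc.png 200 20480 "Discord/1.0.9044"
"""


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec


def webhook_id(url: str):
    """Return the numeric webhook id if the URL is a Discord webhook endpoint."""
    m = WEBHOOK_RE.match(url)
    return m.group("id") if m else None  # token deliberately not returned/logged


def summarize(lines):
    """Per source host: webhook POST count, bytes sent, distinct webhook ids, scripted UA."""
    stats = defaultdict(lambda: {"posts": 0, "bytes": 0, "webhook_ids": set(), "scripted_ua": False})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        wid = webhook_id(rec["url"])
        if wid is None:
            continue
        s = stats[rec["src"]]
        s["posts"] += 1
        s["bytes"] += rec["bytes"]
        s["webhook_ids"].add(wid)
        if SCRIPTED_UA_RE.search(rec["ua"]):
            s["scripted_ua"] = True
    return dict(stats)


def alerts(lines, min_posts: int = 2) -> list:
    """Sources worth a ticket: repeated POSTs, a scripted UA, or more than one webhook."""
    out = []
    for src, s in sorted(summarize(lines).items()):
        if s["posts"] >= min_posts or s["scripted_ua"] or len(s["webhook_ids"]) > 1:
            out.append(src)
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for src, s in sorted(summarize(lines).items()):
        print(f"{src}: posts={s['posts']} bytes={s['bytes']} webhooks={len(s['webhook_ids'])} scripted_ua={s['scripted_ua']}")
    print("alert:", alerts(lines))
```

The webhook token is parsed but never emitted, so the detector's own output does not become a secondary leak of a credential that could be revoked and reported to Discord's abuse channel instead.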
Indicators of Compromise
- [File name] Malware sample – Lethalcompany.py
- [File hashes] Identifiers for the analyzed sample – MD5: 2690f7c685784fff006fe451fa3b154c, SHA-256: 5a1b440861ef652cc207158e7e129f0b3a22ed5ef5d2ea5968e1d9eff33017bc
- [Webhook endpoints] Exfiltration targets – Hardcoded Discord webhook endpoints (structured-data webhook, screenshot webhook)
- [Registry Run Key] Persistence artifact – Registered under the current user’s Run registry key (user-level autorun entry)
- [Browser artifacts] Credential stores accessed – Local State (browser master key extraction) and Login Data SQLite databases (saved credentials)
Read more: https://www.cyfirma.com/research/solyximmortal-python-malware-analysis/