The Glassworm botnet, which targets developers in software supply chain attacks, was thrown into disarray after researchers took down its resilient command and control infrastructure, which relied on Solana blockchain transactions and the BitTorrent DHT network.
In a coordinated operation yesterday, CrowdStrike, Google, and the Shadowserver Foundation cut off the botnet operators' access to four different command and control (C2) channels designed to resist conventional takedown actions.
The Glassworm campaign has been ongoing since October 2025 and initially targeted developers using malicious OpenVSX and Microsoft VS Code extensions to steal cryptocurrency wallets and developer credentials.
Subsequent waves of attacks spread to GitHub repositories and npm packages, with one campaign in March impacting over 400 software artifacts.
In a recent attack, Glassworm operators embedded dozens of dormant extensions into OpenVSX that activated malicious components after an update.
One of the reasons the Glassworm threat has survived so long is that its C2 infrastructure relies on non-traditional communication channels that are difficult to take down.
“The combination of blockchain, peer-to-peer, and canonical web services as a resolution layer is designed to be resilient to takedowns; it's a dynamic front that protects the actual C2 server behind multiple layers of indirection,” CrowdStrike notes.
The researchers said that “Glassworm's operators built infrastructure to increase resiliency” and that they needed to attack all four C2 channels simultaneously to take down the botnet:
- Solana blockchain: C2 server addresses are encoded into the memo field of blockchain transactions, creating an immutable and publicly accessible dead drop that cannot be taken offline using conventional methods.
- BitTorrent Distributed Hash Table (DHT): GlasswormRAT leverages a globally distributed network with no single point of failure, querying the BitTorrent peer-to-peer network for configuration data stored against hard-coded public keys.
- Public calendar service: Glassworm uses Google Calendar event titles as dead-drop locations for Base64-encoded C2 paths.
- Direct server connection: Traditional C2 infrastructure hosted at a commercial VPS provider served as the final payload delivery mechanism.

Source: CrowdStrike
This architecture means that disrupting a single channel has little effect on Glassworm's operation, as communication moves to another channel and the attacker maintains control.
“A concerted effort required us to disrupt all four channels simultaneously, resulting in infected machines being unable to receive new instructions or payloads,” CrowdStrike said.
After this disruption, all machines compromised in the Glassworm attack are sending beacons to the CrowdStrike-operated IP address 164.92.88(.)210.
Organizations are encouraged to look for this network indicator and take immediate remedial action. Additionally, the researchers published YARA rules to confirm infection of suspected hosts.
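One way to act on the sinkhole indicator above is to sweep egress logs for internal hosts that contacted it; the script below is an added example (not CrowdStrike's tooling) that refangs the defanged address and runs it against constructed key=value firewall lines, assuming that log format. A denied connection still counts, since the host is infected and trying to beacon.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Sinkhole address published after the disruption, written defanged as on the page.
SINKHOLE_DEFANGED = "164.92.88(.)210"

def refang(indicator: str) -> str:
    """Turn a defanged indicator ("164.92.88(.)210", "hxxp://") back into a matchable value."""
    return indicator.replace("(.)", ".").replace("[.]", ".").replace("hxxp", "http")

# Constructed firewall/proxy log lines (not real telemetry); the 10.0.9.3 line is a near-miss.
SAMPLE_LOG = """\
2026-05-02T10:01:12Z src=10.0.5.21 dst=164.92.88.210 dport=443 proto=tcp action=allow
2026-05-02T10:01:15Z src=10.0.5.21 dst=142.250.80.46 dport=443 proto=tcp action=allow
2026-05-02T10:03:40Z src=10.0.7.8 dst=164.92.88.210 dport=80 proto=tcp action=allow
2026-05-02T10:05:02Z src=10.0.9.3 dst=164.92.88.21 dport=443 proto=tcp action=allow
2026-05-02T10:06:55Z src=10.0.5.21 dst=164.92.88.210 dport=443 proto=tcp action=deny
"""

# Assumed line layout: timestamp, then space-separated key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+dport=(?P<dport>\d+).*?action=(?P<action>\w+)"
)

def find_sinkhole_beacons(log_text: str, sinkhole: str = SINKHOLE_DEFANGED) -> Dict[str, List[str]]:
    """Return {internal_host: [timestamps]} for every connection attempt to the sinkhole.
    Denied attempts are kept: the host is still infected and still trying to beacon."""
    target = refang(sinkhole)
    hits: Dict[str, List[str]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        # Exact string compare: "164.92.88.21" must not match "164.92.88.210".
        if m.group("dst") == target:
            hits[m.group("src")].append(m.group("ts"))
    return dict(hits)

if __name__ == "__main__":
    for host, times in find_sinkhole_beacons(SAMPLE_LOG).items():
        print(f"{host}: {len(times)} beacon(s) to sinkhole, first at {times[0]}")
```

Hosts returned here are candidates for the published YARA rules and for immediate isolation and credential rotation.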
