Malware & Threats

GlassWorm Botnet Disrupted

Security firms took down all four command-and-control (C&C) channels used by the GlassWorm malware.

Botnet

The GlassWorm botnet that has been targeting the open source software ecosystem for over six months has been disrupted, cybersecurity firm CrowdStrike reports.

Together with Google and the Shadowserver Foundation, CrowdStrike took down GlassWorm’s four command-and-control (C&C) channels simultaneously, preventing access to the infected machines and the delivery of fresh payloads.

The malware has been using the Solana blockchain for C&C infrastructure, with Google Calendar, the BitTorrent peer-to-peer network, and traditional servers hosted on commercial VPS providers serving as backup C&Cs.

GlassWorm’s operators have been encoding C&C addresses in the memo fields of blockchain transactions, which cannot be modified or deleted.

The BitTorrent network was used to store configuration data against hardcoded public keys, Google Calendar was used to store Base64-encoded C&C paths in event titles, and the traditional C&C servers were used to host payloads.

“The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns — a dynamic front protecting the actual C&C servers behind multiple layers of indirection,” CrowdStrike notes.

Advertisement. Scroll to continue reading.

By taking down all four channels at the same time, the cybersecurity firms severed the operators’ access to the infected machines and their ability to deliver new instructions.

First spotted in October 2025, GlassWorm has been relying on Unicode variation selectors to hide its code in code editors and make it invisible to the human eye.

The self-propagating malware was initially distributed via trojanized Visual Studio extensions via the OpenVSX marketplace. In November, however, it also emerged on GitHub.

In 2026, GlassWorm attacks continued to target VS developers and other open source software ecosystems. In March, multiple Python projects were compromised.

“The operators behind Glassworm are well-resourced and persistent. Over the course of more than a year, they continuously evolved: adopting new programming languages (from JavaScript to Rust to Zig), expanding across package ecosystems (VSCode, npm, PyPI, GitHub), and building redundant infrastructure designed to survive takedown attempts,” CrowdStrike says.

GlassWorm is designed to steal sensitive information (such as NPM, GitHub, and Git credentials) and funds from dozens of cryptocurrency extensions. It also deploys SOCKS proxy servers and hidden VNC servers for remote access to the infected machines.

The attackers’ access to stolen credentials created an ongoing risk of high-impact supply chain compromises beyond the victim developers. All consumers of potentially impacted software, including enterprises and other types of organizations, were also exposed to compromise.

According to CrowdStrike, evidence suggests that GlassWorm’s operators are of Russian origin: the malware checks the system’s locale and avoids infecting machines in CIS countries, and its code contains Russian-language comments.

“This takedown matters beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software. Adversaries are no longer just targeting products, they’re targeting the developers who build them,” CrowdStrike notes.

In addition to taking down the GlassWorm infrastructure, CrowdStrike has instructed the infected machines to beacon to the benign IP address 164.92.88[.]210. Organizations are advised to check for connections to this IP address to identify potential infections.

“As long as developer environments, build pipelines, and code repositories remain under-protected, every organization that consumes software inherits the risk of everyone who produces it. Glassworm demonstrates that attackers know this and are investing in resilient infrastructure to maintain persistent access to developer ecosystems,” CrowdStrike notes.

Related: ‘First VPN’ Cybercrime Service Disrupted, Administrator Arrested

Related: Microsoft Disrupts Malware-Signing Service Run by ‘Fox Tempest’

Related: US Disrupts Russian Espionage Operation Involving Hacked Routers and DNS Hijacking

Related: Tycoon 2FA Fully Operational Despite Law Enforcement Takedown

Related Content

Malware & Threats

Law enforcement and private partners took down 106 SocGholish C&C servers and domains as part of Operation Endgame.

Phishing

The platform used more than 9,000 phishing sites, stealing nearly 4 million credit cards and causing roughly $1.9 billion in losses.

Cybercrime

Dutch authorities seized command-and-control servers tied to a botnet of infected computers, smartphones, and tablets that was allegedly used to power a residential proxy...

Cybercrime

Jacob Butler, 23, has been arrested in Canada and US authorities are seeking his extradition on computer hacking charges.

Malware & Threats

Over 70 cloned Open VSX extensions are likely sleeper extensions designed to distribute malware.

Malware & Threats

The exploitation of the command injection vulnerability started one year after public disclosure and PoC exploit code publication.

Malware & Threats

Focused on persistence, the botnet does not engage in widespread infection and avoids blacklisted IPs and critical infrastructure entities.

Malware & Threats

The APT28 threat group exploited vulnerable TP-Link and MikroTik routers to conduct adversary-in-the-middle (AitM) attacks.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version