LmCast :: Stay tuned in

Glassworm botnet disrupted after resilient C2 infrastructure takedown

Recorded: May 27, 2026, 2 p.m.



Glassworm botnet disrupted after resilient C2 infrastructure takedown

By Ionut Ilascu

May 27, 2026
09:28 AM

The Glassworm botnet targeting developers in software supply-chain attacks has been disrupted after researchers took down its resilient command-and-control infrastructure relying on Solana blockchain transactions and the BitTorrent DHT network.
In a coordinated operation conducted yesterday, CrowdStrike, Google, and The Shadowserver Foundation cut off the botnet operators’ access to four distinct command-and-control (C2) channels designed to resist conventional disruption efforts.
Glassworm campaigns have been ongoing since October 2025 and initially targeted developers with malicious OpenVSX and Microsoft VS Code extensions that stole cryptocurrency wallets and developer credentials.
Later attack waves extended to GitHub repositories and npm packages, with one campaign in March impacting more than 400 software artifacts.
In a more recent attack, Glassworm operators planted dozens of dormant extensions on OpenVSX that would activate the malicious component after an update.
One reason the Glassworm threat has survived this long is its C2 infrastructure, which relies on non-traditional communication channels that are difficult to take down.
“The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns — a dynamic front protecting the actual C2 servers behind multiple layers of indirection,” CrowdStrike notes.
The researchers say that “Glassworm's operators built their infrastructure for resilience,” and taking down the botnet required hitting the four C2 channels simultaneously:
Solana blockchain: C2 server addresses are encoded in the memo fields of blockchain transactions, creating an immutable, publicly accessible dead drop that cannot be taken offline by conventional means.
BitTorrent Distributed Hash Table (DHT): The GlasswormRAT queries the BitTorrent peer-to-peer network for configuration data stored against hardcoded public keys, leveraging a global decentralized network with no single point of failure.
Public calendar service: Glassworm uses Google Calendar event titles as dead-drop locations for Base64-encoded C2 paths.
Direct server connections: Traditional C2 infrastructure hosted on commercial VPS providers served as the final payload delivery mechanism.

[Figure: Glassworm command-and-control architecture. Source: CrowdStrike]
Because of this architecture, disrupting a single channel would have little impact on the Glassworm operation, as communications could shift to another channel, allowing the threat actor to maintain control.
“All four channels had to be disrupted simultaneously in a coordinated effort. As a result, infected machines can no longer receive new instructions or payloads,” CrowdStrike says.
Following the disruption, all machines compromised in a Glassworm attack are beaconing to the IP address 164.92.88[.]210 operated by CrowdStrike.
Organizations are advised to look for this network indicator and take immediate remediation action. Additionally, the researchers have published YARA rules to confirm infections on suspected hosts.
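The only indicator the article gives defenders is the sinkhole address, so here is a small triage script, added as an example and not part of the article or CrowdStrike's tooling, that refangs the published address and scans connection logs for internal hosts beaconing to it. The log format (JSON lines with Zeek-style field names) and every log entry are constructed for the example.

```python
import ipaddress
import json
from collections import defaultdict

# Sinkhole address published in the article, kept defanged as it appears there.
SINKHOLE_DEFANGED = "164.92.88[.]210"

def refang(indicator: str) -> str:
    """Turn a defanged indicator ("164.92.88[.]210") back into a usable value."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")

SINKHOLE = ipaddress.ip_address(refang(SINKHOLE_DEFANGED))

# Constructed sample connection log (JSON lines, Zeek-style field names), not real traffic.
# Assumed to be in chronological order, which the first/last-seen logic relies on.
SAMPLE_LOG = """
{"ts": "2026-05-27T09:00:01Z", "id.orig_h": "10.0.5.17", "id.resp_h": "164.92.88.210", "id.resp_p": 443}
{"ts": "2026-05-27T09:00:05Z", "id.orig_h": "10.0.5.17", "id.resp_h": "142.250.72.14", "id.resp_p": 443}
{"ts": "2026-05-27T09:05:02Z", "id.orig_h": "10.0.5.17", "id.resp_h": "164.92.88.210", "id.resp_p": 443}
{"ts": "2026-05-27T09:07:44Z", "id.orig_h": "10.0.9.3", "id.resp_h": "164.92.88.210", "id.resp_p": 80}
{"ts": "2026-05-27T09:08:10Z", "id.orig_h": "10.0.2.20", "id.resp_h": "164.92.188.210", "id.resp_p": 443}
"""

def find_beaconing_hosts(log_text: str, sinkhole=SINKHOLE) -> dict:
    """Return {source_host: {"count", "first_seen", "last_seen", "ports"}} for every
    internal host that connected to the sinkhole. The comparison is on parsed
    addresses, so look-alikes such as 164.92.188.210 are not flagged."""
    hits = defaultdict(lambda: {"count": 0, "first_seen": None, "last_seen": None, "ports": set()})
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        try:
            resp = ipaddress.ip_address(rec["id.resp_h"])
        except (KeyError, ValueError):
            continue  # malformed record: skip rather than abort the whole scan
        if resp != sinkhole:
            continue
        h = hits[rec["id.orig_h"]]
        h["count"] += 1
        h["first_seen"] = h["first_seen"] or rec["ts"]
        h["last_seen"] = rec["ts"]
        h["ports"].add(rec["id.resp_p"])
    return dict(hits)

if __name__ == "__main__":
    for host, info in find_beaconing_hosts(SAMPLE_LOG).items():
        print(f"{host}: {info['count']} sinkhole connections, first {info['first_seen']}, last {info['last_seen']}")
```

Every host the script lists should be treated as a confirmed Glassworm infection to remediate, with the published YARA rules used to verify on the endpoint.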


Ionut Ilascu
Ionut Ilascu is a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia.

The Glassworm botnet, which primarily targeted developers through software supply-chain attacks, was disrupted after researchers dismantled its resilient command-and-control infrastructure. The coordinated operation by CrowdStrike, Google, and The Shadowserver Foundation severed access to four distinct command-and-control channels designed specifically to evade conventional disruption methods. The threat had been active since October 2025, initially targeting developers with malicious extensions for OpenVSX and Microsoft VS Code that stole cryptocurrency wallets and developer credentials. Subsequent attack waves expanded to GitHub repositories and npm packages, with one campaign in March affecting over four hundred software artifacts and another planting dormant extensions on OpenVSX that activated malicious components upon update.

The longevity of the Glassworm threat stemmed from its specialized C2 infrastructure, which utilized non-traditional communication channels known for their resistance to takedowns. The architecture employed a dynamic front by layering communications across multiple interdependent systems, including blockchain, peer-to-peer networks, and legitimate web services as resolution layers to provide indirection behind the actual control servers. To achieve a complete disruption, the researchers were required to simultaneously target all four communication channels. These channels included reliance on the Solana blockchain, where command-and-control server addresses were encoded within the memo fields of blockchain transactions, creating an immutable, publicly accessible dead drop. Furthermore, the botnet leveraged the BitTorrent Distributed Hash Table (DHT) network, allowing the Glassworm RAT to query the peer-to-peer network for configuration data stored against hardcoded public keys, thereby utilizing a decentralized global network without a single point of failure. Additionally, the operators used public calendar services, embedding Base64-encoded C2 paths within Google Calendar event titles as dead-drop locations. The final layer of communication involved traditional command-and-control infrastructure hosted on commercial virtual private server providers, which served as the mechanism for final payload delivery.

Because of this multi-channel design, disrupting any single communication path would have been insufficient, as the threat actors could seamlessly shift communications to an alternate channel to maintain control. The coordinated effort was necessary to interrupt all aspects of the infrastructure, preventing infected machines from receiving new instructions or payloads. Following the successful disruption, all compromised systems began beaconing to a specific IP address, 164.92.88[.]210, which was operated by CrowdStrike. Organizations are advised to monitor for this specific network indicator and implement immediate remediation. Furthermore, the researchers made YARA rules publicly available to assist in confirming infections on suspected hosts.