Glassworm Botnet Disrupted: Resilient C2 Infrastructure Taken Down
The Glassworm botnet, known for targeting developers in software supply-chain attacks, has been disrupted after a coordinated takedown of its command-and-control infrastructure, which relied heavily on Solana blockchain transactions and the BitTorrent DHT network to stay reachable.
A joint operation carried out by CrowdStrike, Google, and The Shadowserver Foundation effectively cut off the botnet operators’ access to four distinct command-and-control (C2) channels that were specifically designed to resist conventional disruption efforts.
Since October 2025, Glassworm campaigns have been actively targeting developers with malicious OpenVSX and Microsoft VS Code extensions aimed at stealing cryptocurrency wallets and developer credentials. Subsequent attack waves expanded to GitHub repositories and npm packages, with a single campaign in March affecting over 400 software artifacts.
Furthermore, recent Glassworm campaigns planted dormant extensions on OpenVSX that looked benign at publication time and only activated their malicious components after a later update, sidestepping review of the initial upload.
One of the key reasons for Glassworm’s prolonged survival was its unconventional C2 infrastructure, utilizing non-traditional communication channels that were challenging to dismantle.
According to CrowdStrike, the unique combination of blockchain, peer-to-peer, and legitimate web services as resolution layers provided a resilient front against takedowns. This dynamic setup shielded the actual C2 servers behind multiple layers of indirection.
The researchers emphasized that the takedown of Glassworm required simultaneous action on all four C2 channels:
Solana blockchain: C2 server addresses encoded in the memo fields of blockchain transactions, which the implant reads from the public ledger; an entry on a public chain cannot be taken down or edited by a third party, so the indirection has to be cut at the point where the implant resolves it.
BitTorrent Distributed Hash Table (DHT): GlasswormRAT queries the BitTorrent peer-to-peer network for configuration data, so there is no single node to seize.
Public calendar service: Google Calendar event titles used as dead-drop locations holding Base64-encoded C2 paths.
Direct server connections: Traditional C2 infrastructure hosted on commercial VPS providers for final payload delivery.
Because of this layered architecture, disrupting any single channel would have had little effect on the Glassworm operation: the implant could fall back to another resolution layer, and the threat actor would retain control of infected hosts.
CrowdStrike stated, “All four channels had to be disrupted simultaneously in a coordinated effort to prevent infected machines from receiving new instructions or payloads.”
Following the disruption, machines compromised in a Glassworm attack now beacon to a CrowdStrike-operated sinkhole at the IP address 164.92.88[.]210. Traffic to the sinkhole is itself harmless, but any host producing it is infected and still needs remediation, so organizations are strongly advised to hunt for this network indicator in firewall, proxy and flow logs and act on every source host that matches. The researchers have also released YARA rules to confirm infections on suspected hosts.
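The hunt described above, as an added example rather than anything CrowdStrike or Shadowserver published: the script refangs the defanged sinkhole indicator from the article, scans constructed firewall- and proxy-style log lines (the log format and every host in them are assumptions for illustration), groups matches by internal source host, and computes the gaps between successive beacons so periodic check-ins stand out from a one-off hit.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Sinkhole indicator as published in the article, in defanged form.
SINKHOLE_DEFANGED = "164.92.88[.]210"


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as '164.92.88[.]210' back into a matchable IP string."""
    for defang, real in (("[.]", "."), ("(.)", "."), ("[dot]", "."), ("{.}", ".")):
        indicator = indicator.replace(defang, real)
    return indicator


SINKHOLE_IP = ipaddress.ip_address(refang(SINKHOLE_DEFANGED))

# Constructed sample log lines (not from the article). Two layouts are mixed on purpose:
# key=value firewall records with src/dst, and proxy records with client/url.
SAMPLE_LOGS = """\
2025-05-02T09:14:03Z fw src=10.20.1.55 dst=164.92.88.210 dport=443 proto=tcp action=allow
2025-05-02T09:14:07Z fw src=10.20.1.56 dst=142.250.74.46 dport=443 proto=tcp action=allow
2025-05-02T09:19:03Z fw src=10.20.1.55 dst=164.92.88.210 dport=443 proto=tcp action=allow
2025-05-02T09:24:04Z fw src=10.20.1.55 dst=164.92.88.210 dport=443 proto=tcp action=allow
2025-05-02T09:30:11Z proxy client=10.20.3.9 url=https://164.92.88.210/api/update status=200
2025-05-02T09:31:00Z proxy client=10.20.3.10 url=https://marketplace.visualstudio.com/ status=200
"""


def parse_line(line: str):
    """Return (timestamp, source_host, destination) for a recognised line, else None.

    The destination may be an IP string or a hostname; the caller decides what to do with it.
    """
    tokens = line.split()
    if len(tokens) < 3:
        return None
    fields = dict(tok.split("=", 1) for tok in tokens[2:] if "=" in tok)
    if "src" in fields and "dst" in fields:
        return tokens[0], fields["src"], fields["dst"]
    if "client" in fields and "url" in fields:
        host = urlsplit(fields["url"]).hostname
        return tokens[0], fields["client"], host
    return None


def find_sinkhole_beacons(log_text: str) -> dict:
    """Map each internal source host to the timestamps at which it contacted the sinkhole."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst = parsed
        try:
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue  # hostname rather than a literal IP; not the indicator we are hunting
        if dst_ip == SINKHOLE_IP:
            hits[src].append(ts)
    return dict(hits)


def beacon_intervals(timestamps: list) -> list:
    """Seconds between consecutive contacts; a tight cluster of similar values suggests a beacon loop."""
    parsed = [datetime.fromisoformat(ts.replace("Z", "+00:00")) for ts in timestamps]
    return [int((b - a).total_seconds()) for a, b in zip(parsed, parsed[1:])]


if __name__ == "__main__":
    for host, stamps in sorted(find_sinkhole_beacons(SAMPLE_LOGS).items()):
        print(f"{host}: {len(stamps)} contact(s) with sinkhole, intervals {beacon_intervals(stamps)}")
```

On the constructed input this flags 10.20.1.55 (three contacts roughly five minutes apart, a typical beacon cadence) and 10.20.3.9 (a single proxied HTTPS request); 10.20.1.56 and 10.20.3.10 never touch the indicator. In a real environment, replace `SAMPLE_LOGS` with an export from the SIEM and treat each flagged host as a candidate for the released YARA rules rather than as a confirmed infection, since a single hit can also be an analyst or scanner probing the address.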