Glassworm botnet disrupted after resilient C2 infrastructure takedown
Researchers have disrupted the Glassworm botnet, which targeted developers through software-supply-chain attacks, by taking down its multi-channel C2 infrastructure. In a coordinated operation, CrowdStrike, Google, and The Shadowserver Foundation blocked four C2 channels that used Solana blockchain memos, BitTorrent DHT, Google Calendar events, and traditional servers, leaving infected machines unable to receive further instructions. Active since October 2025, Glassworm evolved from malicious OpenVSX/VS Code extensions to GitHub/npm campaigns, even deploying dormant OpenVSX extensions that activated on update. Post-takedown, infected hosts beacon to 164.92.88.210; investigators have published remediation guidance and YARA rules to aid detection.

Glassworm Botnet Disrupted After Resilient C2 Infrastructure Takedown
Overview
The Glassworm botnet, a threat actor toolkit aimed at developers through software supply-chain intrusion, has been disrupted following a coordinated takedown of its multi-channel command-and-control (C2) infrastructure. The operation leveraged a collaboration among CrowdStrike, Google, and The Shadowserver Foundation to sever four distinct C2 pathways designed to withstand traditional disruption efforts. Glassworm campaigns have persisted since October 2025, initially focusing on malicious OpenVSX and Microsoft VS Code extensions that exfiltrated cryptocurrency wallets and developer credentials. Subsequent waves expanded into GitHub repositories and npm packages, with a March campaign impacting hundreds of code artifacts. In a late-stage move, dormant extensions on OpenVSX were planted to awaken upon updates, broadening the reach of the threat.
C2 Architecture and Resilience
A key reason Glassworm sustained operations for months is its resilience-driven C2 design. The operators built a layered resolution stack that could migrate between channels as needed, complicating takedown attempts. The following four channels were implemented to maintain control over infected hosts:
The Four C2 Channels
- Solana blockchain: C2 server addresses are embedded in the memo fields of blockchain transactions. This creates an immutable, publicly accessible dead drop that cannot be taken offline using conventional methods, so instruction delivery survives the loss of any traditional server.
- BitTorrent Distributed Hash Table (DHT): GlasswormRAT queries the BitTorrent network for configuration data stored against public keys. This leverages a decentralized, peer-to-peer network with no single point of failure, enabling continued operation even if central servers are disrupted.
- Public calendar service: Glassworm uses event titles in Google Calendar as dead-drop locations. Base64-encoded C2 paths are hidden within calendar entries, exploiting a legitimate cloud service as a covert channel for control data.
- Direct server connections: Traditional C2 infrastructure hosted on commercial virtual private servers (VPS) acted as the final payload delivery mechanism. This channel provided a familiar, centralized connection point for updates and commands when other channels were unavailable.
The architecture’s multi-channel approach meant that disruptors could not rely on a single takedown to cripple the botnet. If one channel was silenced, the operators could shift communications to another, preserving command and control at the edge of the network.
The Takedown and Its Significance
The disruption required hitting all four channels simultaneously. CrowdStrike explains that “All four channels had to be disrupted simultaneously in a coordinated effort. As a result, infected machines can no longer receive new instructions or payloads.” In the wake of the operation, compromised endpoints began beaconing to a single IP address, 164.92.88[.]210, operated by CrowdStrike. This centralized indicator of compromise (IoC) provides defenders with a concrete signal to identify potentially affected hosts and apply remediation measures. In addition to the disruption, researchers published YARA rules to help confirm infections on suspected machines, assisting incident responders in rapid triage and containment.
Campaign History and Scope
Glassworm campaigns began in October 2025 with initial intrusions through malicious OpenVSX and VS Code extensions designed to harvest cryptocurrency wallets and developer credentials. As the campaigns evolved, the threat actor broadened its reach to GitHub repositories and npm packages, creating a wider surface of exposure for developers and projects. A notable March wave impacted more than 400 code artifacts across multiple repositories and ecosystems. In a later maneuver, dozens of dormant extensions were planted on OpenVSX, designed to activate only after a user update, extending the threat’s window of exposure and complicating clean-up efforts.
Indicators of Compromise and Remediation Context
Post-takedown analysis centers on observable artifacts that defenders can monitor to identify potential Glassworm activity:
- Beaconing to the IP address 164.92.88[.]210 (CrowdStrike-operated sinkhole)
- On-chain C2 data encoded in Solana memo fields (immutable blockchain traffic patterns)
- BitTorrent DHT-based configuration lookups tied to public keys
- Google Calendar-based dead-drop references containing encoded C2 paths
- Persistent payloads and updates that may reappear via OpenVSX sleeper extensions or other delivery mechanisms
The effort also yielded practical tools for defenders, including YARA rules designed to detect Glassworm indicators within suspected hosts, enabling faster containment and remediation for affected environments.
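As an added defender-side example (not code from the report or from any of the organizations named), the script below triages a connection log for hosts beaconing to the CrowdStrike sinkhole and estimates beacon periodicity per host. The only value taken from the report is the published indicator 164.92.88[.]210; the log format, internal host addresses and timestamps are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Indicator exactly as published in the report (defanged); refang before matching.
SINKHOLE_IOC = "164.92.88[.]210"

# Constructed sample flow log: "<timestamp> <src_ip> -> <dst_ip>:<dst_port>" (hosts are made up)
SAMPLE_LOG = """\
2026-04-02T10:00:00 10.0.0.5 -> 164.92.88.210:443
2026-04-02T10:00:03 10.0.0.7 -> 203.0.113.10:443
2026-04-02T10:05:00 10.0.0.5 -> 164.92.88.210:443
2026-04-02T10:10:01 10.0.0.5 -> 164.92.88.210:443
2026-04-02T10:11:30 10.0.0.9 -> 164.92.88.210:80
2026-04-02T10:15:00 10.0.0.5 -> 164.92.88.210:443
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+):(\d+)$")


def refang(ioc):
    """Turn a defanged indicator such as 164.92.88[.]210 into a matchable IP."""
    return ioc.replace("[.]", ".")


def find_beaconing_hosts(log_text, sinkhole_ioc=SINKHOLE_IOC):
    """Map each internal host that contacted the sinkhole to its hit count,
    mean interval and interval jitter (seconds). Several hits with near-zero
    jitter indicate a timer-driven beacon rather than a one-off connection."""
    sinkhole = refang(sinkhole_ioc)
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting triage
        ts, src, dst, _port = m.groups()
        if dst == sinkhole:
            hits[src].append(datetime.fromisoformat(ts))
    report = {}
    for src, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[src] = {
            "count": len(times),
            "interval_s": sum(gaps) / len(gaps) if gaps else None,
            "jitter_s": pstdev(gaps) if len(gaps) > 1 else None,
        }
    return report
```

Hosts flagged here should be checked against the published YARA rules before remediation; a single hit may be a scanner or an analyst's test rather than an infected endpoint.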
Context and Observations
The Glassworm takedown underscores a broader trend in adversary infrastructure design: reliance on legitimate, distributed, or decentralized services to conceal C2 activity. By distributing control across blockchain, peer-to-peer networks, and widely used cloud services, operators create a dynamic flow of instructions that resists conventional takedown strategies. The simultaneous disruption strategy demonstrates the necessity of coordinated, cross-organizational action to neutralize such resilient threats.
Visuals and Supporting Material
An architectural visualization illustrates Glassworm’s C2 stack, highlighting how each channel contributes to overall resilience. The imagery accompanying the case shows the multi-layered C2 diagram and its interaction with on-chain, DHT, calendar, and direct server channels.
Notes on Collaboration
The takedown demonstrates the power of cross-industry collaboration between security vendors, search and discovery platforms, and security-focused organizations to disrupt a resilient malware operation that exploits non-traditional communication channels. The outcome emphasizes the value of sharing telemetry, indicators of compromise, and detection signatures to enable rapid defense responses across the ecosystem.