Skip to content
Tech News
← Back to articles

Glassworm botnet disrupted after resilient C2 infrastructure takedown

2026-05-27 | original
read original more articles
Why This Matters

The disruption of the Glassworm botnet highlights the evolving sophistication of cyber threats that leverage decentralized and resilient infrastructure, making traditional takedown methods less effective. This operation underscores the importance of coordinated efforts among cybersecurity firms and tech giants to combat complex, multi-layered attacks that target developers and software supply chains. The takedown also emphasizes the need for ongoing vigilance and innovative strategies to counter resilient cyber threats in the industry.

Key Takeaways

The Glassworm botnet targeting developers in software supply-chain attacks has been disrupted after researchers took down its resilient command-and-control infrastructure relying on Solana blockchain transactions and the BitTorrent DHT network.

​In a coordinated operation conducted yesterday, CrowdStrike, Google, and The Shadowserver Foundation cut off the botnet operators’ access to four distinct command-and-control (C2) channels designed to resist conventional disruption efforts.

Glassworm campaigns have been ongoing since October 2025 and initially targeted developers with malicious OpenVSX and Microsoft VS Code extensions that stole cryptocurrency wallets and developer credentials.

Later attack waves extended to GitHub repositories and npm packages, with one campaign in March impacting more than 400 software artifacts.

In a more recent attack, Glassworm operators planted dozens of dormant extensions on OpenVSX that would activate the malicious component after an update.

One reason the Glassworm threat has survived this long is its C2 infrastructure, which relies on non-traditional communication channels that are difficult to take down.

“The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns — a dynamic front protecting the actual C2 servers behind multiple layers of indirection,” CrowdStrike notes.

The researchers say that “Glassworm's operators built their infrastructure for resilience,” and taking down the botnet required hitting the four C2 channels simultaneously:

Solana blockchain: C2 server addresses are encoded in the memo fields of blockchain transactions, creating an immutable, publicly accessible dead drop that cannot be taken offline by conventional means. BitTorrent Distributed Hash Table (DHT): The GlasswormRAT queries the BitTorrent peer-to-peer network for configuration data stored against hardcoded public keys, leveraging a global decentralized network with no single point of failure. Public calendar service: Glassworm uses Google Calendar event titles as dead-drop locations for Base64-encoded C2 paths. Direct server connections: Traditional C2 infrastructure hosted on commercial VPS providers served as the final payload delivery mechanism.

Glassworm command-and-control architecture

... continue reading

Explore topics: blockchain channels control crowdstrike glassworm
Related:
CrowdStrike and Google take down botnet used by hackers to target software developers in supply chain attacks
Nvidia kills Windows XP-era Control Panel "after 20 years of dedicated service"
Valve raises Steam Deck prices by more than $200
Sony’s DualSense controllers are almost 30 percent off
Stop Advertising in Your Commits

© 2026 GoKawiil

About | Editorial Policy | Contact