GlassWorm Botnet Disrupted
The GlassWorm botnet, active since October 2025 and targeting open source software ecosystems, has been disrupted by a coordinated takedown of its four command-and-control (C&C) channels by cybersecurity firms including CrowdStrike, Google, and the Shadowserver Foundation. GlassWorm used a resilient multi-layered C&C infrastructure leveraging the Solana blockchain, Google Calendar, the BitTorrent network, and traditional VPS servers to maintain control over infected machines. The malware was distributed via trojanized Visual Studio extensions and later spread to other package ecosystems such as npm and PyPI. It steals sensitive credentials and cryptocurrency funds, deploys proxy and remote access servers, and poses a significant supply chain risk. The operators appear to be Russian and avoid infecting CIS countries. The takedown prevents further control and payload delivery to infected hosts, and infected machines have been instructed to beacon to a benign IP address for detection purposes.
AI Analysis
Technical Summary
GlassWorm is a sophisticated malware botnet that targeted developers and open source ecosystems by infecting development tools and package repositories. It employed a resilient C&C infrastructure combining blockchain transactions, peer-to-peer networks, legitimate web services, and traditional servers to evade takedown efforts. The malware steals developer credentials and cryptocurrency-related data, enabling supply chain compromises. The operators continuously evolved the malware and infrastructure over more than a year. The coordinated takedown simultaneously disrupted all four C&C channels, severing attacker control and preventing new payload delivery. CrowdStrike and partners have provided detection guidance by instructing infected hosts to beacon to a specific benign IP address.
Potential Impact
The GlassWorm botnet enabled attackers to steal sensitive developer credentials and cryptocurrency funds, deploy proxy and remote access services on infected machines, and maintain persistent access to developer environments. This created a high risk of supply chain compromises affecting all consumers of potentially impacted software, including enterprises. The disruption of the C&C infrastructure prevents further attacker control and payload delivery, mitigating ongoing risk. However, previously stolen credentials and compromised environments may still pose residual risks.
Mitigation Recommendations
The coordinated takedown of all GlassWorm C&C channels has effectively disrupted attacker control and payload delivery. Organizations should check for network connections to the benign IP address 164.92.88.210 as instructed by CrowdStrike to identify potential infections. Further remediation should focus on cleaning infected developer environments and rotating any potentially compromised credentials. Patch status is not applicable as this is malware infrastructure disruption rather than a software vulnerability.
Technical Details
Article source: https://www.securityweek.com/glassworm-botnet-disrupted/
Threat ID: 6a16c4fce29bf47b50b11be4
Added to database: 5/27/2026, 10:18:36 AM
Last enriched: 5/27/2026, 10:18:44 AM
Last updated: 5/27/2026, 12:51:51 PM