Glassworm botnet disrupted after resilient C2 infrastructure takedown
The Glassworm botnet, which targeted software developers through supply-chain attacks involving malicious extensions and compromised repositories, has been disrupted after a coordinated takedown of its resilient command-and-control (C2) infrastructure. This infrastructure uniquely leveraged multiple non-traditional communication channels, including Solana blockchain transactions, BitTorrent DHT, Google Calendar events, and traditional VPS-hosted servers, to maintain control and resist takedown efforts. The disruption was achieved by simultaneously disabling all four C2 channels, effectively cutting off infected machines from receiving new instructions or payloads. Post-disruption, infected hosts are beaconing to an IP address controlled by CrowdStrike, enabling detection and remediation. Researchers have also published YARA rules to assist in identifying infections. The botnet had been active since October 2025, with campaigns stealing cryptocurrency wallets and developer credentials and impacting hundreds of software artifacts. No known exploits are currently active in the wild following this takedown.
AI Analysis
Technical Summary
Glassworm is a botnet that targeted developers via malicious software supply-chain attacks, including compromised OpenVSX and VS Code extensions, GitHub repositories, and npm packages. Its command-and-control infrastructure was designed for resilience by using four distinct communication channels: Solana blockchain transaction memos encoding C2 addresses, BitTorrent Distributed Hash Table for configuration data retrieval, Google Calendar event titles as dead-drop locations, and traditional VPS-hosted servers. This multi-layered architecture allowed the botnet to survive conventional takedown attempts. A coordinated operation by CrowdStrike, Google, and The Shadowserver Foundation simultaneously disrupted all four channels, effectively neutralizing the botnet's control capabilities. Infected machines now beacon to a CrowdStrike-controlled IP, facilitating detection and cleanup. YARA rules have been released to confirm infections on hosts. The botnet's campaigns included theft of cryptocurrency wallets and developer credentials, with a significant impact on software supply-chain integrity.
Potential Impact
The Glassworm botnet compromised software supply chains by distributing malicious extensions and packages that stole cryptocurrency wallets and developer credentials. It affected hundreds of software artifacts and posed a risk to developer environments and downstream users. The botnet's resilient C2 infrastructure allowed it to maintain control over infected hosts despite conventional disruption attempts. The coordinated takedown has halted the botnet's ability to receive new commands or payloads, effectively neutralizing the threat. There are no known active exploits in the wild following this disruption. Organizations with potentially infected machines can detect them via the new beaconing IP address and YARA rules provided by researchers.
Mitigation Recommendations
The Glassworm botnet has been effectively disrupted through a coordinated takedown of all four of its C2 communication channels. Organizations should monitor for network traffic beaconing to the IP address 164.92.88.210, which is controlled by CrowdStrike, as an indicator of infection. Deploy the published YARA rules to identify compromised hosts. Immediate remediation actions should focus on removing infected extensions and packages from developer environments and cleaning affected systems. Since the takedown has neutralized the botnet's control infrastructure, no additional urgent mitigation steps are required beyond detection and cleanup.
Technical Details
- Article Source: https://www.bleepingcomputer.com/news/security/glassworm-botnet-disrupted-after-resilient-c2-infrastructure-takedown/ (fetched 2026-05-27T13:33:33.926Z)
Threat ID: 6a16f2ade29bf47b50bef155
Added to database: 5/27/2026, 1:33:33 PM
Last enriched: 5/27/2026, 1:33:46 PM
Last updated: 5/27/2026, 2:47:22 PM