GlassWorm Botnet Disrupted
Briefly

GlassWorm, a self-propagating malware campaign that has targeted the open source software ecosystem for over six months, has been disrupted. CrowdStrike, with help from Google and the Shadowserver Foundation, took down its four command-and-control channels simultaneously, cutting off access to infected machines and the delivery of new payloads. The malware used the Solana blockchain as its primary command-and-control resolution layer, with Google Calendar, the BitTorrent peer-to-peer network, and traditional servers on commercial VPS providers acting as backup channels. Operators encoded command-and-control addresses in the memo fields of blockchain transactions, which cannot be modified or deleted once confirmed. BitTorrent stored configuration data against hardcoded public keys, Google Calendar stored Base64-encoded command-and-control paths in event titles, and the traditional servers hosted payloads. To evade review, the malware hid its code from code editors using Unicode variation selectors. It was distributed via trojanized Visual Studio Code extensions on the OpenVSX marketplace and later also appeared on GitHub.
"Together with Google and the Shadowserver Foundation, CrowdStrike took down GlassWorm's four command-and-control (C&C) channels simultaneously, preventing access to the infected machines and the delivery of fresh payloads."
"GlassWorm's operators have been encoding C&C addresses in the memo fields of blockchain transactions, which cannot be modified or deleted. The BitTorrent network was used to store configuration data against hardcoded public keys, Google Calendar was used to store Base64-encoded C&C paths in event titles, and the traditional C&C servers were used to host payloads."
"'The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns - a dynamic front protecting the actual C&C servers behind multiple layers of indirection,' CrowdStrike notes."
"First spotted in October 2025, GlassWorm has been relying on Unicode variation selectors to hide its code in code editors and make it invisible to the human eye. The self-propagating malware was initially distributed via trojanized Visual Studio extensions via the OpenVSX marketplace. In November, however, it also emerged on GitHub."
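The variation-selector trick described above can be caught with a simple scan, because long runs of selectors have no legitimate use in source files. The following is an added example (not CrowdStrike's, SecurityWeek's, or GlassWorm's code) that flags such runs in a file and, for triage, decodes them under an assumed byte-per-selector mapping; the sample extension text is constructed.

```python
# Scanner for code hidden with Unicode variation selectors in source files.
# Added example. The byte mapping in hide_bytes/decode_vs_bytes is an
# ASSUMPTION (a publicly documented encoding), not a claim about GlassWorm's
# actual scheme. SAMPLE is a constructed file, not a real extension.
from __future__ import annotations

VS_LOW = range(0xFE00, 0xFE10)      # VS1-VS16; a lone VS16 after an emoji is benign
VS_HIGH = range(0xE0100, 0xE01F0)   # VS17-VS256; essentially never seen in source


def is_vs(ch: str) -> bool:
    return ord(ch) in VS_LOW or ord(ch) in VS_HIGH


def hide_bytes(data: bytes) -> str:
    """Constructed fixture only: map each byte to one invisible selector."""
    return "".join(chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16) for b in data)


def decode_vs_bytes(run: str) -> bytes:
    """Inverse of hide_bytes, used to inspect a flagged run (assumed mapping)."""
    return bytes(ord(c) - 0xFE00 if ord(c) in VS_LOW else ord(c) - 0xE0100 + 16
                 for c in run)


def find_vs_runs(text: str, min_run: int = 2) -> list[dict]:
    """Report every run of >= min_run consecutive selectors with its line,
    character offset, length and the bytes it would carry."""
    runs, i, n = [], 0, len(text)
    while i < n:
        if not is_vs(text[i]):
            i += 1
            continue
        start = i
        while i < n and is_vs(text[i]):
            i += 1
        if i - start >= min_run:
            runs.append({"line": text.count("\n", 0, start) + 1, "offset": start,
                         "length": i - start, "hidden": decode_vs_bytes(text[start:i])})
    return runs


# Constructed sample: line 2 looks like a harmless comment in an editor but
# carries 24 invisible selectors after the visible text.
SAMPLE = ("const activate = () => {};\n"
          "// build: ok " + hide_bytes(b"payload-marker-24-bytes!") + "\n"
          "module.exports = { activate };\n")

if __name__ == "__main__":
    for r in find_vs_runs(SAMPLE):
        print(f"line {r['line']}: {r['length']} hidden selectors -> {r['hidden']!r}")
```

Run it over the files of an extension package (for example every `.js` under the unpacked `.vsix`) and treat any reported run as a review finding; the default `min_run=2` keeps a single VS16 after an emoji in a comment from producing noise.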
Read at SecurityWeek