Cybersecurity Triumph: Glassworm Botnet Disrupted in Major Supply Chain Attack Takedown
- John Jordan
CrowdStrike, in collaboration with Google and the Shadowserver Foundation, has successfully dismantled the Glassworm botnet, a sophisticated operation that targeted software developers and their supply chains. The coordinated effort simultaneously neutralized four resilient command-and-control (C2) channels, severing the attackers' access to infected machines and preventing further malicious payload delivery.
Key Takeaways
- Targeting Developers: Glassworm systematically targeted software developers, exploiting their access to critical systems like source code repositories, cloud platforms, and CI/CD pipelines.
- Supply Chain Exploitation: The botnet leveraged trojanized VS Code extensions, compromised npm and Python packages, and poisoned GitHub repositories to infiltrate the software supply chain.
- Resilient Infrastructure: Glassworm employed a multi-layered C2 infrastructure, utilizing the Solana blockchain, BitTorrent DHT, Google Calendar, and commercial VPS providers to evade detection and disruption.
- Global Collaboration: The successful takedown highlights the effectiveness of cross-sector collaboration between cybersecurity firms, tech giants, and non-profit organizations.
The Glassworm Threat
Since early 2025, Glassworm operators have been actively targeting software developers, a high-value target group whose compromise can lead to widespread downstream impact. The malware was designed to exfiltrate sensitive data, including developer credentials, cryptocurrency wallets, and system information. It also transformed infected hosts into covert infrastructure, such as SOCKS proxies and hidden VNC servers, enabling further propagation and anonymized network access.
Innovative Command-and-Control
What made Glassworm particularly challenging to combat was its innovative and resilient C2 infrastructure. The attackers employed a combination of unconventional methods to ensure their operations could withstand takedown attempts:
- Solana Blockchain: C2 server addresses were hidden within the memo fields of blockchain transactions, making them immutable and publicly accessible.
- BitTorrent DHT: Configuration data was retrieved from the peer-to-peer BitTorrent network, leveraging its decentralized nature.
- Google Calendar: Event titles in Google Calendar served as dead drops for C2 server addresses.
- Commercial VPS: Traditional C2 infrastructure hosted on commercial virtual private servers acted as the final delivery mechanism.
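As an added example (not from the article and not CrowdStrike's tooling), the script below turns the channel list above into a defensive check: a build agent has no reason to talk to a blockchain RPC endpoint, the BitTorrent DHT or the Calendar API, so egress-proxy logs from CI runners can be scored for exactly those dead-drop channels. The endpoint patterns, the `ci-runner-` naming convention and the log lines are constructed assumptions, not indicators from the page.

```python
import re
# Indicators for the dead-drop channels the article names. The hostnames, the
# DHT port and the CI host-naming convention are illustrative assumptions.
HOST_RULES = {
    "solana_rpc": re.compile(r"(^|\.)solana\.com$"),
    "google_calendar": re.compile(r"^calendar\.google\.com$"),
}
CALENDAR_PATH = "/calendar/"      # www.googleapis.com hosts many APIs; match only Calendar
DHT_UDP_PORTS = {6881}            # usual BitTorrent DHT bootstrap port
BUILD_HOST_PREFIX = "ci-runner-"  # build agents never need any of these services
LOG_RE = re.compile(r"host=(?P<host>\S+) proto=(?P<proto>\S+) "
                    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+) path=(?P<path>\S+)")

# Constructed egress-proxy log lines used as demo input.
LOGS = """\
2025-06-01T10:00:01Z host=ci-runner-07 proto=tcp dst=registry.npmjs.org:443 path=/
2025-06-01T10:00:05Z host=ci-runner-07 proto=tcp dst=api.mainnet-beta.solana.com:443 path=/
2025-06-01T10:00:09Z host=ci-runner-07 proto=udp dst=router.bittorrent.com:6881 path=-
2025-06-01T10:00:12Z host=ci-runner-07 proto=tcp dst=www.googleapis.com:443 path=/calendar/v3/calendars/primary/events
2025-06-01T10:01:00Z host=dev-laptop-3 proto=tcp dst=www.googleapis.com:443 path=/calendar/v3/calendars/primary/events
2025-06-01T10:01:45Z host=ci-runner-02 proto=tcp dst=api.mainnet-beta.solana.com:443 path=/
"""

def classify(proto, dst, port, path):
    """Return the dead-drop channel one egress record matches, or None."""
    if proto == "udp" and port in DHT_UDP_PORTS:
        return "bittorrent_dht"
    if dst == "www.googleapis.com":
        return "google_calendar" if path.startswith(CALENDAR_PATH) else None
    for channel, pattern in HOST_RULES.items():
        if pattern.search(dst):
            return channel
    return None

def analyze(lines):
    """Group matched channels per host and score: two or more channels mirror the
    layered fallback (high); one channel is medium on a build agent, ignored elsewhere."""
    seen = {}
    for line in lines:
        m = LOG_RE.search(line)
        if m and (ch := classify(m["proto"], m["dst"], int(m["port"]), m["path"])):
            seen.setdefault(m["host"], set()).add(ch)
    findings = []
    for host, channels in seen.items():
        if len(channels) >= 2:
            findings.append((host, sorted(channels), "high"))
        elif host.startswith(BUILD_HOST_PREFIX):
            findings.append((host, sorted(channels), "medium"))
    return sorted(findings)
```

A workstation that only touches Calendar is deliberately not reported, since that is ordinary use; the same single hit from a build agent is.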
Coordinated Disruption and Future Implications
The simultaneous takedown of all four C2 channels was crucial to crippling the botnet. By hitting these diverse and resilient channels at once, researchers ensured that infected machines could no longer receive instructions or new payloads. CrowdStrike attributes the activity to likely Russia-based cybercriminals, noting that the malware terminates execution on systems within CIS countries and contains Russian-language comments.
The Glassworm takedown serves as a critical example of how proactive disruption of resilient infrastructure can effectively combat sophisticated supply chain threats. It underscores the ongoing importance of securing developer environments, build pipelines, and code repositories to mitigate risks inherent in the modern software supply chain.
Sources
- GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure, The Hacker News.
- Glassworm botnet disrupted after resilient C2 infrastructure takedown, BleepingComputer.
- Inside CrowdStrike's Takedown of a Developer-Targeting Botnet, CrowdStrike.
- CrowdStrike disrupts Glassworm botnet that preyed on open-source supply chain, CyberScoop.
- Developer-Focused Glassworm Malware Spreads Across Major Code Platforms, Cyber Press.
