Glassworm Botnet Disrupted by Takedown of Solana and BitTorrent C2 Channels
The Glassworm botnet, which targets developers through supply-chain attacks, has been disrupted after a coordinated takedown of its resilient command-and-control (C2) infrastructure. The operation, conducted by CrowdStrike, Google, and The Shadowserver Foundation, simultaneously cut off four distinct C2 channels that had been designed to resist conventional disruption.

Glassworm campaigns began in October 2025, initially deploying malicious OpenVSX and Microsoft VS Code extensions to steal cryptocurrency wallets and credentials. Later attacks expanded to GitHub repositories and npm packages, with one campaign in March affecting over 400 software artifacts.

The botnet's C2 infrastructure relied on non-traditional channels: Solana blockchain transactions (with server addresses encoded in memo fields), the BitTorrent DHT network (for configuration data), Google Calendar event titles (as dead-drop locations for Base64-encoded paths), and direct server connections. This multi-channel architecture required simultaneous disruption so that the botnet could not shift to an alternative channel.

Following the takedown, compromised machines now beacon to a CrowdStrike-operated IP address; organizations are advised to check for this indicator and to use the provided YARA rules for remediation.
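As an added example (not code from the article or from the takedown team), the following Python triages dead-drop strings of the kinds described above, Base64-encoded paths in calendar event titles and server addresses in memo fields, so an analyst can see which ones resolve to a C2-style endpoint. All sample strings are constructed, and the endpoint-shape heuristics are an assumption, not Glassworm's actual encoding.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed sample dead-drop strings (not real Glassworm indicators).
SAMPLE_DEAD_DROPS = {
    "calendar_title_1": "L2FwaS92Mi9jb25maWcuanNvbg==",  # Base64 of /api/v2/config.json
    "calendar_title_2": "Team standup",                   # benign event title
    "memo_1": "203.0.113.45:8443",                        # host:port (TEST-NET-3 range)
    "memo_2": "aHR0cHM6Ly9leGFtcGxlLmludmFsaWQvYm9vdA==",  # Base64 of https://example.invalid/boot
    "memo_3": "thanks for the coffee",                    # benign memo
}

HOST_PORT_RE = re.compile(r"^[A-Za-z0-9.-]+:(?P<port>\d{1,5})$")

def try_base64(text):
    """Decode `text` as strict Base64; return the printable ASCII result or None."""
    try:
        decoded = base64.b64decode(text, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return decoded if decoded.isprintable() else None

def looks_like_endpoint(text):
    """Heuristic (assumption): an absolute path, an http(s) URL, or a host:port pair."""
    if text.startswith("/") and " " not in text:
        return True
    parts = urlsplit(text)
    if parts.scheme in ("http", "https") and parts.netloc:
        return True
    m = HOST_PORT_RE.match(text)
    return bool(m) and 0 < int(m.group("port")) < 65536

def classify_dead_drop(text):
    """Return (encoding, endpoint) when `text` carries an endpoint, else None."""
    if looks_like_endpoint(text):
        return ("plain", text)
    decoded = try_base64(text)
    if decoded is not None and looks_like_endpoint(decoded):
        return ("base64", decoded)
    return None

def scan_dead_drops(samples):
    """Map each flagged sample name to its (encoding, endpoint) verdict."""
    return {name: verdict for name, text in samples.items()
            if (verdict := classify_dead_drop(text)) is not None}
```

Running `scan_dead_drops(SAMPLE_DEAD_DROPS)` flags the two Base64 strings and the host:port memo while leaving the benign text alone.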
Key facts
- Glassworm botnet disrupted by coordinated takedown of four C2 channels
- C2 used Solana blockchain, BitTorrent DHT, Google Calendar, and direct servers
- Campaigns since Oct 2025 targeted developers via VS Code and OpenVSX extensions
- March 2025 attack impacted over 400 software artifacts on GitHub and npm
- Compromised machines now beacon to CrowdStrike IP; YARA rules released