The Glassworm botnet targeting developers in software supply-chain attacks has been disrupted after researchers took down its resilient command-and-control infrastructure relying on Solana blockchain transactions and the BitTorrent DHT network.
?In a coordinated operation conducted yesterday, CrowdStrike, Google, and The Shadowserver Foundation cut off the botnet operators’ access to four distinct command-and-control (C2) channels designed to resist conventional disruption efforts.
Glassworm campaigns have been ongoing since October 2025 and initially targeted developers with malicious OpenVSX and Microsoft VS Code extensions that stole cryptocurrency wallets and developer credentials.
In a different paragraph, the article says:
In a more recent attack, Glassworm operators planted dozens of dormant extensions on OpenVSX that would activate the malicious component after an update.
I’ve never heard of this service, I wonder what is on it? Curiosity is sometimes interesting.
Here are some paragraphs talking about the infrastructure.
One reason the Glassworm threat has survived this long is its C2 infrastructure, which relies on non-traditional communication channels that are difficult to take down.
“The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns — a dynamic front protecting the actual C2 servers behind multiple layers of indirection,” CrowdStrike notes.
The researchers say that “Glassworm’s operators built their infrastructure for resilience,” and taking down the botnet required hitting the four C2 channels simultaneously:
This is what happened, and the article goes in to complete detail.
The article is titled Glassworm botnet disrupted after resilient C2 infrastructure takedown so check the article out.
Discover more from Jared's Technology podcast network
Subscribe to get the latest posts sent to your email.