Skip to main content
Emerging ThreatsMalware & Ransomware

CrowdStrike and Google Disrupt Glassworm Botnet Infrastructure

Network operations center with large map display and staff working at computer terminals.

“The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns — a dynamic front protecting the actual C2 servers behind multiple layers of indirection,” CrowdStrike noted in a report published on May 26.

How CrowdStrike, Google and the Shadowserver Foundation cut Glassworm's lines

An industry collaboration between CrowdStrike, Google and the Shadowserver Foundation disrupted the Glassworm botnet by taking down all four of its command-and-control (C2) channels simultaneously, severing the operators from infected devices and their ability to deliver new malicious payloads. The partners executed a coordinated operation that removed the mix of conventional and unconventional resolution layers the operators relied upon.

Those channels included traditional C2 servers hosted on commercial virtual private servers (VPS), plus several stealthier mechanisms that functioned as resolution layers and dead-drop locations. CrowdStrike said the simultaneous action was necessary because disrupting only one element would have left the remaining channels operational and allowed operators to quickly reconstitute control.

Unconventional resolution layers: Google Calendar, Solana and BitTorrent

Glassworm employed a striking array of techniques to hide and sustain its C2 infrastructure. The botnet used Google Calendar event titles as dead-drop locations, embedding Base64-encoded C2 paths in event metadata so infected hosts could retrieve instructions without contacting an obvious malicious server.

In addition, operators encoded C2 server addresses in the memo fields of transactions on the Solana blockchain, using the public, tamper-evident ledger as a persistent broadcast channel. The Glassworm remote access tool also queried the BitTorrent peer-to-peer network for configuration data stored against hardcoded public keys. CrowdStrike highlighted that this combination of blockchain, peer-to-peer and legitimate web services as resolution layers boosted resilience against partial takedowns.

Supply-chain attacks: VS Code extensions, npm, Python and poisoned GitHub repos

CrowdStrike traced Glassworm activity to multi-pronged campaigns that targeted software developers and the open-source supply chain. The botnet has been in operation since at least early 2025, and operators used trojanized Visual Studio Code extensions published to the OpenVSX marketplace alongside compromised npm and Python packages. Malicious code was introduced through postinstall hooks and setup scripts designed to run during normal development workflows.

The campaign also involved account compromise: more than 300 GitHub repositories were poisoned using stolen developer credentials harvested from earlier Glassworm infections. CrowdStrike called this pattern “a significant shift in the threat landscape” and said it should “serve as a wake-up call for every organization that ships or consumes software.”

What this means for developers, security teams, and enterprises

  • Developers and open-source maintainers: The attacks show that adversaries are “no longer just targeting products, they're targeting the developers who build them.” Trojanized extensions and poisoned packages turn normal development tools into distribution vectors; maintainers must harden accounts and supply-chain processes to prevent credential theft and repository compromise.
  • Security teams and build-pipeline operators: CrowdStrike warned that “the barrier to poisoning a package or extension is low; the potential blast radius is enormous.” Teams responsible for CI/CD, build artifacts and package registries should assume that attackers will use indirect resolution layers and should monitor for unusual retrieval patterns from calendar services, blockchain transactions or peer-to-peer queries.
  • Enterprises that consume software: Because Glassworm targeted Windows, macOS and Linux environments and poisoned packages across ecosystems, organizations that rely on third-party components “inherit the risk of everyone who produces it” if developer environments, build pipelines and code repositories remain under‑protected.

Why simultaneous disruption mattered — and what the takedown accomplished

CrowdStrike emphasized that the botnet’s layered design required a coordinated response. “Taking down only one channel would have left the others operational, allowing the operators to quickly reconstitute,” the company said. By taking all four channels offline at once, the collaborators interrupted the operators’ ability to issue commands and to deliver new payloads to infected devices.

The takedown removed both visible C2 infrastructure and the indirect resolution mechanisms that masked it. That dual approach—removing servers while denying alternative resolution paths—illustrates how future defenses may need to operate: across cloud platforms, blockchain analysis, peer-to-peer monitoring and traditional hosting takedown procedures.

Glassworm’s disruption demonstrates that defenders can blunt complex, resilient operations when public‑ and private‑sector actors coordinate. But CrowdStrike’s report leaves an explicit warning: as long as developer accounts, build systems and code repositories remain vulnerable, adversaries will continue to target the people and processes behind software—not just the finished products.

https://www.infosecurity-magazine.com/news/crowdstrike-google-takedown/