Researchers at CrowdStrike, Google, and The Shadowserver Foundation say they have disrupted the Glassworm botnet after cutting off four distinct command-and-control (C2) channels that the threat actors used to evade disruption. The operation, conducted yesterday, targeted a resilient, multi-layered C2 architecture that had allowed Glassworm campaigns to continue since October 2025.
What Glassworm targeted and how extensive the campaigns were
Glassworm initially targeted developers using malicious OpenVSX and Microsoft VS Code extensions designed to steal cryptocurrency wallets and developer credentials. Subsequent waves extended to GitHub repositories and npm packages; one March campaign impacted more than 400 software artifacts. More recently, operators planted dozens of dormant extensions on OpenVSX that would activate their malicious components only after an update.
Four C2 channels that powered Glassworm’s resilience
- Solana blockchain: Operators encoded C2 server addresses in the memo fields of blockchain transactions, creating an immutable, publicly accessible dead drop that cannot be taken offline by conventional means.
- BitTorrent Distributed Hash Table (DHT): The GlasswormRAT queried the BitTorrent peer-to-peer network for configuration data stored against hardcoded public keys, leveraging a global decentralized network with no single point of failure.
- Public calendar service: Glassworm used Google Calendar event titles as dead-drop locations for Base64-encoded C2 paths.
- Direct server connections: Traditional C2 infrastructure hosted on commercial VPS providers served as the final payload delivery mechanism.
CrowdStrike told researchers that “Glassworm's operators built their infrastructure for resilience,” and that disrupting any single channel would have been insufficient because communications could simply shift to another layer of indirection.
The coordinated takedown and its immediate effect
According to the researchers, disabling the botnet required simultaneously cutting off all four channels. “All four channels had to be disrupted simultaneously in a coordinated effort. As a result, infected machines can no longer receive new instructions or payloads,” CrowdStrike says. Following the disruption, researchers report that compromised hosts are now beaconing to the IP address 164.92.88[.]210, a server operated by CrowdStrike.
Detection and remediation: YARA rules and a network indicator
Researchers have published YARA rules to confirm infections on suspected hosts. Organizations are advised to search for the network indicator 164.92.88[.]210 and to take immediate remediation action on any hosts that match the published detection signatures. The combination of a clear network indicator and published rules gives incident responders concrete artifacts to hunt for while they isolate and remediate affected systems.
How developers, security teams, and end users should respond
- Developers and open-source maintainers: Review and audit extensions and packages, especially those distributed via OpenVSX, Microsoft VS Code marketplaces, GitHub repositories, and npm. Investigate any dormant or recently updated extensions for unexpected payload triggers.
- Security teams and incident responders: Hunt for the beaconing IP 164.92.88[.]210, apply the published YARA rules to suspect hosts, and remove or isolate infected systems to prevent data exfiltration of wallets and credentials.
- End users and developers who handle keys: Assume compromise where indicators are present, and rotate credentials and wallet keys as part of remediation if host compromise is confirmed.
The takedown illustrates a technical blunt fact: when adversaries layer multiple, hard-to-takedown channels — blockchain dead drops, DHTs, legitimate web services, and traditional VPS servers — defenders must coordinate across those layers to sever the attacker's lifelines simultaneously. For now, researchers say Glassworm operators’ immediate ability to push new instructions or payloads is blocked; the published network indicator and YARA rules are the next tools organizations have to find and clean any remaining infections.
Original reporting: https://www.bleepingcomputer.com/news/security/glassworm-botnet-disrupted-after-resilient-c2-infrastructure-takedown/




