Glassworm Botnet Dismantled: CrowdStrike, Google, and Shadowserver Take Down Developer-Targeting Threat

A coordinated cybersecurity operation has permanently disrupted one of the most resilient botnets ever documented. On May 26, 2026, CrowdStrike, Google, and the Shadowserver Foundation simultaneously struck all four command-and-control channels of the Glassworm botnet, cutting off its operators from thousands of infected developer machines worldwide.

Glassworm botnet takedown

The operation marks a significant moment in tech security history, demonstrating that even infrastructure deliberately engineered to survive takedowns can be dismantled with precise coordination.

What Was the Glassworm Botnet?

Glassworm operated as a global botnet targeting software developers since at least early 2025. Security researchers attributed its operation to well-resourced criminals likely based in Russia, based on consistent behavioral and code-level patterns observed across more than a year of activity.

Unlike most botnets that chase end-user credentials or financial data, Glassworm specifically targeted developers because of what they can access: source code repositories, cloud platforms, CI/CD pipelines, and package registries. Compromising a single developer’s workstation can cascade into a supply-chain attack affecting thousands of downstream organizations.

How Glassworm Infected Developer Systems

Glassworm used three primary infection vectors, all targeting the open-source development ecosystem:

Trojanized VSCode extensions were published to the OpenVSX marketplace disguised as legitimate productivity tools like time trackers and code formatters. These extensions targeted not only VSCode but also Cursor, Positron, Windsurf, and VSCodium.

Malicious npm and Python packages delivered payloads through postinstall hooks and setup scripts, executing silently during routine dependency installation without any visible sign of infection.

Poisoned GitHub repositories used stolen developer credentials harvested from earlier Glassworm infections to force-push malicious code into default branches of more than 300 repositories.

Once a system was infected, Glassworm performed information theft, harvested credentials including GitHub tokens, npm tokens, SSH keys, and VSCode authentication data, and deployed a full-featured remote access tool called GlasswormRAT. The malware ran across Windows, macOS, and Linux systems.

The “Unkillable” C2 Architecture

Glassworm earned the label “unkillable botnet” because its operators built its command-and-control infrastructure across four distinct channels, each designed to resist conventional takedown methods:

  • Solana blockchain: C2 server addresses were encoded in memo fields of blockchain transactions, creating an immutable dead-drop that cannot be taken offline through standard means.
  • BitTorrent Distributed Hash Table (DHT): GlasswormRAT queried the BitTorrent peer-to-peer network for configuration data stored against hardcoded public keys, leveraging a global decentralized network with no single point of failure.
  • Google Calendar event titles: Glassworm used event titles as dead-drop locations for Base64-encoded C2 paths, hiding malicious instructions inside a legitimate web service.
  • Direct VPS server connections: Traditional command-and-control infrastructure hosted on commercial VPS providers served as the final payload delivery layer.

Taking down any single channel would have left the remaining three operational, giving the operators enough runway to reconstitute quickly. All four channels had to go down at exactly the same time.

How CrowdStrike, Google, and Shadowserver Dismantled Glassworm

CrowdStrike’s Counter Adversary Operations team, working with Google and the Shadowserver Foundation, executed the simultaneous disruption at 14:00 UTC on May 26, 2026.

The operation severed all four C2 channels at once, cutting infected machines off from receiving new instructions or payloads. As a result, all Glassworm-infected systems now beacon to a benign CrowdStrike-operated IP address: 164.92.88[.]210. Organizations can check network logs and endpoint telemetry for connections to this address to identify any infected machines.

CrowdStrike also released two YARA rules to confirm infections on identified hosts:

rule CrowdStrike_GlasswormRat_01 : glassworm glasswormrat
{
    meta:
        description = "Characteristic strings in Glassworm's RAT script"
        malware_family = "GlasswormRAT"
    strings:
        $download = "DownloadManager" ascii
        $socks = "start_socks" ascii
        $nodejs = "https://nodejs.org/download/release" ascii
        $dht = "bootstrap" ascii
    condition:
        all of them
}

rule CrowdStrike_GlasswormDownloader_01 : glassworm
{
    meta:
        description = "Characteristic strings in the obfuscated python installer Glassworm variant"
        malware_family = "Glassworm"
    strings:
        $zlib = "__import__('zlib')" ascii
        $decomp = "decompress(" ascii
        $lambda = "lambda" ascii
        $exec = /exec\(compile\(.{5,20}, '<>', 'exec'\)\)/
    condition:
        all of them and filesize < 10KB
}

Why This Takedown Matters

The Glassworm operation represents a broader shift in how threat actors operate. Rather than targeting end users or enterprise products directly, attackers now focus on the developers who build the software that millions of organizations depend on.

“Adversaries are no longer just targeting products, they’re targeting the developers who build them,” CrowdStrike noted in its official disclosure.

This mirrors trends seen in other recent tech threat campaigns. The Tsundere Bot ransomware attacks highlighted similar shifts, with threat actor TA584 adopting new malware delivery tactics focused on maximizing reach through minimal initial effort. Glassworm follows the same philosophy, but targets the software supply chain instead of direct corporate access.

The Glassworm operators also continuously evolved their tooling over more than a year, shifting between JavaScript, Rust, and Zig, and expanding across multiple package ecosystems. This level of persistence and adaptation required a response that matched both the technical complexity and the coordination needed to dismantle it.

What Developers and Organizations Should Do Now

Any organization whose developers use VSCode extensions, npm packages, or Python dependencies should treat this as a call to audit their environments immediately.

Specific steps to take:

  • Check network logs and endpoint telemetry for outbound connections to 164.92.88[.]210
  • Run the CrowdStrike YARA rules against endpoints used by developers
  • Audit installed VSCode extensions, especially any installed from OpenVSX or third-party sources in 2025 and early 2026
  • Review recent npm and Python dependency installs for unexpected postinstall script executions
  • Rotate any GitHub tokens, npm tokens, and SSH keys stored on developer machines as a precaution
  • Enable commit signing and branch protection on GitHub repositories to detect unauthorized force pushes

The full technical breakdown of the Glassworm takedown is available on the CrowdStrike blog, including additional indicators of compromise and remediation guidance.

Supply Chain Security After Glassworm

Glassworm demonstrates that the software supply chain remains one of the most high-impact attack surfaces in computing today. Malicious packages reach thousands of machines within minutes of publication. Detection after the fact often comes too late, because the damage happens silently during a routine dependency install.

The barrier to poisoning a package or extension is low. The potential blast radius is enormous. As long as developer environments and build pipelines remain under-protected, every organization that consumes software inherits the risk of everyone who produces it.

The Glassworm takedown proves that proactive, coordinated disruption works. Combining threat intelligence from private security vendors with platform cooperation from technology companies and the infrastructure reach of foundations like Shadowserver creates conditions for decisive action, even against adversaries who built their systems specifically to survive it.

Similar coordinated responses are already emerging for other botnet threats. The SSHStalker Linux botnet, which compromised nearly 7,000 servers using outdated IRC-based techniques combined with large-scale automation, represents another front where the security community is actively tracking and disrupting persistent threats targeting internet-facing infrastructure.

The lesson from Glassworm is clear: detection alone is not enough. Actively dismantling the infrastructure that threats depend on is now a necessary part of the security response.

Related Cybersecurity and Malware

Leave a Comment

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply