
Glassworm botnet disrupted after resilient C2 infrastructure takedown

Published:

27 May 2026 at 13:28:42

Alert date:

27 May 2026 at 14:00:38

Source:

bleepingcomputer.com


Supply Chain & Dependencies, Ransomware & Malware

The Glassworm botnet targeting developers in software supply-chain attacks has been disrupted following a takedown of its resilient command-and-control infrastructure. The botnet used an advanced C2 system that relied on Solana blockchain transactions and the BitTorrent DHT network for communication. Researchers dismantled this infrastructure, disrupting the botnet's operations. The campaign specifically targeted developers as part of broader supply-chain attacks. The takedown represents a significant victory against a technically advanced threat that leveraged decentralized technologies for persistence.

Technical details

The Glassworm botnet used a multi-layered C2 infrastructure consisting of four channels:

1) Solana blockchain transactions, with C2 server addresses encoded in memo fields
2) The BitTorrent DHT network, used to store configuration data
3) Google Calendar event titles, used as Base64-encoded dead-drop locations for C2 paths
4) Direct server connections to hosts on commercial VPS providers

The malware targeted developers through malicious OpenVSX and VS Code extensions, GitHub repositories, and npm packages, stealing cryptocurrency wallets and developer credentials. GlasswormRAT queries the BitTorrent peer-to-peer network for configuration data and uses multiple communication channels to ensure resilience against takedowns.

Mitigation steps:

Organizations should look for the network indicator IP address 164.92.88.210 and take immediate remediation action. Use the published YARA rules to confirm infections on suspected hosts. Monitor for beaconing activity to the specified IP address as an indicator of compromise.
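As an added worked example (not part of this advisory or the original source), the following Python script implements the last mitigation step: it scans connection-log lines for any contact with 164.92.88.210 and flags hosts whose connections to that address recur at near-constant intervals, the beaconing pattern the advisory refers to. The log-line format, the sample hosts (10.0.0.x) and the benign destinations (documentation ranges 203.0.113.x and 198.51.100.x) are constructed assumptions, and the thresholds (at least four hits, coefficient of variation of the gaps at or below 0.2) are illustrative starting points rather than published guidance.

```python
"""Beacon detection for the Glassworm network IOC over constructed sample logs."""
from __future__ import annotations

import statistics
from collections import defaultdict
from datetime import datetime

# The only network IOC listed in the advisory.
GLASSWORM_C2_IPS = {"164.92.88.210"}

# Constructed sample firewall/proxy log. The line format
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port>" is an assumption,
# not the format of any real product. 10.0.0.15 beacons every ~5 minutes,
# 10.0.0.22 touches the IOC once, 10.0.0.31 never does.
SAMPLE_LOG = """\
2026-05-27T09:00:00 10.0.0.15 -> 164.92.88.210:443
2026-05-27T09:00:03 10.0.0.15 -> 203.0.113.10:443
2026-05-27T09:05:01 10.0.0.15 -> 164.92.88.210:443
2026-05-27T09:10:00 10.0.0.15 -> 164.92.88.210:443
2026-05-27T09:14:59 10.0.0.15 -> 164.92.88.210:443
2026-05-27T09:20:01 10.0.0.15 -> 164.92.88.210:443
2026-05-27T09:25:00 10.0.0.15 -> 164.92.88.210:443
2026-05-27T09:07:12 10.0.0.22 -> 164.92.88.210:443
2026-05-27T09:41:30 10.0.0.31 -> 198.51.100.7:80
"""


def parse_log(text: str) -> list[tuple[datetime, str, str, int]]:
    """Parse the assumed log format into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, arrow, dst_port = line.split()
        if arrow != "->":
            raise ValueError(f"unexpected log line: {line!r}")
        dst, port = dst_port.rsplit(":", 1)
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def hosts_contacting_iocs(records, iocs=GLASSWORM_C2_IPS) -> set[str]:
    """Every source host that touched an IOC at all; a single hit already warrants triage."""
    return {src for _, src, dst, _ in records if dst in iocs}


def interval_stats(timestamps) -> tuple[float, float]:
    """Mean gap (seconds) and coefficient of variation between consecutive sorted timestamps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        # Too few connections to say anything about regularity.
        return (gaps[0] if gaps else 0.0), float("inf")
    mean = statistics.fmean(gaps)
    cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
    return mean, cv


def find_beacons(records, iocs=GLASSWORM_C2_IPS, min_hits=4, max_cv=0.2) -> dict:
    """Flag hosts whose connections to an IOC recur at near-constant intervals.

    A low coefficient of variation means the gaps are almost identical,
    which is what periodic malware check-ins look like; human-driven
    traffic to the same address is far more irregular.
    """
    by_host: dict[str, list[datetime]] = defaultdict(list)
    for ts, src, dst, _ in records:
        if dst in iocs:
            by_host[src].append(ts)
    beacons = {}
    for src, stamps in by_host.items():
        if len(stamps) < min_hits:
            continue
        mean, cv = interval_stats(stamps)
        if cv <= max_cv:
            beacons[src] = {"hits": len(stamps), "mean_interval_s": mean, "cv": round(cv, 4)}
    return beacons


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("hosts that contacted the IOC:", sorted(hosts_contacting_iocs(recs)))
    for host, info in find_beacons(recs).items():
        print(f"{host}: {info['hits']} hits every ~{info['mean_interval_s']:.0f}s (cv={info['cv']})")
```

Both checks matter: hosts_contacting_iocs gives the full list of machines to isolate and scan with the YARA rules, while find_beacons ranks which of them show the periodic check-in pattern of an active implant. Lower max_cv to cut false positives on busy hosts, or raise min_hits when the log window is long.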

Affected products:

OpenVSX
Microsoft VS Code extensions
GitHub repositories
npm packages

Related links:

Related CVEs:

Related threat actors:

IOCs:

164.92.88.210

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
