The Glassworm botnet, a formidable player in cyberattacks, has finally been dismantled after more than a year of clandestine operation. Utilizing sophisticated techniques and a resilient infrastructure, this botnet targeted software developers, jeopardizing the software supply chain. Thanks to a coalition of cybersecurity experts, Glassworm’s operations were neutralized, marking a significant victory against digital crime.
A silent and persistent threat
Active since at least the beginning of 2025, Glassworm specialized in targeting open source developers. By carefully selecting its targets, this malware could compromise the systems of a single developer and, through that developer's published code, cause severe repercussions for the many organizations relying on open source tools. Its attacks on the software supply chain raised fears of devastating downstream consequences.
A diverse cyberattack arsenal
To achieve its goals, Glassworm deployed a variety of tools and techniques. The botnet infiltrated systems using malicious extensions for VSCode, hidden among legitimate tools on the OpenVSX marketplace. Furthermore, npm and Python packages, as well as more than 300 GitHub repositories, were compromised using stolen developer credentials. This method allowed the attackers to stealthily gain access to developers’ computers.
A complex and formidable infrastructure
Behind Glassworm lay a particularly elaborate command and control infrastructure. The cybercriminals used four communication channels, which contributed to the resilience of their operations. The first channel, based on blockchain, concealed server addresses within public transactions on the Solana network. Because blockchain transactions are immutable and cannot be removed, this approach made any attempt at dismantlement difficult.
Effective camouflage techniques
By using the blockchain as a dead drop, the attackers could easily change their server IP addresses in the event of detection simply by publishing a new transaction, making their system exceptionally flexible and difficult to trace. Meanwhile, Glassworm also leveraged the BitTorrent DHT network and Google Calendar events to hide instructions and other data intended for the botnet. This combination of legitimate, widely used services as covert channels allowed the operators to blend in with normal traffic and evade detection.
International cooperation for dismantlement
The end of Glassworm is the result of a joint operation conducted by a coalition that included CrowdStrike, Google, and the Shadowserver Foundation. On May 26, 2026, the members of this coalition simultaneously cut access to the various communication channels used by the botnet. This decisive action prevented the hackers from continuing their malicious activities and stripped them of any control over the infected machines.
The Russian origins of the botnet
Research has revealed that the hackers involved in Glassworm’s operations are likely of Russian origin. An integrated mechanism in the malware checked the operating system’s language, geographical location, and time zone at every boot. If the computer was found in Russia or in a country of the Commonwealth of Independent States, the malware would automatically deactivate to avoid attracting the attention of local authorities. This strategy demonstrated a shrewd understanding of the geopolitical and legal dynamics surrounding cybersecurity.