CrowdStrike and Google Disrupt Glassworm Botnet Targeting Developers
Severity: High (Score: 72.0)
Sources: Itnews.Au, www.crowdstrike.com, www.itnews.com.au
Keywords: crowdstrike, glassworm, botnet, google, slay, unkillable, targeting
Severity indicators: ot, worm, botnet
Summary
CrowdStrike has dismantled the command and control (C2) channels of the Glassworm botnet, which has been targeting software developers since early 2025. The botnet used the Solana blockchain and BitTorrent's distributed hash table (DHT) for its resilient infrastructure, making it difficult to disrupt. The malware employed Google Calendar event titles as dead-drops for C2 paths and leveraged commercial VPNs for payload delivery. CrowdStrike's coordinated effort required simultaneous disruption of all four C2 channels to prevent reconstitution by the operators. The malware specifically avoided machines in post-Soviet Commonwealth of Independent States (CIS) countries, suggesting a Russian origin for the attackers. As a result of the takedown, infected machines can no longer receive new instructions or payloads, significantly reducing the botnet's threat to developers.

Key Points:
- CrowdStrike dismantled the Glassworm botnet's C2 channels targeting developers.
- The botnet used the Solana blockchain and BitTorrent DHT for resilient infrastructure.
- Infected machines can no longer receive commands, neutralizing the threat.
Detailed Analysis
**Impact**

The Glassworm botnet has targeted software developers globally since early 2025, compromising code repositories, cloud platforms, continuous integration/continuous deployment (CI/CD) pipelines, and package registries. The infections affected developer environments, putting the integrity of software supply chains and development workflows at risk. The malware avoided devices in post-Soviet Commonwealth of Independent States (CIS) countries, suggesting a likely Russian origin of the operators.

**Technical Details**

Glassworm employed multiple resilient command and control (C2) channels: the Solana public blockchain for immutable dead-drops, the BitTorrent peer-to-peer distributed hash table (DHT) for configuration data, Google Calendar event titles carrying Base64-encoded C2 paths, and commercial VPN service providers for payload delivery. CrowdStrike disrupted all four channels simultaneously, reportedly using an Eclipse attack on the BitTorrent DHT and taking over multiple Solana wallets to sever C2 communications. The malware's kill chain involved self-replication and covert C2 communication over decentralized and commercial infrastructure.

**Recommended Response**

Defenders should monitor for unusual use of Google Calendar event titles, BitTorrent DHT traffic anomalies, and Solana blockchain wallet interactions associated with C2 activity. Network defenses should block known Glassworm-related IPs and domains once identified, and restrict or scrutinize VPN and proxy service usage that could facilitate payload delivery. Organizations should audit developer environments, CI/CD pipelines, and package registries for signs of compromise. No specific CVEs or patches were mentioned for immediate application.
Source articles (3)
- CrowdStrike, Google slay 'unkillable' Glassworm botnet targeting devs — Itnews.Au · 2026-05-27
  Security vendor CrowdStrike said it has taken down the command and control (C2) channels used by the operators of the Glassworm botnet that has targeted developers since last year. Earlier reports sug…
- CrowdStrike, Google slay 'unkillable' Glassworm botnet targeting devs — www.itnews.com.au · 2026-05-27
  Security vendor CrowdStrike said it has taken down the command and control (C2) channels used by the operators of the Glassworm botnet that has targeted developers since last year. Earlier reports sug…
- Inside Crowdstrike Takedown Of A Developer Targeting Botnet — www.crowdstrike.com · 2026-05-27
Timeline
- 2025-01-01 — Glassworm botnet first identified: The Glassworm malware began targeting software developers, affecting various development tools and platforms.
- 2026-05-27 — CrowdStrike disrupts Glassworm C2 channels: CrowdStrike executed a coordinated takedown of all C2 channels, preventing further instructions to infected machines.
Related entities
- Malware (Attack Type)
- Russia (Country)
- Glassworm (Malware)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1132 - Data Encoding (Mitre Attack)
- Google Calendar (Platform)
- Solana (Platform)
- BitTorrent (Platform)
- Solana Blockchain (Platform)