
Glassworm Botnet Disrupted: Major Threat to Developers Neutralized

Severity: High (Score: 70.2)

Sources: www.itnews.com.au, Itnews.Au, www.endorlabs.com, www.crowdstrike.com, Infosecurity-Magazine

Published: 2026-05-27 · Updated: 2026-05-27

Keywords: crowdstrike, glassworm, botnet, google, slay, unkillable, targeting

Severity indicators: ot, worm, botnet

Summary

The Glassworm botnet, which has targeted software developers since early 2025, has been disrupted by CrowdStrike, Google, and the Shadowserver Foundation. This coordinated effort took down all four of Glassworm's command-and-control (C2) channels, which used a mix of traditional servers, Google Calendar events, and blockchain infrastructure for resilience. The botnet was known for its sophisticated methods, including using the Solana blockchain for dead-drop C2 paths and leveraging BitTorrent for configuration data. The malware had infected numerous systems, impacting developers relying on poisoned open-source packages. As a result of this takedown, infected machines can no longer receive new instructions or payloads. The operation highlights a significant shift in cyber threats, emphasizing the need for improved security in software development environments.

Key Points:

  • Glassworm botnet targeted developers by poisoning open-source packages.
  • CrowdStrike and Google successfully disrupted all C2 channels simultaneously.
  • The malware leveraged blockchain and peer-to-peer networks for resilience.

Detailed Analysis

**Impact**

The Glassworm botnet has targeted software developers globally since early 2025, compromising code repositories, cloud platforms, continuous integration/continuous deployment (CI/CD) pipelines, and package registries. The infection affected developer environments, potentially risking the integrity of software supply chains and development workflows. The malware avoided devices in post-Soviet Commonwealth of Independent States (CIS) countries, suggesting a likely Russian origin of the operators.

**Technical Details**

Glassworm employed multiple resilient command and control (C2) channels: the Solana public blockchain for immutable dead-drops, the BitTorrent peer-to-peer distributed hash table (DHT) for configuration data, Google Calendar event titles encoded in Base64 as C2 paths, and commercial virtual private service providers for payload delivery. CrowdStrike disrupted all four channels simultaneously, reportedly using an Eclipse attack on the BitTorrent DHT and taking over multiple Solana wallets to sever C2 communications. The malware's kill chain involved self-replication and covert C2 communication leveraging decentralized and commercial infrastructure.

**Recommended Response**

Defenders should monitor for unusual use of Google Calendar event titles, BitTorrent DHT traffic anomalies, and Solana blockchain wallet interactions associated with C2 activity. Network defenses should block known Glassworm-related IPs and domains once identified, and restrict or scrutinize VPN and proxy service usage that could facilitate payload delivery. Organizations should audit developer environments, CI/CD pipelines, and package registries for signs of compromise. No specific CVEs or patches were mentioned for immediate application.
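One concrete form of the calendar-title monitoring recommended above: a small detection heuristic that flags event titles consisting entirely of Base64 which decodes to a URL path or URL (the T1132 Data Encoding pattern described in the technical details). This is an added example, not CrowdStrike's or Google's detection logic; the sample titles are constructed, and the "decodes to a path or URL" rule is an assumption about what a dead-drop title looks like, not a published Glassworm signature.

```python
import base64
import binascii
import re
import string

# Constructed sample calendar event titles (not real Glassworm indicators).
SAMPLE_EVENT_TITLES = [
    "Weekly sync with platform team",
    base64.b64encode(b"/api/v2/tasks/fetch").decode(),             # path-like
    base64.b64encode(b"https://example.invalid/update").decode(),  # full URL
    "Lunch",
    "MTIzNDU2",  # valid Base64 ("123456") but not a path: must not alert
    "Dentist appointment",
]

_PRINTABLE = set(string.printable) - set("\x0b\x0c")
# Assumed heuristic: a C2 "path" starts with "/" or looks like a URL/hostname.
_PATH_OR_URL = re.compile(
    r"^(?:/[\w./\-]*|https?://\S+|[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?)$", re.I
)


def decode_base64_title(title: str):
    """Return decoded text if the whole title is strict Base64 that decodes to
    printable ASCII, else None. validate=True rejects titles with stray chars."""
    stripped = title.strip()
    if len(stripped) < 8 or len(stripped) % 4:
        return None
    try:
        raw = base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw.isascii():
        return None
    text = raw.decode("ascii")
    if not all(c in _PRINTABLE for c in text):
        return None
    return text


def is_suspicious_title(title: str) -> bool:
    """True when the title is Base64 whose plaintext is a URL path or URL."""
    decoded = decode_base64_title(title)
    return decoded is not None and bool(_PATH_OR_URL.match(decoded))


def scan_event_titles(titles):
    """Return (title, decoded) pairs that merit a detection alert."""
    return [(t, decode_base64_title(t)) for t in titles if is_suspicious_title(t)]


if __name__ == "__main__":
    for title, decoded in scan_event_titles(SAMPLE_EVENT_TITLES):
        print(f"ALERT: calendar title {title!r} decodes to {decoded!r}")
```

The length and padding checks keep ordinary words such as "Lunch" from being decoded at all, and the path/URL rule keeps short numeric Base64 strings from producing noise.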

Source articles (5)

  • CrowdStrike, Google slay 'unkillable' Glassworm botnet targeting devs — Itnews.Au · 2026-05-27
    Security vendor CrowdStrike said it has taken down the command and control (C2) channels used by the operators of the Glassworm botnet that has targeted developers since last year. Earlier reports sug…
  • CrowdStrike, Google Take Down Glassworm Botnet — Infosecurity-Magazine · 2026-05-27
    An industry effort involving CrowdStrike, Google and the Shadowserver Foundation has led to the disruption of the Glassworm botnet. Working together, the three organizations managed to simultaneously…
  • Npm Is Serving Malware To 134k Developers — www.endorlabs.com · 2026-05-27
    An attacker took over the npm account behind react-native-international-phone-number and react-native-country-select, publishing three waves of malicious versions containing malware linked to the Glas…
  • Inside Crowdstrike Takedown Of A Developer Targeting Botnet — www.crowdstrike.com · 2026-05-27

Timeline

  • 2025-01-01 — Glassworm botnet first identified: The Glassworm botnet began targeting developers through compromised open-source packages.
  • 2025-03-16 — Malicious npm packages published: Attackers published compromised versions of popular npm packages, infecting developers' systems.
  • 2026-05-26 — Takedown operation executed: CrowdStrike, Google, and Shadowserver simultaneously disrupted Glassworm's C2 channels.
  • 2026-05-27 — Details of takedown revealed: CrowdStrike disclosed the complexity of Glassworm's infrastructure and the methods used for disruption.

Related entities

  • Malware (Attack Type)
  • Russia (Country)
  • api.mainnet-beta.solana.com (Domain)
  • getblock.io (Domain)
  • p2p.org (Domain)
  • rpc.ankr.com (Domain)
  • shuriken.xyz (Domain)
  • Glassworm (Malware)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1132 - Data Encoding (Mitre Attack)
  • Google Calendar (Platform)
  • Solana (Platform)
  • BitTorrent (Platform)
  • Solana Blockchain (Platform)
  • 59221aa9623d86c930357dba7e3f54138c7ccbd0daa9c483d766cd8ce1b6ad26 (Sha256)