Glassworm botnet command-and-control disruption
Malware Activity
Summary
The Glassworm botnet had all four command-and-control channels disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructure used VPS-hosted servers, Google Calendar dead-drops, peer-to-peer lookup and Solana blockchain memo fields to stay resilient. Glassworm had been active since at least early 2025 and was tied to supply-chain poisoning against developer ecosystems on Windows, macOS and Linux. The disruption weakens immediate operator control, but the layered design shows how difficult the botnet was to dismantle.
Related Happenings
GlassWorm supply-chain malware activity
Malware Activity
First: 27.05.2026 14:48
Last: 27.05.2026 14:48
Sources 1
About this happening:
The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
Webworm EchoCreep and GraphWorm backdoor expansion
Malware Activity
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
AVRecon malware for Linux powering SocksEscort proxy network
Malware Activity
First: 12.03.2026 18:19
Last: 12.03.2026 18:19
Sources 1
About this happening:
The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...
GoBruteforcer botnet brute-forces exposed Linux servers with a more capable mid-2025 variant
Malware Activity
First: 08.01.2026 19:30
Last: 08.01.2026 19:30
Sources 1
About this happening:
**GoBruteforcer** is actively brute-forcing **Linux servers exposed to the internet**, creating a broad risk of compromise, **data theft** and **botnet expansion**. The operation...
GlassWorm campaign returns in repeated waves across extension marketplaces
Campaign
First: 01.01.2026 17:18
Last: 01.01.2026 17:18
Sources 1
How related:
It had been used in several multi-pronged malicious campaigns targeting software developers by poisoning open-source packages they rely upon across Windows, macOS and Linux systems.
About this happening:
**GlassWorm** is an ongoing **supply-chain attack** targeting developers through the **OpenVSX** and **Microsoft Visual Studio Marketplace** extension ecosystems. In the latest co...
Latest development: 17.03.2026 23:42
GlassWorm renewed its supply-chain campaign with a coordinated wave that compromised 433 components across GitHub, npm, and VSCode/OpenVSX this month, including 200 GitHub Python repositories, 151 GitHub JS/TS repositories, 72 VSCode/OpenVSX extensions, and 10 npm packages. Attackers compromised GitHub accounts to force-push malicious commits, then published obfuscated packages and extensions that queried a Solana blockchain C2 channel every five seconds and delivered a Node.js-based JavaScript infostealer that targets cryptocurrency wallet data, credentials, access tokens, SSH keys, and developer environment data.
Timeline
- 27.05.2026 17:00
CrowdStrike, Google and Shadowserver disrupt Glassworm botnet
Initial Disclosure
CrowdStrike, Google and the Shadowserver Foundation disrupted the Glassworm botnet by simultaneously taking down all four command-and-control channels, cutting operators off from infected machines and blocking new malicious payload delivery. CrowdStrike said Glassworm had been active since at least early 2025 and had used VPS-hosted servers, Google Calendar event titles, BitTorrent peer-to-peer lookups and Solana memo-field infrastructure to stay resilient against takedowns.
Sources:
- CrowdStrike, Google Take Down Glassworm Botnet — www.infosecurity-magazine.com — 27.05.2026 17:00