Find notable cyber news and cases, enriched with sources, timelines, and signals.

Glassworm botnet command-and-control disruption

Malware Activity
First reported
Last updated
Happening score
H score 10
1 unique sources, 1 articles

Summary

Hide ▲

The Glassworm botnet had all four command-and-control channels disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructure used VPS-hosted servers, Google Calendar dead-drops, peer-to-peer lookup and Solana blockchain memo fields to stay resilient. Glassworm had been active since at least early 2025 and was tied to supply-chain poisoning against developer ecosystems on Windows, macOS and Linux. The disruption weakens immediate operator control, but the layered design shows how difficult the botnet was to dismantle.

Related Happenings

StealC and Amadey infostealer infrastructure disruption

Malware Activity
H score69 First: 24.06.2026 18:25 Last: 24.06.2026 18:25 Sources 1

About this happening: **StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...

GlassWorm supply-chain malware activity

Malware Activity
H score22 First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

Webworm EchoCreep and GraphWorm backdoor expansion

Malware Activity
H score28 First: 20.05.2026 15:51 Last: 20.05.2026 15:51 Sources 1

About this happening: **Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...

AVRecon malware for Linux powering SocksEscort proxy network

Malware Activity
H score19 First: 12.03.2026 18:19 Last: 12.03.2026 18:19 Sources 1

About this happening: The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...

GoBruteforcer botnet brute-forces exposed Linux servers with a more capable mid-2025 variant

Malware Activity
H score72 First: 08.01.2026 19:30 Last: 08.01.2026 19:30 Sources 1

About this happening: **GoBruteforcer** is actively brute-forcing **Linux servers exposed to the internet**, creating a broad risk of compromise, **data theft** and **botnet expansion**. The operation...

Timeline

  1. 27.05.2026 17:00 2 articles · 1mo ago

    CrowdStrike, Google and Shadowserver disrupt Glassworm botnet

    Initial Disclosure

    CrowdStrike, Google and the Shadowserver Foundation disrupted the Glassworm botnet by simultaneously taking down all four command-and-control channels, cutting operators off from infected machines and blocking new malicious payload delivery. CrowdStrike said Glassworm had been active since at least early 2025 and had used VPS-hosted servers, Google Calendar event titles, BitTorrent peer-to-peer lookups and Solana memo-field infrastructure to stay resilient against takedowns.

    Show sources