Glassworm botnet command-and-control disruption
Malware Activity
Summary
Hide ▲
Show ▼
The Glassworm botnet had all four command-and-control channels disrupted, cutting operators off from infected machines and blocking new payload delivery. The infrastructure used VPS-hosted servers, Google Calendar dead-drops, peer-to-peer lookup and Solana blockchain memo fields to stay resilient. Glassworm had been active since at least early 2025 and was tied to supply-chain poisoning against developer ecosystems on Windows, macOS and Linux. The disruption weakens immediate operator control, but the layered design shows how difficult the botnet was to dismantle.
Related Happenings
StealC and Amadey infostealer infrastructure disruption
Malware Activity
H score69
First: 24.06.2026 18:25
Last: 24.06.2026 18:25
Sources 1
About this happening:
**StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...
StealC and Amadey infostealer infrastructure disruption
Malware ActivityAbout this happening: **StealC** and **Amadey** malware infrastructure was disrupted in **Operation Endgame**, cutting off the command-and-control services used to manage infected systems. Europol said...
GlassWorm supply-chain malware activity
Malware Activity
H score22
First: 27.05.2026 14:48
Last: 27.05.2026 14:48
Sources 1
About this happening:
The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
GlassWorm supply-chain malware activity
Malware ActivityAbout this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
Webworm EchoCreep and GraphWorm backdoor expansion
Malware Activity
H score28
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
Webworm EchoCreep and GraphWorm backdoor expansion
Malware ActivityAbout this happening: **Webworm** expanded its malware arsenal in **2025** with the custom backdoors **EchoCreep** and **GraphWorm**, increasing its ability to run stealthy **command-and-control** oper...
AVRecon malware for Linux powering SocksEscort proxy network
Malware Activity
H score19
First: 12.03.2026 18:19
Last: 12.03.2026 18:19
Sources 1
About this happening:
The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...
AVRecon malware for Linux powering SocksEscort proxy network
Malware ActivityAbout this happening: The **AVRecon** malware for Linux powered the **SocksEscort** proxy network, turning compromised **Linux-based SOHO routers** into traffic-routing nodes at scale. It was believed...
GoBruteforcer botnet brute-forces exposed Linux servers with a more capable mid-2025 variant
Malware Activity
H score72
First: 08.01.2026 19:30
Last: 08.01.2026 19:30
Sources 1
About this happening:
**GoBruteforcer** is actively brute-forcing **Linux servers exposed to the internet**, creating a broad risk of compromise, **data theft** and **botnet expansion**. The operation...
GoBruteforcer botnet brute-forces exposed Linux servers with a more capable mid-2025 variant
Malware ActivityAbout this happening: **GoBruteforcer** is actively brute-forcing **Linux servers exposed to the internet**, creating a broad risk of compromise, **data theft** and **botnet expansion**. The operation...
Timeline
-
27.05.2026 17:00 2 articles · 1mo ago
CrowdStrike, Google and Shadowserver disrupt Glassworm botnet
Initial DisclosureCrowdStrike, Google and the Shadowserver Foundation disrupted the Glassworm botnet by simultaneously taking down all four command-and-control channels, cutting operators off from infected machines and blocking new malicious payload delivery. CrowdStrike said Glassworm had been active since at least early 2025 and had used VPS-hosted servers, Google Calendar event titles, BitTorrent peer-to-peer lookups and Solana memo-field infrastructure to stay resilient against takedowns.
Show sources
- CrowdStrike, Google Take Down Glassworm Botnet — www.infosecurity-magazine.com — 27.05.2026 17:00
- CrowdStrike, Google Take Down Glassworm Botnet — www.infosecurity-magazine.com — 27.05.2026 17:00