How Google and CrowdStrike Cracked Down on Glassworm Botnet

In a combined operation with Google and the Shadowserver Foundation, CrowdStrike dismantled Glassworm, a global botnet operated from Russia that targeted developers to steal data and compromise entire software supply chains

The takedown of the Glassworm botnet could provide some relief for developers in a year plagued by software supply chain attacks.

This week, CrowdStrike dismantled a global botnet designed to withstand traditional takedown efforts, in a combined operation with Google and the Shadowserver Foundation.

The firm's Counter Adversary Operations team led the operation against the malware's infrastructure, which used four separate command and control (C2) channels so that the botnet could keep operating even if parts of the network were disabled.

Targeting developer systems

Glassworm operators had been systematically targeting developers since early 2025.

Developers were high-value targets because they had access to source code repositories, cloud systems, CI/CD pipelines and package registries.

A single developer compromise could therefore snowball into supply chain compromises affecting thousands of users and enterprises.

Glassworm's cycle of infection | Credit: CrowdStrike

Trojanised VS Code extensions published on the Open VSX marketplace posed as time trackers and code formatters.

Because Cursor, Positron, Windsurf, VSCodium and other integrated development environments (IDEs) also install extensions, their users could fall victim alongside VS Code users.

Attackers had also compromised npm and Python packages, introducing malicious code through post-install hooks and setup scripts. According to CrowdStrike, this code executed silently during routine dependency installation, so a developer who simply ran an install command could be infected without ever opening the package.

The campaign also poisoned GitHub repositories: credentials harvested from earlier Glassworm infections were used to force-push malicious commits to more than 300 repositories.

A Node.js remote access tool called GlasswormRAT was also uncovered. The tool was cross-platform, running on Windows, macOS and Linux.


This botnet, according to CrowdStrike, was operated by criminals based in Russia.

Decentralised infrastructure design

Engineered for persistence, the infrastructure used decentralised technologies to make the operation harder to detect and dismantle.

Multiple communication methods allowed infected devices to keep receiving instructions even if one channel failed.

The botnet's command and control server addresses were encoded in the memo fields of Solana blockchain transactions.

This created "an immutable, publicly accessible dead-drop that cannot be taken offline through conventional means," as CrowdStrike puts it.

The operators also used BitTorrent, the peer-to-peer file sharing protocol.

GlasswormRAT queried the BitTorrent distributed hash table (DHT) for records stored under hardcoded public keys, so the operators could publish fresh C2 details to the DHT rather than into anything a provider could take down.

Glassworm C2 infrastructure and disruption | Credit: CrowdStrike

Google Calendar events and commercial virtual servers were also used to distribute instructions and payloads to infected machines.

CrowdStrike calls this "a dynamic front protecting the actual C2 servers behind multiple layers of indirection".

Coordinated disruption operation

Disrupting a botnet of this architecture "required precision and timing," according to CrowdStrike.

"All four channels had to be disrupted simultaneously in a coordinated effort," CrowdStrike says. Had only one channel been targeted, the operators could quickly have reconstituted the botnet through the others.

Alessandro Guggino, Senior Security Researcher at CrowdStrike notes on his LinkedIn: "CrowdStrike played offense and brought the fight to the adversary.

"The Counter Adversary Operations team disrupted a global botnet built for resilience, engineered with four distinct command and control (C2) channels to be nearly impossible to take down."

"The C2 architecture relied on two decentralised networks that were taken over and eclipsed - the Solana blockchain and the BitTorrent distributed hash table (DHT) – as well as Google Calendar events and commercial virtual servers, taken down by our operation partners," Guggino says.

"As a result, infected machines can no longer receive new instructions or payloads."

The incident is a reminder that security requires proactive threat hunting, collaborative intelligence sharing and tactical disruption.

Security programmes that focus only on detection will struggle against adversaries using decentralised infrastructure and layered command systems, since there is no single server to block and the operators can rotate channels faster than blocklists are updated.

Defenders are therefore increasingly working together to dismantle the infrastructure that powers organised cybercrime.
