Glassworm Botnet Disrupted After Multi‑Channel C2 Takedown Halts Developer‑Targeted Supply‑Chain Attacks
What Happened — Researchers from CrowdStrike, Google, and the Shadowserver Foundation jointly dismantled the four‑layer command‑and‑control (C2) infrastructure used by the Glassworm botnet. The botnet, which had been abusing malicious VS Code and OpenVSX extensions to steal cryptocurrency wallets and developer credentials, can no longer receive new instructions or payloads.
Why It Matters for TPRM —
- A supply‑chain threat that compromises development tools can propagate malicious code into any downstream product.
- The botnet’s use of blockchain, BitTorrent DHT, and public calendar services illustrates how attackers can hide C2 traffic in legitimate, hard‑to‑block services.
- Successful takedown shows the value of coordinated threat‑intel sharing; vendors must verify that their own tooling and CI/CD pipelines are not being leveraged as inadvertent C2 relays.
Who Is Affected — Software development firms, SaaS platforms, open‑source package registries (e.g., npm, OpenVSX), and any organization that integrates third‑party VS Code extensions.
Recommended Actions —
- Audit all third‑party extensions and plugins used in development environments.
- Enforce strict code‑signing and provenance checks for VS Code extensions and npm packages.
- Monitor blockchain transaction memos and public calendar events for anomalous patterns that could indicate dead‑drop activity.
- Verify that your CSP and endpoint security solutions can detect non‑traditional C2 channels.
Technical Notes — The botnet leveraged four C2 channels: (1) Solana blockchain memo fields, (2) BitTorrent Distributed Hash Table, (3) Google Calendar event titles, and (4) traditional VPS‑hosted servers. Malicious extensions harvested cryptocurrency wallet seeds and developer credentials. No CVE was directly involved; the threat relied on abuse of legitimate services. Source: BleepingComputer