GlassWorm Malware Uses Solana Dead Drops to Deploy RAT, Steal Browser Credentials and Crypto Wallets
What Happened — Researchers identified a new GlassWorm variant that leverages “dead‑drop” addresses on the Solana blockchain to deliver a multi‑stage payload. The payload installs a malicious Google Chrome extension masquerading as an offline Google Docs viewer, which logs keystrokes, dumps cookies and session tokens, captures screenshots, and extracts cryptocurrency wallet data.
Why It Matters for TPRM —
- Browser-based malware bypasses traditional network perimeters, so any third party that permits uncontrolled extension installs is exposed.
- Blockchain dead drops evade conventional URL filtering and domain blocklists, widening the attack surface for partners that handle crypto assets.
- Stolen credentials, session tokens and wallet keys can be reused to compromise downstream SaaS services and financial platforms.
Who Is Affected — Cryptocurrency exchanges, fintech firms, SaaS providers, and any organization whose employees use Chrome for web‑based financial workflows.
Recommended Actions — Review and harden extension allowlisting policies, block unsigned Chrome extensions, monitor outbound traffic associated with known Solana dead-drop addresses, enforce MFA for privileged accounts, and run endpoint-detection-and-response (EDR) hunts for GlassWorm IOCs.
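The first two recommended actions can be turned into something auditable. The script below is an added example written for this brief, not code from The Hacker News or from any GlassWorm analysis: it checks Chrome extension manifests against a corporate allowlist, flags the permissions that enable the behaviour described above (cookie and session theft, keystroke capture via content scripts on every page, screen capture), and emits a Chrome enterprise `ExtensionSettings` policy that blocks every extension not explicitly allowed. The extension IDs and manifests are constructed placeholders, not indicators from the campaign; `ExtensionSettings`, `installation_mode` and the permission names are real Chrome policy and manifest keys.

```python
"""Audit Chrome extension manifests and emit a deny-all ExtensionSettings policy.

Added example for this brief; extension IDs and manifests below are constructed
placeholders, not indicators from the reported GlassWorm campaign.
"""
import json

# Real Chrome extension permission names that map onto the capabilities the
# reported extension abuses (cookies/sessions, tabs, clipboard, screen capture).
SENSITIVE_PERMISSIONS = {
    "cookies": "read/modify cookies and session tokens",
    "webRequest": "observe/modify HTTP traffic",
    "webRequestBlocking": "block/modify HTTP traffic",
    "tabs": "enumerate open tabs and their URLs",
    "clipboardRead": "read clipboard contents (seed phrases, passwords)",
    "nativeMessaging": "talk to native host binaries",
    "debugger": "attach the DevTools protocol to pages",
    "desktopCapture": "capture the screen",
    "tabCapture": "capture tab contents",
    "scripting": "inject scripts into pages",
    "declarativeNetRequest": "rewrite network requests",
}
# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Constructed placeholder allowlist (32-char Chrome extension IDs).
SAMPLE_ALLOWLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

SAMPLE_MANIFESTS = {
    # Constructed lookalike of the "offline Google Docs viewer" decoy described above.
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "manifest_version": 3,
        "name": "Google Docs Offline Viewer",
        "permissions": ["cookies", "tabs", "scripting", "clipboardRead", "storage"],
        "host_permissions": ["<all_urls>"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    },
    # Constructed benign, allowlisted extension with a narrow host scope.
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "manifest_version": 3,
        "name": "Corp SSO Helper",
        "permissions": ["storage"],
        "host_permissions": ["https://sso.example.com/*"],
    },
}


def audit_manifest(ext_id, manifest, allowlist):
    """Return a list of (severity, finding) tuples for one extension manifest."""
    findings = []
    if ext_id not in allowlist:
        findings.append(("high", "extension ID not on the corporate allowlist"))
    perms = set(manifest.get("permissions", []))
    # MV2 listed host patterns under `permissions`; MV3 moved them to `host_permissions`.
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"
    }
    for p in sorted(perms & SENSITIVE_PERMISSIONS.keys()):
        findings.append(("medium", f"requests '{p}': {SENSITIVE_PERMISSIONS[p]}"))
    if hosts & BROAD_HOSTS:
        findings.append(("high", "requests access to all sites"))
    # A content script matched on every page is the usual foothold for keylogging.
    for cs in manifest.get("content_scripts", []):
        if set(cs.get("matches", [])) & BROAD_HOSTS:
            findings.append(("high", "content script injected into every page"))
            break
    return findings


def audit_all(manifests=SAMPLE_MANIFESTS, allowlist=SAMPLE_ALLOWLIST):
    """Audit every manifest; returns {extension_id: [findings]}."""
    return {ext_id: audit_manifest(ext_id, m, allowlist) for ext_id, m in manifests.items()}


def build_extension_settings_policy(allowlist):
    """Chrome 'ExtensionSettings' policy: block all extensions, allow listed IDs."""
    policy = {"*": {"installation_mode": "blocked"}}
    for ext_id in sorted(allowlist):
        policy[ext_id] = {"installation_mode": "allowed"}
    return policy


if __name__ == "__main__":
    for ext_id, findings in audit_all().items():
        print(ext_id, "->", "clean" if not findings else f"{len(findings)} finding(s)")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
    print(json.dumps(build_extension_settings_policy(SAMPLE_ALLOWLIST), indent=2))
```

On a real endpoint the manifests come from the profile's extension directory (on Windows, `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\<id>\<version>\manifest.json`), and the emitted policy is deployed through the `ExtensionSettings` key via GPO, Intune or the Chrome Browser Cloud Management console. The deny-all default is the point: it removes the decision about whether a "Google Docs Offline Viewer" is legitimate from the user, and a non-allowlisted ID becomes a hunting signal rather than a judgement call.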
Technical Notes — Attack vector: malicious Chrome extension delivered via Solana blockchain dead drops; no public CVE assigned; data stolen includes keystrokes, cookies, session tokens, screenshots, and private keys for crypto wallets. Source: The Hacker News