Security vendor CrowdStrike said it has taken down the command and control (C2) channels used by the operators of the Glassworm botnet that has targeted developers since last year.
Earlier reports suggested the self-replicating malware's infrastructure was unkillable due to the use of the immutable and distributed Solana public blockchain for C2 dead-drops.
CrowdStrike wrote in its analysis that the Glassworm operators went further in their efforts to create resilient infrastructure, using the BitTorrent peer-to-peer (P2P) network's distributed hash table (DHT) for configuration data, stored against hard-coded public keys.
Using the BitTorrent DHT enabled the Glassworm operators to leverage a large global network with no single point of failure.
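A defender-side sketch of how such DHT lookups could be matched on the wire, added here and not taken from CrowdStrike's post or this article. It assumes the configuration is stored as BEP 44 mutable items, whose lookup target is the SHA-1 of the public key plus an optional salt, and it uses a constructed placeholder key rather than any real Glassworm indicator.

```python
import hashlib

def bdecode(data: bytes, i: int = 0):
    """Minimal bencode decoder: returns (value, index after value)."""
    c = data[i:i + 1]
    if c == b"i":                                   # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c in (b"l", b"d"):                           # list or dict, closed by 'e'
        items, i = [], i + 1
        while data[i:i + 1] != b"e":
            value, i = bdecode(data, i)
            items.append(value)
        if c == b"l":
            return items, i + 1
        return dict(zip(items[0::2], items[1::2])), i + 1
    if c.isdigit():                                 # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        start = colon + 1
        end = start + int(data[i:colon])
        if end > len(data):
            raise ValueError("truncated string")
        return data[start:end], end
    raise ValueError("not bencode")

def bep44_target(pubkey: bytes, salt: bytes = b"") -> bytes:
    """DHT lookup target of a BEP 44 mutable item: SHA-1(public key + salt)."""
    return hashlib.sha1(pubkey + salt).digest()

def match_dht_get(payload: bytes, watch: dict):
    """Return the watchlist label if a UDP payload is a DHT 'get' for a watched key."""
    try:
        msg, _ = bdecode(payload)
    except (ValueError, TypeError, RecursionError):  # malformed or hostile input
        return None
    if not isinstance(msg, dict) or msg.get(b"y") != b"q" or msg.get(b"q") != b"get":
        return None
    args = msg.get(b"a")
    target = args.get(b"target") if isinstance(args, dict) else None
    return watch.get(target) if isinstance(target, bytes) else None

# Constructed sample data: the key is a placeholder, not a Glassworm indicator.
PLACEHOLDER_KEY = bytes(range(32))
WATCH = {bep44_target(PLACEHOLDER_KEY): "placeholder-key-1"}

def sample_get(target: bytes) -> bytes:
    """Build a constructed KRPC 'get' query for the given 20-byte target."""
    return (b"d1:ad2:id20:" + b"A" * 20 + b"6:target20:" + target
            + b"e1:q3:get1:t2:aa1:y1:qe")

if __name__ == "__main__":
    print(match_dht_get(sample_get(bep44_target(PLACEHOLDER_KEY)), WATCH))
```

A match is most useful when the querying host or process has no business speaking BitTorrent at all, such as a build agent or an editor extension host.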
In addition, Glassworm is set up to use Google Calendar event titles as dead-drops for C2 paths, encoded with Base64, and the malware also used commercial virtual private service providers to deliver its final payload.
"Disrupting this architecture required precision and timing," CrowdStrike said.
"Taking down only one channel would have left the others operational, allowing the operators to quickly reconstitute.
"All four channels had to be disrupted simultaneously in a coordinated effort."
According to the company's technical blog post, CrowdStrike appears to have launched an eclipse attack on the DHT to disrupt the flow of C2 configuration data, but it declined to provide further details on how this was done.
CrowdStrike also said there were multiple wallets on the Solana blockchain that were subject to a "takeover"; however, the security vendor did respond to a question from iTnews about what this entailed, such as the capture of private encryption keys.
"As a result, infected machines can no longer receive new instructions or payloads," the security vendor said.
Glassworm has systematically targeted software developers since early 2025, hitting code repositories, cloud platforms, continuous integration/continuous delivery (CI/CD) pipelines, and package registries, CrowdStrike said.
As the Glassworm malware checks devices for locales and languages, and quietly exits if the machine is in a post-Soviet Commonwealth of Independent States (CIS) country, CrowdStrike suggested the criminals are likely based in Russia.




