Malware

Zombi

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1195.002Compromise Software Supply ChainEvidence1

"we just discovered the world's first worm targeting VS Code extensions on OpenVSX marketplace"; "Seven OpenVSX extensions compromised..."; "A new infected extension detected in Microsoft's VSCode marketplace"

Persistence

1 technique

T1547.001Registry Run Keys / Startup FolderEvidence1

"Persistence Mechanisms: HKCU\Software\Microsoft\Windows\CurrentVersion\Run; HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

Privilege Escalation

1 technique

T1547.001Registry Run Keys / Startup FolderEvidence1

"Persistence Mechanisms: HKCU\Software\Microsoft\Windows\CurrentVersion\Run; HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

Stealth

1 technique

T1027Obfuscated Files or InformationEvidence1

"massive base64 payload... encrypted... AES-256-CBC"; "decryption key hides in the response headers"

Credential Access

1 technique

T1555Credentials from Password StoresEvidence1

"Targets 49 different cryptocurrency wallet extensions to drain funds"; "targeting MetaMask, Phantom, Coinbase Wallet"

Lateral Movement

1 technique

T1021.005VNCEvidence1

"Installs hidden VNC servers for complete remote access"; "HVNC gives the attacker complete remote desktop access... hidden"

Command and Control

3 techniques

T1090.001Internal ProxyEvidence1

"Deploys SOCKS proxy servers, turning developer machines into criminal infrastructure"; "turn your computer into a SOCKS proxy server"

T1102.001Dead Drop ResolverEvidence1

"WebRTC P2P - Direct Peer-to-Peer Control"; "bypass traditional firewalls through NAT traversal" | "BitTorrent DHT - Decentralized Command Distribution"; "Commands are distributed through the BitTorrent DHT network"

T1102.002Bidirectional CommunicationEvidence1

"The malware reaches out to this Google Calendar event as a backup C2 mechanism... base64-encoded URL"

INDICATORS OF COMPROMISE

IOCs tracked for this family

3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app

Network

3 tracked

IPs, domains, and DNS infrastructure linked to this family.

TypeValueLatest sighting

ip.v4●●●●●●●●●●●●View more in app5 months ago

ip.v4●●●●●●●●●●●●View more in app8 months ago

ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app

the hacker newsNews

Oct 24, 2025

Self-Spreading 'GlassWorm' Infects VS Code Extensions in Widespread Supply Chain Attack

Zombi is a secondary payload deployed by GlassWorm. Written in JavaScript, it drops a SOCKS proxy, WebRTC modules for peer-to-peer communication, BitTorrent DHT for decentralized command distribution, and HVNC for remote control, turning an infection into a full compromise.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching3

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping8

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.