GlasswormRAT
GlasswormRAT is a full-featured cross-platform Node.js/JavaScript remote access trojan used in the broader Glassworm software supply-chain campaign targeting software developers since at least early 2025. It has been delivered via trojanized VS Code/OpenVSX extensions, compromised npm packages using postinstall hooks, malicious Python packages using setup scripts, and poisoned GitHub repositories populated with stolen developer credentials. The campaign affected Windows, macOS, and Linux systems and heavily targeted developer ecosystems including VS Code and forks such as Cursor, Positron, Windsurf, and VSCodium.
High-confidence capabilities described in the reporting include information theft, credential harvesting, browser data theft, arbitrary code execution, theft of npm, GitHub, and Git credentials, and theft of tokens and cryptocurrency wallet data, including draining funds from wallet extensions. GlasswormRAT also installs a malicious Chrome extension used for keylogging, clipboard monitoring, and screenshot capture. Infected hosts were additionally repurposed as SOCKS proxy servers, hidden VNC servers, and remote execution nodes.
Its command-and-control architecture was notably resilient and used multiple channels: Solana blockchain transaction memo fields to store C2 server addresses, BitTorrent DHT queries using hardcoded public keys to retrieve configuration, Google Calendar event titles as dead-drop locations for Base64-encoded C2 paths, and direct VPS-hosted servers for payload delivery. CrowdStrike, working with Google and the Shadowserver Foundation, reported a coordinated disruption of all four C2 channels on 2026-05-26. Following that operation, compromised systems were redirected to the benign sinkhole IP 164.92.88[.]210; any connection to that address was reported as an indicator of Glassworm infection requiring remediation.
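Given the sinkhole redirection described above, the defender-side check a SOC would want is simple: flag any host whose outbound traffic touched the sinkhole address. The following is an added example, not code from the page or from CrowdStrike, Google or Shadowserver; the key=value firewall log format and the sample lines are constructed assumptions, and only the sinkhole IP comes from the reporting.

```python
import ipaddress
import re

# Sinkhole address from the reported disruption (page value 164.92.88[.]210, refanged).
GLASSWORM_SINKHOLE = ipaddress.ip_address("164.92.88.210")

# Constructed sample firewall/proxy log lines (not real telemetry); key=value format assumed.
SAMPLE_LOGS = """\
2026-05-27T08:12:01Z action=allow src=10.0.4.21 dst=164.92.88.210 dport=443 proto=tcp host=dev-laptop-07
2026-05-27T08:12:05Z action=allow src=10.0.4.22 dst=142.250.72.14 dport=443 proto=tcp host=dev-laptop-08
2026-05-27T08:13:44Z action=deny src=10.0.4.21 dst=164.92.88[.]210 dport=8080 proto=tcp host=dev-laptop-07
2026-05-27T08:14:10Z action=allow src=10.0.5.3 dst=164.92.88.211 dport=443 proto=tcp host=build-runner-01
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def refang(value: str) -> str:
    """Turn defanged forms such as 164.92.88[.]210 back into a plain address."""
    return value.replace("[.]", ".").replace("(.)", ".")

def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' line into a dict; empty dict if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return {}
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    return fields

def find_sinkhole_hits(log_text: str) -> list:
    """Return every event whose destination is the Glassworm sinkhole.
    A denied attempt still means an infected host, so action and port are ignored."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or "dst" not in ev:
            continue
        try:
            dst = ipaddress.ip_address(refang(ev["dst"]))
        except ValueError:
            continue  # malformed destination field, skip rather than crash
        if dst == GLASSWORM_SINKHOLE:
            hits.append(ev)
    return hits

def hosts_needing_remediation(log_text: str) -> list:
    """Distinct hostnames that contacted the sinkhole, sorted for reporting."""
    return sorted({ev["host"] for ev in find_sinkhole_hits(log_text) if "host" in ev})
```

The exact-address comparison deliberately does not match neighbouring addresses such as 164.92.88.211, since only the sinkhole itself is the reported indicator.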
CrowdStrike assessed the operators as likely Russia-based or Russian-speaking, citing CIS-avoidance checks in the malware and Russian-language comments in source code, while noting such indicators are not individually conclusive.
Techniques & procedures
26 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (5 techniques)
More than 300 GitHub repositories were poisoned using stolen developer credentials harvested from earlier Glassworm infections
Glassworm marked a significant shift in the threat landscape... Adversaries are no longer just targeting products, they're targeting the developers who build them.
Trojanized VSCode extensions were published to the OpenVSX marketplace, disguised as popular tools like time trackers and code formatters.
Execution (3 techniques)
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (2 techniques)
Credential Access (2 techniques)
Discovery (3 techniques)
The malware checks the victim's locale, language settings, and timezone at runtime
Lateral Movement (2 techniques)
Collection (4 techniques)
...installed a malicious Chrome extension for keylogging, clipboard surveillance, and screenshot capture.
Command and Control (8 techniques)
Because of this architecture, disrupting a single channel would have little impact on the Glassworm operation, as communications could shift to another channel
Another channel was Google Calendar: the malware read Base64-encoded C2 server addresses from event titles. | Instead of a conventional C2, the attackers built a multi-layered infrastructure resilient to blocking and takedowns.
BitTorrent Distributed Hash Table (DHT): The GlasswormRAT queries the BitTorrent peer-to-peer network for configuration data stored against hardcoded public keys
Solana blockchain: C2 server addresses are encoded in the memo fields of blockchain transactions, creating an immutable, publicly accessible dead-drop... Public calendar service: Glassworm uses Google Calendar event titles as dead-drop locations for Base64-encoded C2 paths.
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Recent activity
5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A JavaScript backdoor/remote access trojan deployed by Glassworm on infected systems. It steals browser data, executes arbitrary code, and installs a malicious Chrome extension for keylogging, clipboard monitoring, and screenshot capture.
GlassWormRAT is a WebSocket-based JavaScript remote access trojan used in later GlassWorm infections to steal browser data, execute arbitrary code, and facilitate installation of a malicious Chrome extension for collecting screenshots, keystrokes, and clipboard data.
A Node.js remote access tool used in developer-focused supply chain attacks. It steals developer credentials, drains cryptocurrency wallets, deploys SOCKS proxy and hidden VNC access, infects multiple IDEs via poisoned extensions and packages, and uses resilient multi-channel C2 infrastructure including Solana transactions, BitTorrent DHT, Google Calendar, and VPS servers.
A remote access trojan/botnet used in software supply-chain attacks against developers. It was distributed via malicious OpenVSX and Microsoft VS Code extensions, later via GitHub repositories and npm packages, and stole cryptocurrency wallets and developer credentials while using a resilient multi-channel C2 architecture based on Solana blockchain transactions, BitTorrent DHT, Google Calendar dead drops, and direct VPS-hosted servers.