Google, CrowdStrike take down ‘Glassworm’ Botnet hacking attack targeting software developers

In what can be called a major victory for software supply-chain security, a group of global tech giants and cybersecurity researchers has successfully disrupted “Glassworm,” a resilient botnet that had been targeting software developers for months. According to a blog by CrowdStrike, a coordinated operation conducted by security teams from CrowdStrike, Google and The Shadowserver Foundation cut off the botnet operators’ access to their command-and-control (C2) network. The operation required a simultaneous strike across four distinct digital channels that the hackers had cleverly designed to resist conventional takedown efforts, the blog said.

How Glassworm caught software developers off guard

The Glassworm botnet has specifically targeted software developers since October 2025 to steal cryptocurrency wallets and sensitive developer credentials. The hackers used multiple waves of attacks to infiltrate the software supply chain. These included planting infected Microsoft VS Code and OpenVSX extensions. The hackers even hid dozens of dormant extensions on OpenVSX that would only turn malicious after a software update was installed. The attacks later expanded to GitHub repositories, with one massive campaign in March alone claimed to have compromised more than 400 software artifacts.
The Glassworm threat managed to survive for so long because its operators built a highly resilient infrastructure. Instead of relying on a standard central server, which authorities can easily shut down, the botnet hid its communication channels across blockchain technology, peer-to-peer networks, and legitimate web services. To completely dismantle the botnet, researchers had to hit all four of its communication channels at the exact same time:

- Solana blockchain: C2 server addresses are encoded in the memo fields of blockchain transactions, creating an immutable, publicly accessible dead-drop that cannot be taken offline through conventional means.
- BitTorrent Distributed Hash Table (DHT): The GlasswormRAT queries the BitTorrent peer-to-peer network for configuration data stored against hardcoded public keys, leveraging a global decentralized network with no single point of failure.
- Public calendar service: Glassworm uses Google Calendar event titles as dead-drop locations for Base64-encoded C2 paths.
- Direct server connections: Traditional C2 infrastructure hosted on commercial VPS providers served as the final payload delivery mechanism.

According to CrowdStrike, knocking out just one or two of these channels would have done nothing, as the malware would have automatically shifted to another live channel to keep running.
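Two of the channels above (calendar event titles and blockchain memo fields) share a defender-relevant trait: the C2 pointer is a short Base64 string sitting in a field that normally holds human-readable text. The scanner below is an added example, not code from the article, CrowdStrike, Google or Shadowserver, and is written from the detection side: given strings pulled from such fields, it flags those that decode to a URL or absolute path while leaving ordinary Base64 text alone. All sample strings are constructed for the example; the `example.invalid` host and every path are placeholders, not real indicators.

```python
import base64
import binascii
import re
from typing import List, Optional, Dict

# Heuristic shape of a Base64 token (standard or URL-safe alphabet, optional padding).
# The 16-character floor skips short tokens that are usually just words or IDs.
BASE64_TOKEN_RE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")

# What a decoded dead-drop pointer tends to look like: a URL or an absolute path.
URL_OR_PATH_RE = re.compile(r"^(https?://\S+|/\S+)$")


def decode_printable_base64(token: str) -> Optional[str]:
    """Return the decoded text if `token` is valid Base64 (standard or URL-safe)
    that decodes to printable ASCII; otherwise return None."""
    if not BASE64_TOKEN_RE.match(token):
        return None
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
    for altchars in (None, b"-_"):           # standard alphabet, then URL-safe
        try:
            raw = base64.b64decode(padded, altchars=altchars, validate=True)
        except (binascii.Error, ValueError):
            continue
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text and text.isprintable():
            return text
    return None


def find_encoded_endpoints(field_values: List[str]) -> List[Dict[str, str]]:
    """Scan free-text field values (calendar titles, transaction memos, ...) and
    return those that hide a Base64-encoded URL or path, with the decoded value."""
    hits = []
    for value in field_values:
        decoded = decode_printable_base64(value.strip())
        if decoded is not None and URL_OR_PATH_RE.match(decoded):
            hits.append({"source": value, "decoded": decoded})
    return hits


def _b64(text: str) -> str:
    """Helper used only to build the constructed samples below."""
    return base64.b64encode(text.encode()).decode()


# Constructed sample field values (hypothetical; not real Glassworm indicators).
SAMPLE_FIELD_VALUES = [
    "Team sync",                                              # ordinary title
    "Dentist 3pm",                                            # ordinary title
    "ProjectKickoffMeeting",                                  # long but not Base64
    _b64("Happy birthday!"),                                  # Base64, but benign text
    _b64("https://example.invalid/api/v1/payload"),           # encoded URL -> flag
    base64.urlsafe_b64encode(b"/c2/beacon?id=42").decode(),  # URL-safe path -> flag
]

if __name__ == "__main__":
    for hit in find_encoded_endpoints(SAMPLE_FIELD_VALUES):
        print(f"{hit['source']!r} -> {hit['decoded']}")
```

Run as a script it prints only the two constructed pointers; the benign Base64 greeting and the plain titles are ignored. In practice the input would come from an export of calendar events or transaction memos, and a hit is a lead to investigate (who created the event, which extension or process read it), not a verdict on its own.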

About the Author: TOI Tech Desk

The TOI Tech Desk is a dedicated team of journalists committed to delivering the latest and most relevant news from the world of technology to readers of The Times of India. TOI Tech Desk’s news coverage spans a wide spectrum across gadget launches, gadget reviews, trends, in-depth analysis, exclusive reports and breaking stories that impact technology and the digital universe. Be it how-tos or the latest happenings in AI, cybersecurity, personal gadgets, platforms like WhatsApp, Instagram, Facebook and more; TOI Tech Desk brings the news with accuracy and authenticity.
