Glassworm Botnet Disrupted: Researchers Dismantle Resilient C2 Infrastructure Targeting Developers
The **Glassworm** botnet, known for targeting developers through software supply-chain attacks, has been disrupted. A coordinated effort by **CrowdStrike**, **Google**, and **The Shadowserver Foundation** dismantled its resilient command-and-control (C2) infrastructure that relied on the **Solana** blockchain, **BitTorrent** DHT network, and other unconventional methods.

**Glassworm** campaigns have been ongoing since October 2025, initially targeting developers with malicious **OpenVSX** and **Microsoft VS Code** extensions. These extensions were designed to steal cryptocurrency wallets and developer credentials. The attacks later expanded to **GitHub** repositories and **npm** packages, impacting over 400 software artifacts in one campaign during March.
In a recent attack, **Glassworm** operators planted dozens of dormant extensions on **OpenVSX** that would activate their malicious components after an update.
## Resilient C2 Infrastructure
One of the reasons **Glassworm** has been so persistent is its C2 infrastructure. The botnet leveraged non-traditional communication channels, making it exceptionally difficult to take down.
"The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns: a dynamic front protecting the actual C2 servers behind multiple layers of indirection," **CrowdStrike** noted.
Researchers emphasized that the botnet's operators specifically built their infrastructure for resilience. The takedown required a simultaneous hit on all four C2 channels:
1. **Solana** blockchain: C2 server addresses were encoded in the memo fields of blockchain transactions, creating an immutable, publicly accessible dead drop.
2. **BitTorrent** Distributed Hash Table (DHT): The **GlasswormRAT** queried the **BitTorrent** peer-to-peer network for configuration data stored against hardcoded public keys.
3. Public calendar service: **Glassworm** used **Google Calendar** event titles as dead-drop locations for Base64-encoded C2 paths.
4. Direct server connections: Traditional C2 infrastructure hosted on commercial VPS providers served as the final payload delivery mechanism.

*Figure: Glassworm command-and-control architecture (source: CrowdStrike)*
Due to this architecture, disrupting a single channel would have had minimal impact, as communications could simply shift to another channel, allowing the threat actor to maintain control.
## Coordinated Takedown
"All four channels had to be disrupted simultaneously in a coordinated effort. As a result, infected machines can no longer receive new instructions or payloads," **CrowdStrike** stated.
Following the disruption, all machines compromised in the **Glassworm** attack are now beaconing to the IP address 164.92.88[.]210, which is operated by **CrowdStrike**.
Organizations are advised to look for this network indicator and take immediate remediation action. Researchers have also published YARA rules to help confirm infections on suspected hosts.
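As an added example that is not from the article or from CrowdStrike, the check below refangs the published sinkhole indicator and runs it over constructed firewall log lines to list which internal hosts are still beaconing to it; the log format and the host addresses are assumptions.

```python
import re
from collections import Counter

# Sinkhole indicator as published in the article (defanged). The check
# refangs it so it matches what actually appears in connection logs.
SINKHOLE_DEFANGED = "164.92.88[.]210"

# Constructed sample firewall lines (assumed format: time src dst dport).
SAMPLE_LOG = """\
2026-04-01T09:00:01Z 10.0.5.21 164.92.88.210 443
2026-04-01T09:00:03Z 10.0.5.21 142.250.74.46 443
2026-04-01T09:01:01Z 10.0.5.21 164.92.88.210 443
2026-04-01T09:01:30Z 10.0.7.88 164.92.88.210 443
2026-04-01T09:02:01Z 10.0.5.21 164.92.88.210 443
2026-04-01T09:02:10Z 10.0.9.14 93.184.216.34 80
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into 1.2.3.4."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def find_sinkhole_beacons(log_text: str, sinkhole: str = SINKHOLE_DEFANGED) -> dict:
    """Return {source_ip: beacon_count} for hosts that contacted the sinkhole.

    A hit means the host was under Glassworm control before the takedown and
    the implant is still running, so it needs remediation even though the
    sinkhole itself issues no commands.
    """
    target = refang(sinkhole)
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        _ts, src, dst, _port = m.groups()
        if dst == target:
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, n in sorted(find_sinkhole_beacons(SAMPLE_LOG).items()):
        print(f"{host}: {n} beacon(s) to the Glassworm sinkhole, remediate")
```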