{"id":256972,"date":"2026-05-27T06:10:00","date_gmt":"2026-05-27T10:10:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/27\/glassworm-botnet-disrupted-securityweek\/"},"modified":"2026-05-27T12:10:30","modified_gmt":"2026-05-27T16:10:30","slug":"glassworm-botnet-disrupted-securityweek","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/27\/glassworm-botnet-disrupted-securityweek\/","title":{"rendered":"GlassWorm Botnet Disrupted &#8211; SecurityWeek"},"content":{"rendered":"<p><a href=\"https:\/\/www.securityweek.com\/glassworm-botnet-disrupted\/\">GlassWorm Botnet Disrupted &#8211; SecurityWeek<\/a><\/p>\n<p><a href=\"https:\/\/www.securityweek.com\/glassworm-botnet-disrupted\/\">https:\/\/www.securityweek.com\/glassworm-botnet-disrupted\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-27 06:10:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.securityweek.com\">www.securityweek.com<\/a><\/p>\n<p class=\"wp-block-paragraph\"><strong>The GlassWorm botnet that has been targeting the open source software ecosystem for over six months has been disrupted, cybersecurity firm CrowdStrike reports.<\/strong><\/p>\n<p class=\"wp-block-paragraph\">Together with Google and the Shadowserver Foundation, CrowdStrike took down GlassWorm\u2019s four command-and-control (C&#038;C) channels simultaneously, preventing access to the infected machines and the delivery of fresh payloads.<\/p>\n<p class=\"wp-block-paragraph\">The malware has been using the Solana blockchain for C&#038;C infrastructure, with Google Calendar, the BitTorrent peer-to-peer network, and traditional servers hosted on commercial VPS providers serving as backup C&#038;Cs.<\/p>\n<p class=\"wp-block-paragraph\">GlassWorm\u2019s operators have been encoding C&#038;C addresses in the memo fields of blockchain transactions, which cannot be modified or deleted.<\/p>\n<p class=\"wp-block-paragraph\">The BitTorrent network was used to store 
configuration data against hardcoded public keys, Google Calendar was used to store Base64-encoded C&#038;C paths in event titles, and the traditional C&#038;C servers were used to host payloads.<\/p>\n<p class=\"wp-block-paragraph\">\u201cThe combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns \u2014 a dynamic front protecting the actual C&#038;C servers behind multiple layers of indirection,\u201d CrowdStrike notes.<\/p>\n<p class=\"wp-block-paragraph\">By taking down all four channels at the same time, the cybersecurity firms severed the operators\u2019 access to the infected machines and their ability to deliver new instructions.<\/p>\n<p class=\"wp-block-paragraph\">First spotted in October 2025, GlassWorm has been relying on Unicode variation selectors to hide its code in code editors and make it invisible to the human eye.<\/p>\n<p class=\"wp-block-paragraph\">The self-propagating malware was initially distributed via trojanized Visual Studio extensions through the OpenVSX marketplace. In November, however, it also emerged on GitHub.<\/p>\n<p class=\"wp-block-paragraph\">In 2026, GlassWorm attacks continued to target VS developers and other open source software ecosystems. 
In March, multiple Python projects were compromised.<\/p>\n<p class=\"wp-block-paragraph\">\u201cThe operators&#8230;<\/p>\n<p><a href=\"https:\/\/www.securityweek.com\/glassworm-botnet-disrupted\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>GlassWorm Botnet Disrupted &#8211; SecurityWeek https:\/\/www.securityweek.com\/glassworm-botnet-disrupted\/ Publish Date: 2026-05-27 06:10:00 Source Domain: www.securityweek.com The GlassWorm&#8230;<\/p>\n","protected":false},"author":1,"featured_media":256973,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.securityweek.com\/wp-content\/uploads\/2024\/09\/botnet.jpeg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32],"class_list":["post-256972","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/256972"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=256972"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/256972\/revisions"}],"predecessor-version":[{"id":256974,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/256972\/revisions\/256974"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/256973"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=256972"}],"wp:term":[{"taxonomy":"category","embeddable"
:true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=256972"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=256972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}