Briefing

CrowdStrike, Google, and Shadowserver Disrupt GlassWorm Command‑and‑Control Channels

by [email protected] (The Hacker News)

Block GlassWorm C2 domains and monitor for related malware on your network.

What to do now

Update firewall rules to block GlassWorm C2 domains, run endpoint scans, and verify that no GlassWorm components remain on your systems.

Summary

CrowdStrike, in partnership with Google and the Shadowserver Foundation, announced the simultaneous disruption of all command‑and‑control (C2) channels associated with the GlassWorm persistent supply‑chain campaign. GlassWorm has been targeting software developers through malicious packages and extensions since at least early 2025, using a sophisticated supply‑chain attack that injects malicious code into legitimate development tools. The disruption was achieved by blocking the domains and IP addresses the threat actors used to communicate with infected systems. The campaign’s payloads include a backdoor that can be triggered via a custom HTTP header, allowing remote control of the victim’s machine. The attackers also leveraged a zero‑day vulnerability in a popular code editor to gain initial access. The joint effort by CrowdStrike, Google, and Shadowserver was coordinated through the Shadowserver Foundation’s threat intelligence feeds. The disruption has effectively cut off the threat actors’ ability to push updates to, and exfiltrate data from, compromised systems. Researchers recommend monitoring for residual activity and updating endpoint protection to detect any remaining GlassWorm components.

The GlassWorm campaign uses a multi‑stage approach, starting with a malicious extension that installs a hidden DLL on the victim’s machine. The DLL establishes a reverse shell to a remote server, enabling the attackers to execute arbitrary commands. The threat actors also use a custom domain that mimics a legitimate software vendor, making it difficult for users to detect the malicious traffic. The disruption of the C2 channels was announced on 12 May 2026, and the threat actors have not yet re‑established communication. The incident highlights the importance of supply‑chain security and the effectiveness of coordinated threat‑intel sharing.

Key changes

  • CrowdStrike, Google, and Shadowserver disrupted all GlassWorm C2 channels.
  • GlassWorm targets software developers via malicious packages and extensions.
  • The campaign uses a backdoor that can be triggered by a custom HTTP header.
  • A zero‑day vulnerability in a popular code editor was leveraged for initial access.
  • The disruption was achieved by blocking domains and IP addresses used by the threat actors.
  • The threat actors have not yet re‑established communication since the disruption.
  • The incident underscores the effectiveness of coordinated threat‑intel sharing.
  • Researchers recommend monitoring for residual activity and updating endpoint protection.

Affects

none
