
CrowdStrike has detailed how it joined forces with Google and Shadowserver Foundation in a coordinated effort to take down the Glassworm botnet.
Glassworm was a sophisticated malware operation that targeted software developers through malicious packages and extensions.
The endpoint security firm reported that the operation disrupted all four of Glassworm’s command-and-control (C2) channels simultaneously on Tuesday afternoon UTC, cutting operators off from infected machines and preventing them from delivering new malware payloads.
The worm that turned
Glassworm first emerged in October 2025, when researchers from Koi Security identified a self-replicating worm spreading through VS Code extensions on the Open VSX marketplace.
The malware later expanded to npm and Python packages before compromising more than 300 GitHub repositories using stolen developer credentials.
The malware infected Windows, macOS, and Linux systems, stealing credentials, crypto wallet data, and sensitive information while also deploying a remote access trojan (RAT) that allowed attackers to control infected machines remotely.
Glassworm’s infrastructure was deliberately designed to survive traditional takedown attempts, CrowdStrike writes.
Instead of relying on a single server, the malware used four separate communication methods to receive instructions from its operators.
These included hidden instructions stored on the Solana blockchain, the BitTorrent peer-to-peer network, encoded data hidden in Google Calendar event titles, and conventional command servers hosted on commercial infrastructure.
CrowdStrike said that this layered system was intended to ensure the malware could continue operating even if one channel was removed.
“Taking down only one channel would have left the others operational, allowing operators to quickly reconstitute,” CrowdStrike wrote in its blog post.
“All 4 channels had to be disrupted simultaneously in a coordinated effort. As a result, infected machines can no longer receive new instructions or payloads,” CrowdStrike added.
The security firm believes the operators are likely based in Russia, with researchers pointing to malware checks that avoided infecting systems in former Soviet republics, Russian-language comments in the code, and patterns commonly associated with Russian cybercriminal groups.
The disruption comes as another self-replicating worm, Mini Shai-Hulud, burrowed its way through open-source software tools this month – with targets including TanStack and Mistral AI – poisoning source code in GitHub repositories and npm packages in similar supply-chain attacks.
It takes a cyber village…
While Google Threat Intelligence's exact role in the operation is not clear, its chief analyst John Hultquist said the operation demonstrated the importance of collaboration between tech companies, researchers, and law enforcement.
“As part of our disruption efforts, we are working with partners to bring more pain to attackers, especially when we see them abusing our products or targeting our users," he said in a post on X.
The third partner, the Shadowserver Foundation, is a cybersecurity nonprofit that helps identify, track, and disrupt cybercrime infrastructure.