Researchers from CrowdStrike, Google, and the Shadowserver Foundation disrupted the Glassworm botnet this month after taking down its command-and-control infrastructure.

The operation stops a sophisticated supply-chain attack that targeted software developers globally. By poisoning the tools developers use to build software, the botnet could have introduced vulnerabilities into a vast array of third-party applications.

Glassworm used a resilient architecture to maintain communication with infected hosts. The botnet operated through four distinct command-and-control channels [1]. These channels leveraged the Solana blockchain and the BitTorrent Distributed Hash Table (DHT) network to hide their traffic among legitimate activity and evade detection by traditional network security monitoring.

This infrastructure allowed the attackers to target the open-source community with precision. According to researchers, the botnet poisoned more than 300 GitHub repositories [2]. This method of attack, known as supply-chain poisoning, allows malware to spread when developers unknowingly download and integrate compromised code into their own projects.

The joint effort between the three organizations focused on dismantling the communication links between the botnet controllers and the infected systems. By neutralizing these channels, the researchers halted the botnet's ability to send new instructions or exfiltrate data from the compromised repositories.

Security analysts said that the use of blockchain technology for command-and-control represents a shift toward more decentralized and harder-to-track malware operations. The disruption of Glassworm prevents further software compromises that could have impacted millions of end-users who rely on the affected GitHub repositories [2].

The Glassworm takedown highlights a growing trend of 'decentralized C2' where attackers use public blockchains and peer-to-peer networks to bypass traditional firewall and DNS filters. Because these networks are designed to be resilient and distributed, they are significantly harder to shut down than traditional centralized servers. This case demonstrates that defending the software supply chain now requires cross-industry collaboration between private security firms and internet infrastructure providers.