{
  "iim_version": "1.1",
  "chain_id": "glassworm.2026.developer-supply-chain.multi-resolver-c2",
  "title": "Glassworm developer supply-chain infection to redundant multi-resolver C2",
  "description": "IIM chain for Glassworm as documented by CrowdStrike on 2026-05-26: the operators targeted developers through OpenVSX/VS Code-style extensions, npm and Python packages, and poisoned GitHub repositories. The installed malware delivered Glassworm downloader/RAT capability and resolved operational endpoints through four resilient C2 channels: Solana transaction memo dead-drops, BitTorrent DHT configuration lookup, Google Calendar event-title dead-drops, and direct commercial VPS C2 servers. CrowdStrike, Google and Shadowserver disrupted the channels simultaneously. Exact malicious package names and original VPS C2 addresses were not published in the source article; this chain models the confirmed infrastructure architecture without inventing unpublished IoCs.",
  "actor_id": "Glassworm",
  "observed_at": "2026-05-26T14:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "x_source": {
    "title": "Disrupting Glassworm: Inside CrowdStrike's Takedown of a Developer-Targeting Botnet",
    "publisher": "CrowdStrike",
    "url": "https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/",
    "published_at": "2026-05-26",
    "retrieved_at": "2026-05-27T13:01:04Z",
    "note": "Original source only. TheHackerNews was intentionally not used as a source for this chain."
  },
  "x_limitations": [
    "CrowdStrike published the resilient C2 architecture and a post-takedown benign beacon indicator, but did not publish exact malicious package names or the original direct VPS C2 addresses in the article.",
    "Marketplace/package/repository nodes are therefore represented as report-backed entry classes, not as specific package-name IoCs.",
    "The 164.92.88[.]210 IP is CrowdStrike-operated after disruption and is included as a post-takedown infection indicator, not as attacker-owned infrastructure."
  ],
  "entities": [
    {
      "id": "e001",
      "type": "file",
      "value": "Trojanized VS Code / OpenVSX extension package",
      "observed_at": "2026-05-26T14:00:00Z",
      "source": "CrowdStrike Counter Adversary Operations, 2026-05-26",
      "evidence": [
        "CrowdStrike states that Trojanized VSCode extensions were published to the OpenVSX marketplace and disguised as popular developer tools such as time trackers and code formatters.",
        "The same report says the malicious extensions targeted VSCode and compatible developer environments including Cursor, Positron, Windsurf and VSCodium.",
        "Original source: https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/"
      ],
      "x_public_summary": "Developer IDE extension marketplace entry point."
    },
    {
      "id": "e002",
      "type": "file",
      "value": "Compromised npm package with postinstall hook",
      "observed_at": "2026-05-26T14:00:00Z",
      "source": "CrowdStrike Counter Adversary Operations, 2026-05-26",
      "evidence": [
        "CrowdStrike reports that compromised npm packages introduced malicious code through postinstall hooks.",
        "The report emphasizes that this executes silently during routine dependency installation.",
        "Original source: https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/"
      ],
      "x_public_summary": "npm dependency-install execution path."
    },
    {
      "id": "e003",
      "type": "file",
      "value": "Compromised Python package with setup script",
      "observed_at": "2026-05-26T14:00:00Z",
      "source": "CrowdStrike Counter Adversary Operations, 2026-05-26",
      "evidence": [
        "CrowdStrike reports that compromised Python packages introduced malicious code through setup scripts.",
        "The report frames npm and Python package abuse as part of the same developer supply-chain entry surface.",
        "Original source: https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/"
      ],
      "x_public_summary": "PyPI/Python package-install execution path."
    },
    {
      "id": "e004",
      "type": "url",
      "value": "github://poisoned-default-branches/more-than-300-repositories",
      "observed_at": "2026-05-26T14:00:00Z",
      "source": "CrowdStrike Counter Adversary Operations, 2026-05-26",
      "evidence": [
        "CrowdStrike states that more than 300 GitHub repositories were poisoned using stolen developer credentials harvested from earlier Glassworm infections.",
        "The report says malicious code was force-pushed into default branches, preserving original commit author and date metadata.",
        "Original source: https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/"
      ],
      "x_public_summary": "GitHub repository poisoning as a secondary supply-chain entry path."
    },
    {
      "id": "e005",
      "type": "file",
      "value": "Glassworm downloader / installer stage",
      "observed_at": "2026-05-26T14:00:00Z",
      "source": "CrowdStrike Counter Adversary Operations, 2026-05-26",
      "evidence": [
        "CrowdStrike shares a YARA rule named CrowdStrike_GlasswormDownloader_01 for an obfuscated Python installer variant.",
        "The broader report describes Glassworm as cross-platform and able to deliver new malicious payloads through its C2 channels.",
        "Original source: https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/"
      ],
      "x_public_summary": "Installer/downloader stage that bridges initial supply-chain compromise to payload execution."
    },
    {
      "id": "e006",
      "type": "file",
      "value": "GlasswormRAT Node.js remote access tool",
      "observed_at": "2026-05-26T14:00:00Z",
      "source": "CrowdStrike Counter Adversary Operations, 2026-05-26",
      "evidence": [
        "CrowdStrike identifies GlasswormRAT as a full-featured Node.js remote access tool.",
        "The report states that campaign capabilities include information theft, credential harvesting and GlasswormRAT deployment across Windows, macOS and Linux.",
        "CrowdStrike also publishes a YARA rule named CrowdStrike_GlasswormRat_01 with strings including DownloadManager, start_socks, Node.js download URL and DHT bootstrap behavior.",
        "Original source: https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/"
      ],
      "x_public_summary": "Remote access/payload component that queries resolver infrastructure and receives instructions."
    },
    {
      "id": "e007",
      "type": "url",
      "value": "solana://transaction-memo/c2-server-addresses",
      "observed_at": "2026-05-26T14:00:00Z",
      "source": "CrowdStrike Counter Adversary Operations, 2026-05-26",
      "evidence": [
        "CrowdStrike says Glassworm encoded C2 server addresses in Solana transaction memo fields.",
        "The report describes this as an immutable, publicly accessible dead-drop that cannot be taken offline through conventional means.",
        "Original source: https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/"
      ],
      "x_public_summary": "Blockchain memo dead-drop resolver for current C2 locations."
    },
    {
      "id": "e008",
      "type": "url",
      "value": "bittorrent-dht://hardcoded-public-keys/configuration-data",
      "observed_at": "2026-05-26T14:00:00Z",
      "source": "CrowdStrike Counter Adversary Operations, 2026-05-26",
      "evidence": [
        "CrowdStrike says GlasswormRAT queries the BitTorrent DHT for configuration data stored against hardcoded public keys.",
        "The report characterizes BitTorrent DHT as a decentralized channel with no single point of failure.",
        "Original source: https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/"
      ],
      "x_public_summary": "Peer-to-peer resolver/configuration layer."
    },
    {
      "id": "e009",
      "type": "url",
      "value": "google-calendar://event-title/base64-encoded-c2-paths",
      "observed_at": "2026-05-26T14:00:00Z",
      "source": "CrowdStrike Counter Adversary Operations, 2026-05-26",
      "evidence": [
        "CrowdStrike says Glassworm used Google Calendar event titles as dead-drop locations for Base64-encoded C2 paths.",
        "The report lists the public calendar service as one of four C2 channels disrupted during the coordinated operation.",
        "Original source: https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/"
      ],
      "x_public_summary": "Legitimate calendar service abused as a C2 path dead-drop."
    },
    {
      "id": "e010",
      "type": "domain",
      "value": "commercial VPS-hosted direct C2 infrastructure (exact addresses not published)",
      "observed_at": "2026-05-26T14:00:00Z",
      "source": "CrowdStrike Counter Adversary Operations, 2026-05-26",
      "evidence": [
        "CrowdStrike states that traditional C2 infrastructure hosted on commercial VPS providers served as the final payload delivery mechanism.",
        "The report describes this VPS layer as the direct server connection channel behind the dynamic resolver front.",
        "CrowdStrike did not publish exact original VPS hostnames or IP addresses in the article.",
        "Original source: https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/"
      ],
      "x_public_summary": "Terminal C2/payload-delivery layer behind the resolver stack."
    },
    {
      "id": "e011",
      "type": "ip",
      "value": "164.92.88.210",
      "observed_at": "2026-05-26T14:00:00Z",
      "source": "CrowdStrike Counter Adversary Operations, 2026-05-26",
      "evidence": [
        "CrowdStrike states that all Glassworm-infected machines now beacon to benign CrowdStrike-operated IP address 164.92.88[.]210 after the takedown.",
        "The report recommends reviewing logs and endpoint telemetry for connections to this address as an infection indicator.",
        "This IP is included as a post-disruption sinkhole/benign beacon indicator, not as attacker-owned C2.",
        "Original source: https://www.crowdstrike.com/en-us/blog/inside-crowdstrike-takedown-of-a-developer-targeting-botnet/"
      ],
      "x_public_summary": "Post-takedown benign beacon/sinkhole indicator."
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [
        "IIM-T006"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "OpenVSX/VSCode extension marketplace is modeled as trusted developer-platform abuse."
    },
    {
      "entity_id": "e002",
      "role": "entry",
      "techniques": [
        "IIM-T006"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "npm package registry abuse is modeled as trusted developer-platform abuse."
    },
    {
      "entity_id": "e003",
      "role": "entry",
      "techniques": [
        "IIM-T006"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Python package ecosystem abuse is modeled as trusted developer-platform abuse."
    },
    {
      "entity_id": "e004",
      "role": "entry",
      "techniques": [
        "IIM-T006"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "GitHub poisoning is an additional trusted-site supply-chain entry path using harvested credentials."
    },
    {
      "entity_id": "e005",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Installer/downloader stage is included for chain composition; its host-side behavior is outside IIM technique scope."
    },
    {
      "entity_id": "e006",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "GlasswormRAT is the payload capability; the resolver/C2 infrastructure it queries is represented by the following nodes."
    },
    {
      "entity_id": "e007",
      "role": "redirector",
      "techniques": [
        "IIM-T013"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Solana memo fields publish current C2 server addresses and therefore act as a dead-drop resolver."
    },
    {
      "entity_id": "e008",
      "role": "redirector",
      "techniques": [
        "IIM-T013"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "likely",
      "needs_review": false,
      "review_notes": "BitTorrent DHT configuration lookup is modeled as a decentralized dead-drop/configuration resolver. IIM has no dedicated DHT technique yet."
    },
    {
      "entity_id": "e009",
      "role": "redirector",
      "techniques": [
        "IIM-T006",
        "IIM-T013"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Google Calendar is a trusted third-party service used as a dead-drop location for Base64 C2 paths."
    },
    {
      "entity_id": "e010",
      "role": "c2",
      "techniques": [
        "IIM-T002"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false,
      "review_notes": "Commercial VPS direct C2 was confirmed by CrowdStrike; exact VPS IoCs were not published in the article."
    },
    {
      "entity_id": "e011",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": true,
      "review_notes": "This is a benign CrowdStrike-operated post-takedown endpoint. Keep visible as infection indicator, but do not treat it as attacker-owned infrastructure."
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e005",
      "type": "execute",
      "sequence_order": 1,
      "observed_at": "2026-05-26T14:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "CrowdStrike states Trojanized OpenVSX/VSCode extensions were part of the developer-targeting supply-chain campaign.",
        "The malicious extension package acts as an entry vector into the Glassworm infection chain."
      ]
    },
    {
      "from": "e002",
      "to": "e005",
      "type": "execute",
      "sequence_order": 2,
      "observed_at": "2026-05-26T14:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "CrowdStrike specifically describes npm postinstall hooks executing malicious code during dependency installation.",
        "This maps to package install triggering the downloader/installer stage."
      ]
    },
    {
      "from": "e003",
      "to": "e005",
      "type": "execute",
      "sequence_order": 3,
      "observed_at": "2026-05-26T14:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "CrowdStrike describes Python package setup scripts executing malicious code during routine installation.",
        "This maps to package install triggering the downloader/installer stage."
      ]
    },
    {
      "from": "e004",
      "to": "e005",
      "type": "drops",
      "sequence_order": 4,
      "observed_at": "2026-05-26T14:00:00Z",
      "confidence": "likely",
      "x_evidence": [
        "CrowdStrike says malicious code was force-pushed into more than 300 GitHub repositories using stolen developer credentials.",
        "The exact payload material per repository is not published, so this relation is marked likely rather than confirmed."
      ]
    },
    {
      "from": "e005",
      "to": "e006",
      "type": "drops",
      "sequence_order": 5,
      "observed_at": "2026-05-26T14:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "CrowdStrike publishes separate YARA coverage for a Glassworm downloader/installer variant and GlasswormRAT.",
        "The report states the operation delivered a full-featured Node.js remote access tool dubbed GlasswormRAT."
      ]
    },
    {
      "from": "e006",
      "to": "e007",
      "type": "connect",
      "sequence_order": 6,
      "observed_at": "2026-05-26T14:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "CrowdStrike says C2 server addresses were encoded in Solana transaction memo fields.",
        "This is one of the four Glassworm C2 channels disrupted on 2026-05-26."
      ]
    },
    {
      "from": "e006",
      "to": "e008",
      "type": "connect",
      "sequence_order": 7,
      "observed_at": "2026-05-26T14:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "CrowdStrike says GlasswormRAT queried the BitTorrent DHT for configuration data stored against hardcoded public keys.",
        "The GlasswormRAT YARA rule includes DHT bootstrap-related strings."
      ]
    },
    {
      "from": "e006",
      "to": "e009",
      "type": "connect",
      "sequence_order": 8,
      "observed_at": "2026-05-26T14:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "CrowdStrike says Google Calendar event titles were used as dead-drop locations for Base64-encoded C2 paths.",
        "The public calendar service was disrupted as part of the coordinated takedown."
      ]
    },
    {
      "from": "e007",
      "to": "e010",
      "type": "references",
      "sequence_order": 9,
      "observed_at": "2026-05-26T14:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "CrowdStrike states Solana memo fields contained C2 server addresses.",
        "The report describes resolver layers as a dynamic front protecting actual C2 servers."
      ]
    },
    {
      "from": "e008",
      "to": "e010",
      "type": "references",
      "sequence_order": 10,
      "observed_at": "2026-05-26T14:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "CrowdStrike states the DHT channel was used for configuration data stored against hardcoded public keys.",
        "The configuration channel is part of the same resilient architecture leading to terminal C2/payload delivery."
      ]
    },
    {
      "from": "e009",
      "to": "e010",
      "type": "references",
      "sequence_order": 11,
      "observed_at": "2026-05-26T14:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "CrowdStrike states Google Calendar event titles stored Base64-encoded C2 paths.",
        "Those paths belong to the terminal C2/payload-delivery layer hosted on commercial VPS infrastructure."
      ]
    },
    {
      "from": "e006",
      "to": "e010",
      "type": "communicates-with",
      "sequence_order": 12,
      "observed_at": "2026-05-26T14:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "CrowdStrike identifies direct server connections as the fourth C2 channel.",
        "The report states commercial VPS-hosted traditional C2 infrastructure served as the final payload delivery mechanism."
      ]
    },
    {
      "from": "e006",
      "to": "e011",
      "type": "communicates-with",
      "sequence_order": 13,
      "observed_at": "2026-05-26T14:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "CrowdStrike states infected machines now beacon to benign CrowdStrike-operated 164.92.88[.]210 after the takedown.",
        "This relation is included as a post-disruption infection indicator, not as an attacker-controlled C2 relation."
      ],
      "x_relation_scope": "post-takedown-benign-sinkhole"
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1195",
      "name": "Supply Chain Compromise",
      "tactic": "Initial Access",
      "comment": "Initial access through developer tooling, package registries and poisoned repositories."
    },
    {
      "technique_id": "T1102",
      "name": "Web Service",
      "tactic": "Command and Control",
      "comment": "Use of legitimate services and public platforms for resolver/dead-drop behavior."
    }
  ],
  "x_publication": {
    "suggested_slug": "glassworm-developer-supply-chain-multi-resolver-c2",
    "tlp": "clear",
    "source_status": "original-source-only",
    "share_enabled": true,
    "feed_tags": [
      "glassworm",
      "developer-supply-chain",
      "openvsx",
      "npm",
      "pypi",
      "github",
      "solana",
      "bittorrent-dht",
      "google-calendar",
      "c2-resilience"
    ]
  }
}