Cyber: Essential Guide: Crowdstrike, Google Take Down Glassworm Botnet

An industry effort involving CrowdStrike, Google and the Shadowserver Foundation has led to the disruption of the Glassworm botnet. Working together, the three organizations simultaneously took down all four of Glassworm's command-and-control (C2) channels, cutting the operators off from their infected machines and from their ability to deliver new malicious payloads.

These channels included traditional C2 servers hosted on commercial virtual private servers (VPS). The botnet also relied on less common and stealthier assets: Google Calendar event titles used as dead-drop locations for Base64-encoded C2 paths, peer-to-peer networks, and blockchain-based infrastructure, notably C2 server addresses encoded in the memo fields of transactions on the Solana blockchain. The Glassworm remote access tool also queried the BitTorrent peer-to-peer network for configuration data stored against hardcoded public keys.

"The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns — a dynamic front protecting the actual C2 servers behind multiple layers of indirection," CrowdStrike noted in a report published on May 26. This is why the threat hunters had to disrupt all channels at once. "Taking down only one channel would have left the others operational, allowing the operators to quickly reconstitute," CrowdStrike added.

A well-known name in open-source software supply chain attacks, Glassworm has operated as a network of devices controlled by malicious operators since at least early 2025. It had been used in several multi-pronged campaigns targeting software developers by poisoning the open-source packages they rely on across Windows, macOS and Linux systems.
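The dead-drop pattern described above (a Base64-encoded C2 path hidden in a legitimate service's free-text field such as a calendar event title or a transaction memo) is easy to hunt for once such fields have been collected. The following is an added example written for this page, not CrowdStrike's, Google's or Glassworm's own code, and it uses no real Glassworm indicators: every sample field is constructed, and the host names and paths are placeholders. It Base64-decodes candidate strings and flags those that decode to something shaped like a URL, host:port or absolute path, while letting benign Base64 (a plain sentence) through.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Candidate Base64 token: only alphabet characters, reasonably long, optional padding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")
# Shapes a decoded C2 path tends to take: a URL, a host:port with optional path,
# or an absolute path. Heuristic, not a Glassworm-specific signature.
C2_SHAPE_RE = re.compile(r"^(https?://\S+|[\w.-]+:\d{2,5}(/\S*)?|/[\w./-]+)$")


@dataclass
class Hit:
    source: str    # where the field came from (calendar title, tx memo, ...)
    raw: str       # the encoded value as harvested
    decoded: str   # what it decoded to


def decode_if_base64(value: str) -> Optional[str]:
    """Return the decoded text if value is well-formed Base64 of printable ASCII."""
    value = value.strip()
    if not B64_RE.match(value):
        return None
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None  # bad padding or stray characters
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None  # binary payload, not a path
    return text if text.isprintable() else None


def looks_like_c2_path(text: str) -> bool:
    return C2_SHAPE_RE.match(text.strip()) is not None


def scan_fields(fields: List[Tuple[str, str]]) -> List[Hit]:
    """Flag fields that Base64-decode to a URL/host:port/path-shaped string."""
    hits = []
    for source, value in fields:
        decoded = decode_if_base64(value)
        if decoded is not None and looks_like_c2_path(decoded):
            hits.append(Hit(source, value, decoded))
    return hits


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed samples standing in for harvested calendar titles and memo fields.
# The hosts are reserved/placeholder names; nothing here is a real indicator.
SAMPLE_FIELDS = [
    ("calendar_title", "Team sync"),
    ("calendar_title", b64("https://c2.example.invalid/api/v2/beacon")),
    ("tx_memo", "thanks for lunch"),
    ("tx_memo", b64("10.0.0.1:8443/gate")),
    ("calendar_title", "SGVsbG8gd29ybGQ="),  # valid Base64, decodes to "Hello world"
    ("tx_memo", "Y29mZmVlIGJyZWFr"),          # valid Base64, decodes to "coffee break"
]

if __name__ == "__main__":
    for hit in scan_fields(SAMPLE_FIELDS):
        print(f"{hit.source}: {hit.raw} -> {hit.decoded}")
```

Two of the six constructed fields are flagged; the two benign Base64 strings decode cleanly but fail the shape check, which is the point of decoding first and classifying second rather than alerting on any Base64-looking text. In practice the decoded value would be fed into the usual pivots (passive DNS, hosting provider, certificate history) before being treated as C2.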

Source: InfoSecurity Magazine