GlassWorm

GlassWorm is a worm that propagates through supply chain attacks: it steals repository and package-registry credentials from victim environments, then uses the compromised accounts to publish malicious payloads that reach further victims across multiple development ecosystems.[1][2][3] GlassWorm has numerous variants, including Rust binaries, encrypted JavaScript, and a variant that hides its code in invisible Unicode characters, which complicated reverse engineering.[4][1][5] GlassWorm has employed a unique command and control (C2) methodology that uses the Solana blockchain.[6][1] GlassWorm was first reported in October 2025.[6][1][3]

ID: S9010
Type: MALWARE
Platforms: macOS, Windows
Version: 1.0
Created: 10 April 2026
Last Modified: 24 April 2026

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

GlassWorm has used HTTP for C2 and has extracted data from HTTP response headers.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

GlassWorm has archived collected files into a zip file, such as /tmp/out.zip, prior to exfiltration.[3]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

GlassWorm has set registry run keys for persistence in both HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKLM\Software\Microsoft\Windows\CurrentVersion\Run.[1]

Enterprise T1217 Browser Information Discovery

GlassWorm has searched browser data for cookies, history, login databases, and cryptocurrency wallets.[3]

Enterprise T1059 .002 Command and Scripting Interpreter: AppleScript

GlassWorm has used AppleScript, including a statement of the form "set keychainPassword to do shell script", to run a shell command that retrieves passwords from the macOS keychain.[4]

.007 Command and Scripting Interpreter: JavaScript

GlassWorm has used JavaScript to run its malicious code, including code hidden in invisible Unicode characters that is recovered and passed to eval.[6][1][2][3] GlassWorm has also used encrypted JavaScript payloads.[4]

Enterprise T1554 Compromise Host Software Binary

GlassWorm can modify hardware wallet applications.[4]

Enterprise T1543 .001 Create or Modify System Process: Launch Agent

GlassWorm has established persistence on macOS via a LaunchAgent by writing a plist under /Library/LaunchAgents.[4][3]

Enterprise T1555 .001 Credentials from Password Stores: Keychain

GlassWorm has collected the user's login keychain, stored at ~/Library/Keychains/login.keychain-db.[4][3]

.003 Credentials from Password Stores: Credentials from Web Browsers

GlassWorm has gathered credentials stored in Mozilla Firefox and Chromium-based browsers.[4][3]

Enterprise T1602 .002 Data from Configuration Repository: Network Device Configuration Dump

GlassWorm has gathered VPN configuration data.[4][3] On macOS, GlassWorm has also targeted the locally stored FortiClient configuration at /Library/Application Support/Fortinet/FortiClient/conf/vpn.plist.[3]

Enterprise T1213 .003 Data from Information Repositories: Code Repositories

GlassWorm has gathered authentication material for npm and GitHub code repositories.[4][1][3] GlassWorm has collected the _authToken value from the npm configuration.[1][3]
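The _authToken that GlassWorm collects normally lives in an .npmrc file as a registry-scoped key. The following audit is an added example, not code from this page, from npm, or from GlassWorm: it parses .npmrc text and reports which registry credentials are stored as plaintext versus referenced from the environment with ${VAR} syntax, which npm expands at run time so the secret never sits on disk. The sample file is constructed and the token in it is a placeholder.

```javascript
// Added example (not GlassWorm or npm code): audit .npmrc text for plaintext registry tokens.

// Minimal .npmrc parser: key=value lines, '#' and ';' comments, blanks ignored.
function parseNpmrc(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    entries.push({ key: line.slice(0, eq).trim(), value: line.slice(eq + 1).trim() });
  }
  return entries;
}

// npm's registry-scoped auth keys look like "//registry.npmjs.org/:_authToken=TOKEN".
// A value of the form ${NAME} is expanded from the environment by npm at run time;
// anything else is a literal secret that a stealer reading the file obtains directly.
function auditNpmrc(text) {
  const findings = [];
  for (const { key, value } of parseNpmrc(text)) {
    const m = key.match(/^\/\/(.+?)\/:(_authToken|_auth|_password)$/);
    if (!m) continue;
    const fromEnv = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/.test(value);
    findings.push({
      registry: m[1],
      field: m[2],
      plaintext: !fromEnv,
      preview: fromEnv ? value : value.slice(0, 6) + '...', // never echo the whole token
    });
  }
  return findings;
}

// Constructed sample; the token is a placeholder, not a real credential.
const SAMPLE_NPMRC = `
# constructed sample, not a real file
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=EXAMPLE-TOKEN-0000
//npm.pkg.github.com/:_authToken=\${GITHUB_TOKEN}
@acme:registry=https://npm.acme.invalid/
`;

for (const f of auditNpmrc(SAMPLE_NPMRC)) {
  console.log(`${f.registry} ${f.field}: ${f.plaintext ? 'PLAINTEXT on disk' : 'from environment'} (${f.preview})`);
}
```

Run it over the contents of ~/.npmrc and any project-level .npmrc; every finding marked PLAINTEXT is a credential that this class of stealer can lift with a single file read, and the fix is to move the token into an environment variable (or a short-lived token from your CI secret store) and leave only the ${VAR} reference in the file.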

.006 Data from Information Repositories: Databases

GlassWorm has collected Apple Notes data from macOS devices by targeting the user's note database files ~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite, ~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-wal, and ~/Library/Group Containers/group.com.apple.notes/NoteStore.sqlite-shm.[3]

Enterprise T1005 Data from Local System

GlassWorm has collected local data from a compromised host, including desktop cryptocurrency wallet data and documents from the Desktop, Documents, and Downloads folders.[3]

Enterprise T1565 .002 Data Manipulation: Transmitted Data Manipulation

GlassWorm can intercept and modify transaction details associated with hardware wallet applications before signing.[4]

Enterprise T1074 .001 Data Staged: Local Data Staging

GlassWorm has staged collected data in a working directory under a temp folder, such as /tmp/ijewf.[4][3]

Enterprise T1678 Delay Execution

GlassWorm has used a timeout set to 9e5, delaying execution by 900,000 milliseconds (15 minutes) to avoid detection.[4]

Enterprise T1140 Deobfuscate/Decode Files or Information

GlassWorm has decoded its Base64-encoded instructions.[1] GlassWorm has also decrypted its AES-encrypted payloads.[4][1][3]

Enterprise T1480 Execution Guardrails

GlassWorm has used logic to avoid executing on devices with Russian language or time zone settings.[3]

Enterprise T1008 Fallback Channels

GlassWorm has utilized Google Calendar as backup C2.[1][5]

Enterprise T1657 Financial Theft

GlassWorm has the ability to steal credentials for cryptocurrency wallets.[4][1][3]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

GlassWorm has used Hidden Virtual Network Computing (HVNC) to remain undetected while executing collection and communication actions.[1]

Enterprise T1105 Ingress Tool Transfer

GlassWorm has downloaded additional payloads from C2.[4][6][3][5]

Enterprise T1036 Masquerading

GlassWorm has masqueraded as legitimate VSCode extensions.[2][5] GlassWorm has also impersonated GitHub projects.[2]

Enterprise T1571 Non-Standard Port

GlassWorm has distributed C2 through the BitTorrent Distributed Hash Table (DHT) network to obtain a decentralized command capability.[1]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

GlassWorm has used AES-256-CBC encryption to obfuscate its malicious JavaScript payload.[4][1][3][5] GlassWorm has also used Base64 encoding to obfuscate the C2 details stored in a Solana transaction memo field.[4][1][5]

.018 Obfuscated Files or Information: Invisible Unicode

GlassWorm has utilized invisible Unicode Private Use Area (PUA) characters to obfuscate its malicious code so that it does not render in code editors.[4][1][2]
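For this technique the practical question is how to find it. The following scanner is an added example, not code from this page or from any GlassWorm analysis: it walks JavaScript source text by code point, flags every line containing characters that render as nothing in an editor (the Unicode Private Use Areas plus zero-width and bidi format characters), and notes when the same line also carries an eval/Function sink, which is the combination to triage first. The sample source and the four PUA code points in it are constructed; GlassWorm's actual encoding of the hidden payload is not reproduced here.

```javascript
// Added example (not GlassWorm code): find invisible code points in JavaScript source.

// Ranges that produce no visible glyph in a typical editor.
const INVISIBLE_RANGES = [
  [0xE000, 0xF8FF],     // BMP Private Use Area
  [0xF0000, 0xFFFFD],   // Supplementary Private Use Area-A
  [0x100000, 0x10FFFD], // Supplementary Private Use Area-B
  [0x200B, 0x200F],     // ZWSP, ZWNJ, ZWJ, LRM, RLM
  [0x202A, 0x202E],     // bidi embedding / override controls
  [0x2060, 0x2064],     // word joiner, invisible operators
  [0x2066, 0x2069],     // bidi isolates
  [0xFEFF, 0xFEFF],     // BOM / zero-width no-break space
  [0x3164, 0x3164],     // Hangul filler
  [0xFFA0, 0xFFA0],     // halfwidth Hangul filler
];

function isInvisible(cp) {
  return INVISIBLE_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// Returns one finding per line that contains invisible code points:
// { line, hidden, firstCol, hasSink }. Columns are counted in code points.
function scanSource(src) {
  const findings = [];
  src.split(/\r?\n/).forEach((line, i) => {
    let hidden = 0;
    let firstCol = -1;
    let col = 0;
    for (const ch of line) {            // for-of iterates code points, not UTF-16 units
      if (isInvisible(ch.codePointAt(0))) {
        hidden++;
        if (firstCol < 0) firstCol = col;
      }
      col++;
    }
    if (hidden > 0) {
      findings.push({
        line: i + 1,
        hidden,
        firstCol,
        hasSink: /\b(eval|Function|vm\.runIn\w+)\s*\(/.test(line),
      });
    }
  });
  return findings;
}

// Constructed sample: one ordinary line, then a line whose "payload" is four arbitrary
// PUA code points handed to eval. The decode() call is a placeholder name.
const SAMPLE = [
  'const cfg = require("./config");',
  'const x = "\uE001\uE002\uE003\uE004"; eval(decode(x));',
  'module.exports = cfg;',
].join('\n');

function report(findings) {
  for (const f of findings) {
    console.log(`line ${f.line} col ${f.firstCol}: ${f.hidden} invisible code point(s)` +
      (f.hasSink ? ' [eval/Function sink on same line]' : ''));
  }
}

// Usage: node scan.js path/to/file.js   (falls back to the constructed sample)
if (typeof require === 'function' && require.main === module) {
  const target = process.argv[2];
  report(target ? scanSource(require('node:fs').readFileSync(target, 'utf8')) : scanSource(SAMPLE));
}
```

Run this over the unpacked contents of an extension (.vsix) or package tarball before installing it; a single line with hundreds of invisible code points next to an eval or new Function call is the shape this technique takes, and a legitimate source file almost never contains Private Use Area characters at all.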

Enterprise T1090 .001 Proxy: Internal Proxy

GlassWorm has used peer-to-peer software, including WebRTC, to facilitate communications within the victim network.[1] GlassWorm has also established a SOCKS proxy on victim devices, which then acted as proxy nodes for follow-on activity.[1]

Enterprise T1518 Software Discovery

GlassWorm has searched for existing wallet applications to include Ledger Live and Trezor Suite.[4]

Enterprise T1539 Steal Web Session Cookie

GlassWorm has harvested Safari cookies stored at ~/Library/Containers/com.apple.Safari/Data/Library/Cookies/Cookies.binarycookies.[3] GlassWorm has also stolen cookies from Chromium and Firefox browsers.[4][3]

Enterprise T1195 .001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools

GlassWorm has spread through Visual Studio Code extensions.[1][2][3] GlassWorm has also spread through JavaScript projects hosted on GitHub.[2]

Enterprise T1082 System Information Discovery

GlassWorm can check the OS of the victim host.[3][5] GlassWorm has checked whether the OS platform value includes darwin before executing macOS-specific scripts.[3][5]

Enterprise T1614 System Location Discovery

GlassWorm has used geofencing logic that checks whether it is running in a Russian time zone to decide whether to continue executing.[3]

.001 System Language Discovery

GlassWorm has checked the system language settings for the values ru_RU, ru-RU, ru, and Russian to avoid executing on Russian-language devices.[3]

Enterprise T1124 System Time Discovery

GlassWorm has the ability to check the system’s time zone on the victim device.[3]

Enterprise T1102 .001 Web Service: Dead Drop Resolver

GlassWorm has used blockchain-based C2 infrastructure, including the Solana blockchain, where the transaction memo field holds additional C2 details.[4][6][1][2][3][5] GlassWorm has also used Google Calendar to host encoded data.[1][3][5]
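This entry and the Base64-in-memo entry under T1027.013 describe the same dead-drop pattern, so one worked example covers both. It is an added example, not GlassWorm's code and not an analysis of its actual transactions: given memo strings in the shape an analyst might export from a block explorer, it finds the newest memo that strictly decodes from Base64 to an http(s) URL, which is how a resolver picks up the operator's latest C2 address and how an analyst can check which memos on a watched address are live. The record fields (slot, memo) and every memo value are constructed assumptions.

```javascript
// Added example (not GlassWorm code): resolve a Base64 dead drop from transaction memos.

// Strict Base64 decode: reject non-alphabet characters, bad lengths, and non-canonical
// encodings so that ordinary memo text is not mistaken for an encoded payload.
function decodeBase64Strict(s) {
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(s) || s.length % 4 !== 0) return null;
  const buf = Buffer.from(s, 'base64');
  if (buf.toString('base64') !== s) return null;   // round-trip guard
  return buf.toString('utf8');
}

// Only http(s) URLs count as C2 details here; anything else is treated as noise.
function extractC2(memoText) {
  try {
    const u = new URL(memoText.trim());
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
  } catch {
    return null;
  }
}

// Walk memos newest-first (highest slot) and return the first that decodes to a C2 URL.
// Returns null when no memo resolves, e.g. the address has not been seeded yet.
function resolveDeadDrop(records) {
  const sorted = [...records].sort((a, b) => b.slot - a.slot);
  for (const r of sorted) {
    const text = decodeBase64Strict(r.memo);
    if (text === null) continue;
    const c2 = extractC2(text);
    if (c2) return { slot: r.slot, c2 };
  }
  return null;
}

// Constructed sample records; .invalid hosts are reserved and never resolve.
const SAMPLE_MEMOS = [
  { slot: 1001, memo: 'hello world' },                                            // plain text, skipped
  { slot: 1002, memo: Buffer.from('http://c2.invalid/beacon').toString('base64') },
  { slot: 1003, memo: Buffer.from('not a url').toString('base64') },              // decodes, not a URL
  { slot: 1004, memo: Buffer.from('https://update.invalid:8443/v2').toString('base64') },
];

console.log(resolveDeadDrop(SAMPLE_MEMOS)); // { slot: 1004, c2: 'https://update.invalid:8443/v2' }
```

The defensive takeaway is that the on-chain address is the stable indicator: the C2 URL can be rotated with one new transaction, so detection and blocking should key on the extension or package code that reads memos from that address, not on whatever URL the memo currently decodes to.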

References