GlassWorm Malware Uses Solana Dead Drops to Deliver RAT and Steal Browser, Crypto Data

Ravie Lakshmanan | March 25, 2026 | Browser Security / Threat Intelligence

Cybersecurity researchers have flagged a new evolution of the GlassWorm campaign that introduces a multi-layered framework capable of comprehensive data theft and of installing a remote access trojan (RAT), which in turn deploys an information-stealing Google Chrome extension that masquerades as an offline version of Google Docs.

“It logs keystrokes, drops cookies and time tokens, captures screenshots, and takes commands from the C2 server hidden in the Solana blockchain,” said Aikido security researcher Ilyas Makari in a report published last week.

GlassWorm is the moniker assigned to an ongoing campaign that has its roots in malicious packages published across npm, PyPI, GitHub, and the Open VSX marketplace. The operators are also known to compromise the accounts of project maintainers in order to push poisoned updates.

The attack takes care to avoid infecting systems located in Russia and uses Solana transactions as a dead drop resolver to retrieve the command-and-control (C2) server address (“45.32.150[.]251”) and then download operating system-specific payloads.

The second-stage loader is a data theft framework with data harvesting, cryptocurrency wallet extraction, and system profiling capabilities. The collected data is compressed into a ZIP archive and exfiltrated to an external server (“217.69.3[.]152/wall”). The loader is also responsible for retrieving and executing the final payload.

Once the data is transmitted, the attack chain downloads two additional components: a .NET binary designed to carry out hardware wallet phishing, and a WebSocket-based JavaScript RAT that extracts web browser data and executes attacker-supplied code. The RAT payload is downloaded from “45.32.150[.]251”, with a public Google Calendar event URL serving as a dead drop resolver.

The .NET binary uses the Windows Management Instrumentation (WMI) infrastructure to detect USB device connections and displays a phishing window when a Ledger or Trezor hardware wallet is plugged in.

“The Ledger UI displays a false configuration error and presents 24-digit recovery phrase input fields,” Makari noted. “Trezor UI displays a fake ‘Firmware verification failed, initiating emergency reboot’ message with the same 24-word structure. Both windows include a ‘RESTORE WALLET’ button.”

The malware not only kills any legitimate Ledger Live processes running on the Windows host, but also re-displays the phishing window if the victim closes it. The ultimate goal of the attack is to capture the wallet’s recovery phrase and forward it to the IP address “45.150.34[.]158”.

The RAT, for its part, uses a Distributed Hash Table (DHT) lookup to obtain C2 information. If the lookup returns no value, the malware falls back to the Solana-based resolver. The RAT then establishes a connection to the server to execute various commands on the compromised system:

  • start_hvnc / stop_hvnc, to use the Hidden Virtual Network Computing (HVNC) module for remote desktop access.
  • start_socks / stop_socks, to start the WebRTC module and run it as a SOCKS proxy.
  • reget_log, to steal data from web browsers such as Google Chrome, Microsoft Edge, Brave, Opera, Opera GX, Vivaldi, and Mozilla Firefox. The component is equipped to bypass Chrome’s App-Bound Encryption (ABE) protections.
  • get_system_info, to send system information.
  • command, to execute the JavaScript provided by the attacker with eval().

The RAT also forces the installation of a Google Chrome extension called Google Docs Offline on Windows and macOS systems. The extension then connects to the C2 server and receives commands issued by the operator, allowing them to collect cookies, local storage, the full Document Object Model (DOM) tree of the active tab, bookmarks, screenshots, keystrokes, clipboard content, and lists of installed browsers.

“The extension also performs targeted session monitoring. It pulls the monitored site’s rules from /api/get-url-for-watch and sends it with pre-configured Bybit (.bybit.com) as the target, watching for secure token and deviceid cookies,” Aikido said. “When received, it fires an auth-received webhook at /api/webhook/auth-received that contains the cookie material and page metadata. C2 can also provide redirect rules that enforce active tabs on attacker-controlled URLs.”
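As an added example (not code from the article, Aikido, or AFINE), the following Python scanner refangs the indicators quoted above and runs them over proxy log lines to flag contact with the reported C2 and exfiltration hosts and the extension’s webhook paths. The log line format and the sample lines are constructed for illustration and do not correspond to any real product.

```python
import re
from dataclasses import dataclass

# Defanged indicators exactly as reported on the page; refang() restores the dots.
REPORTED_IOCS = {
    "45.32.150[.]251": "GlassWorm C2 / RAT download host",
    "217.69.3[.]152": "stealer exfiltration server (ZIP upload to /wall)",
    "45.150.34[.]158": "hardware wallet recovery phrase collection",
}
# C2 API paths the Chrome extension is reported to call (host is operator-controlled).
SUSPICIOUS_PATHS = ("/api/get-url-for-watch", "/api/webhook/auth-received")

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 1.2.3[.]4 back into a matchable form."""
    return indicator.replace("[.]", ".")

IOC_IPS = {refang(ip): reason for ip, reason in REPORTED_IOCS.items()}

# Constructed log format (assumption): "<ts> <src_ip> <METHOD> http(s)://<host>[:port]<path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/:\s]+)(?::\d+)?(?P<path>/\S*)?"
)

@dataclass
class Finding:
    ts: str
    src: str
    host: str
    reason: str

def scan_line(line: str):
    """Return a Finding for a line that hits an IoC host or extension C2 path, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: ignored rather than treated as a hit
    host, path = m["host"], m["path"] or "/"
    if host in IOC_IPS:
        return Finding(m["ts"], m["src"], host, IOC_IPS[host])
    for p in SUSPICIOUS_PATHS:
        if path.startswith(p):
            return Finding(m["ts"], m["src"], host, f"extension C2 endpoint {p}")
    return None

def scan(lines):
    return [f for f in map(scan_line, lines) if f is not None]

SAMPLE_LOG = [  # constructed sample lines; hosts and file names are illustrative
    "2026-03-25T10:00:01Z 10.0.0.12 GET http://45.32.150.251/stage.bin",
    "2026-03-25T10:00:05Z 10.0.0.12 POST http://217.69.3.152/wall",
    "2026-03-25T10:01:00Z 10.0.0.12 GET https://www.google.com/calendar/event?eid=abc",
    "2026-03-25T10:02:00Z 10.0.0.12 POST https://c2.example.invalid/api/webhook/auth-received",
    "2026-03-25T10:03:00Z 10.0.0.7 GET https://docs.google.com/",
]
```

The Google Calendar line is deliberately not flagged: the page reports the calendar event only as a dead drop resolver, so a hit there would need content inspection rather than host matching.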

The discovery coincides with yet another change in GlassWorm’s tactics, with attackers publishing npm packages masquerading as a WaterCrawl Model Context Protocol (MCP) server (“@iflow-mcp/watercrawl-watercrawl-mcp”) to distribute malicious payloads.

“This is the first confirmed step of GlassWorm into the MCP ecosystem,” said Koi security researcher Lotan Sery. “And given how fast AI-assisted development is growing – and how much trust MCP servers offer by design – this won’t be the last.”

Developers are advised to exercise caution when installing Open VSX extensions, npm packages, and MCP servers. They should also verify publisher names and package histories, and avoid relying blindly on download statistics. Polish cybersecurity company AFINE has published an open-source Python tool called glassworm-hunter to scan developer systems for campaign-related payloads.

“Glassworm hunter does not make network requests during scanning,” said researchers Paweł Woyke and Sławomir Zakrzewski. “No telemetry. No phone-home. No automatic update checks. Only reads local files. Glassworm-hunter update is the only command that affects the network. It downloads the latest IoC database from our GitHub and saves it locally.”
