
Cybersecurity researchers have warned of a new evolution in the GlassWorm campaign. The campaign provides a multi-stage framework capable of comprehensive data theft and installation of a remote access trojan (RAT) that deploys an information-stealing Google Chrome extension disguised as an offline version of Google Docs.
“It logs keystrokes, dumps cookies and session tokens, captures screenshots, and retrieves commands from C2 servers hidden in Solana blockchain notes,” Aikido security researcher Ilyas Makari said in a report published last week.
GlassWorm is the nickname assigned to a persistent campaign that gained its first foothold through malicious packages published across the npm, PyPI, GitHub, and Open VSX marketplaces. Additionally, operators have been known to compromise project administrator accounts and push tainted updates.
The attack takes care to avoid infecting systems with Russian locales and uses Solana transactions as a dead drop resolver to obtain the command-and-control (C2) server (45.32.150[.]251) and download an operating-system-specific payload.
The stage 2 payload is a data theft framework with credential harvesting, cryptocurrency wallet exfiltration, and system profiling capabilities. The collected data is compressed into a ZIP archive and exfiltrated to an external server (217.69.3[.]152/wall). The payload can also retrieve and launch the final stage.
Once the data has been exfiltrated, the attack chain fetches two additional components: a .NET binary designed to perform hardware wallet phishing, and a WebSocket-based JavaScript RAT that siphons web browser data and executes arbitrary code. The RAT payload, retrieved from 45.32.150[.]251, uses public Google Calendar event URLs as dead drop resolvers.
The .NET binary leverages the Windows Management Instrumentation (WMI) infrastructure to detect the connection of a USB device and display a phishing window when a Ledger or Trezor hardware wallet is connected.
“The Ledger UI displays a bogus configuration error and displays 24 numbered recovery phrase input fields,” Makari noted. “Trezor UI displays a fake ‘Firmware Verification Failed. Initiating Emergency Reboot’ message with the same 24-word input layout. Both windows include a ‘Restore Wallet’ button.”
The malware not only kills the actual Ledger Live process running on the Windows host, but also redisplays the phishing window when the victim closes it. The ultimate goal of the attack is to capture the wallet recovery phrase and send it to the IP address 45.150.34[.]158.
The RAT, on the other hand, uses a distributed hash table (DHT) to obtain C2 details. If this mechanism returns nothing, the malware falls back to a Solana-based dead drop. The RAT then establishes communication with the server and executes various commands on the compromised system:
- start_hvnc / stop_hvnc: deploys the Hidden Virtual Network Computing (HVNC) module for remote desktop access.
- start_socks / stop_socks: starts the WebRTC module and runs it as a SOCKS proxy.
- reget_log: steals data from web browsers such as Google Chrome, Microsoft Edge, Brave, Opera, Opera GX, Vivaldi, and Mozilla Firefox. This component can bypass Chrome's App-Bound Encryption (ABE) protection.
- get_system_info: sends system information.
- A further command executes attacker-provided JavaScript via eval().
The RAT also force-installs a Google Chrome extension named Google Docs Offline on Windows and macOS systems. The extension connects to the C2 server and receives commands issued by the operators, allowing them to collect cookies, localStorage, the complete Document Object Model (DOM) tree of the active tab, bookmarks, screenshots, keystrokes, clipboard contents, up to 5,000 browser history entries, and a list of installed extensions.
“This extension also performs targeted session monitoring. It retrieves the monitored site rules from /api/get-url-for-watch, ships with Bybit (.bybit.com) preconfigured as a target, and monitors secure tokens and device ID cookies,” Aikido said. “Once detected, it launches an auth-detected webhook to /api/webhook/auth-detected containing cookie material and page metadata. The C2 can also provide redirect rules that force the active tab to an attacker-controlled URL.”
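A force-installed extension that borrows the name of a bundled Google component is something a defender can check for offline. The following is an added example, not code from the article, from Aikido, Koi or AFINE: it walks a Chrome profile's Extensions directory and flags any manifest whose name is "Google Docs Offline" but whose directory ID is not the genuine one, and it audits managed-policy JSON files (the Linux/macOS policy layout) for ExtensionInstallForcelist entries that are not on a local allowlist. The genuine extension ID is an assumed baseline value to verify against your own fleet; the profile layout and sample files are constructed for the demo.

```python
"""Audit a Chrome/Chromium profile for a sideloaded "Google Docs Offline" extension.

Added example (not from the article or from Aikido/Koi/AFINE). Two offline checks:
  1. every installed extension whose manifest name is "Google Docs Offline" lives
     in a directory whose ID matches the genuine extension's ID, and
  2. no extension is force-installed via policy (ExtensionInstallForcelist) unless
     it is on a local allowlist.
Paths and sample data in demo() are constructed for the demo.
"""
import json
import tempfile
from pathlib import Path

# Assumed ID of the genuine Google Docs Offline extension bundled with Chrome;
# treat it as a baseline to verify, not as ground truth.
GENUINE_DOCS_OFFLINE_ID = "ghbmnnjooekpmoecnnnilnnbdlolhkhi"
DOCS_OFFLINE_NAME = "google docs offline"


def find_rogue_docs_offline(extensions_root) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and report any
    extension that calls itself "Google Docs Offline" under a foreign ID."""
    findings = []
    for manifest in Path(extensions_root).glob("*/*/manifest.json"):
        ext_id = manifest.parent.parent.name
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
        name = str(data.get("name", "")).strip().lower()
        if name == DOCS_OFFLINE_NAME and ext_id != GENUINE_DOCS_OFFLINE_ID:
            findings.append({"id": ext_id, "path": str(manifest),
                             "reason": "name impersonates Google Docs Offline"})
    return findings


def audit_forcelist(policy_dir, allowlist: set) -> list:
    """Read managed-policy JSON files and report ExtensionInstallForcelist entries
    whose ID is not allowlisted. Entries look like "<id>;<update_url>"."""
    findings = []
    for policy_file in Path(policy_dir).glob("*.json"):
        try:
            policy = json.loads(policy_file.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        for entry in policy.get("ExtensionInstallForcelist", []):
            ext_id = str(entry).split(";", 1)[0]
            if ext_id not in allowlist:
                findings.append({"id": ext_id, "path": str(policy_file),
                                 "reason": "force-installed extension not on allowlist"})
    return findings


def demo() -> dict:
    """Build a constructed profile layout in a temp dir and run both checks."""
    root = Path(tempfile.mkdtemp())
    ext_root = root / "Extensions"
    # Genuine-looking entry: expected ID, expected name -> no finding.
    good = ext_root / GENUINE_DOCS_OFFLINE_ID / "1.0_0"
    good.mkdir(parents=True)
    (good / "manifest.json").write_text(json.dumps(
        {"name": "Google Docs Offline", "version": "1.0"}))
    # Rogue entry: same display name, different ID (constructed, not a real IoC).
    rogue_id = "a" * 32
    rogue = ext_root / rogue_id / "0.0.1_0"
    rogue.mkdir(parents=True)
    (rogue / "manifest.json").write_text(json.dumps(
        {"name": "Google Docs Offline", "version": "0.0.1",
         "permissions": ["cookies", "<all_urls>"]}))
    # Managed policy forcing the rogue extension plus one allowlisted extension.
    policy_dir = root / "policies" / "managed"
    policy_dir.mkdir(parents=True)
    (policy_dir / "extensions.json").write_text(json.dumps({
        "ExtensionInstallForcelist": [
            rogue_id + ";https://example.invalid/update.xml",
            "b" * 32 + ";https://example.invalid/update.xml"]}))
    return {
        "rogue_extensions": find_rogue_docs_offline(ext_root),
        "forcelist": audit_forcelist(policy_dir, allowlist={"b" * 32}),
    }


if __name__ == "__main__":
    for category, items in demo().items():
        for item in items:
            print(f"[{category}] {item['id']}: {item['reason']} ({item['path']})")
```

On a real host, point find_rogue_docs_offline at the profile's Extensions directory and audit_forcelist at the managed-policy directory (on Windows the forcelist lives in the registry under the Chrome policy key instead, so the JSON reader does not apply there); any rogue hit is worth correlating with the article's RAT indicators.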
This discovery coincides with a further shift in GlassWorm tactics: the attacker has published an npm package that impersonates a WaterCrawl Model Context Protocol (MCP) server (“@iflow-mcp/watercrawl-watercrawl-mcp”) and distributes a malicious payload.
“This is the first confirmation of GlassWorm moving into the MCP ecosystem,” said Lotan Sery, security researcher at Koi. “And given how quickly AI-assisted development is growing and how trusted MCP servers are by design, this won’t be the last time.”
Developers are advised to exercise caution when installing Open VSX extensions, npm packages, and MCP servers, to check the publisher name and package history, and not to trust download counts blindly. Polish cybersecurity company AFINE has published an open-source Python tool called glassworm-hunter that scans developer systems for payloads related to the campaign.
Researchers Paweł Woyke and Sławomir Zakrzewski said: “glassworm-hunter does not make any network requests during the scan. No telemetry. No phoning home. No automatic update check. It reads only local files. glassworm-hunter update is the only command that connects to the network. It gets the latest IoC database from GitHub and stores it locally.”
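The scanner's design principle, read local files only and never touch the network during a scan, is easy to reproduce for a narrow sweep. The following is an added example and not AFINE's glassworm-hunter or any code from the article: it keeps the article's indicators in defanged form, refangs them only in memory, and sweeps a directory tree (node_modules, an Open VSX/VS Code extensions folder) for files that contain them, reporting the path, the indicator and the line. The scanned layout and file contents in demo() are constructed; only the indicator strings come from the article.

```python
"""Offline indicator sweep over local package and extension trees.

Added example, not AFINE's glassworm-hunter and not code from the article. It
follows the same design rule (local files only, no network) and uses the
indicators quoted in the article, stored defanged with "[.]" and refanged only
in memory for matching. Sample files in demo() are constructed.
"""
import re
import tempfile
from pathlib import Path

# Indicators from the article, kept defanged; refang() restores them for matching.
DEFANGED_INDICATORS = [
    "45.32.150[.]251",                        # stage-1 dead-drop target / RAT host
    "217.69.3[.]152/wall",                    # stage-2 exfiltration endpoint
    "45.150.34[.]158",                        # hardware-wallet phishing exfil host
    "@iflow-mcp/watercrawl-watercrawl-mcp",   # impersonating MCP package name
    "/api/get-url-for-watch",                 # extension C2 path
    "/api/webhook/auth-detected",             # extension C2 path
]
SCAN_SUFFIXES = {".js", ".mjs", ".cjs", ".json", ".py", ".ts"}
MAX_BYTES = 8 * 1024 * 1024  # skip very large files; they are rarely install scripts


def refang(ioc: str) -> str:
    """Turn a defanged indicator ("45.32.150[.]251", "hxxp://") back into its real form."""
    return (ioc.replace("[.]", ".")
               .replace("hxxps://", "https://")
               .replace("hxxp://", "http://"))


def compile_patterns(defanged):
    """Byte-regex per indicator so binary-ish files can be searched without decoding."""
    return [(ioc, re.compile(re.escape(refang(ioc)).encode())) for ioc in defanged]


def scan_file(path: Path, patterns) -> list:
    """Return one hit dict per matching indicator in a single file (first match only)."""
    try:
        if path.stat().st_size > MAX_BYTES:
            return []
        data = path.read_bytes()
    except OSError:
        return []
    hits = []
    for label, pattern in patterns:
        match = pattern.search(data)
        if match:
            line_no = data.count(b"\n", 0, match.start()) + 1
            hits.append({"path": str(path), "indicator": label, "line": line_no})
    return hits


def scan_tree(root, patterns=None) -> list:
    """Sweep every file with a scannable suffix under root; no network access."""
    patterns = patterns or compile_patterns(DEFANGED_INDICATORS)
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits.extend(scan_file(path, patterns))
    return hits


def demo() -> list:
    """Constructed node_modules tree: one clean package, one carrying indicators."""
    root = Path(tempfile.mkdtemp())
    clean = root / "node_modules" / "left-pad" / "index.js"
    clean.parent.mkdir(parents=True)
    clean.write_text("module.exports = (s, n) => s.padStart(n);\n")
    # Constructed config that merely contains two of the article's indicators.
    tainted = root / "node_modules" / "evil-pkg" / "config.json"
    tainted.parent.mkdir(parents=True)
    tainted.write_text('{\n  "c2": "http://45.32.150.251/",\n'
                       '  "watch": "/api/get-url-for-watch"\n}\n')
    return scan_tree(root)


if __name__ == "__main__":
    for hit in demo():
        print(f"{hit['path']}:{hit['line']}: {hit['indicator']}")
```

Run scan_tree against a project's node_modules or an extensions directory; a hit on a C2 path string inside a package that has no business talking to such an endpoint is the signal to quarantine the package and pull its install history, which is exactly the publisher and history check the advice above calls for.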
