GlassWorm: an infostealer with decentralized C2 and developer ecosystem infection

📊 Analytics · 2026-04-15, 07:32
GlassWorm is a multi-stage data theft campaign targeting developers and cryptocurrency users. It spreads through compromised extensions for Visual Studio Code and Cursor, as well as packages in npm and OpenVSX, making it a classic supply chain attack scenario.
ℹ️ How the attack works
A key feature of GlassWorm is hiding its payload using Unicode steganography.
The malicious code is encoded within the Unicode range U+E0100–U+E01EF (Variation Selectors Supplement) and embedded in strings that appear visually empty. During execution, these characters are decoded back into a binary payload.
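A defender-side check for this hiding technique, added here as an example and not code from the GlassWorm report or any affected project: it scans source text for runs of Variation Selectors Supplement code points (U+E0100–U+E01EF) and reports where they sit and what the line looks like with them removed. The sample file, the hidden string and the byte-to-code-point mapping used to build it are all constructed for the demo.

```javascript
// Added example: flag "visually empty" strings that carry Variation Selectors
// Supplement code points (U+E0100..U+E01EF). These characters render as nothing,
// so a string literal that looks like "" can still hold hundreds of code points.
const VS_SUPPLEMENT_RUN = /[\u{E0100}-\u{E01EF}]+/gu;

function findInvisibleRuns(source) {
  const findings = [];
  source.split('\n').forEach((line, idx) => {
    for (const m of line.matchAll(VS_SUPPLEMENT_RUN)) {
      findings.push({
        line: idx + 1,
        // Count code points, not UTF-16 units: every selector here is an astral
        // character occupying two units, so String.length would overstate positions.
        column: Array.from(line.slice(0, m.index)).length + 1,
        codePoints: Array.from(m[0]).length,
        // What a reviewer actually sees on that line once the run is stripped.
        visible: line.replace(VS_SUPPLEMENT_RUN, '').trim(),
      });
    }
  });
  return findings;
}

// Constructed sample: a small module in which one "empty" string hides a run.
// Mapping each byte to U+E0100 + byte is an assumption made for this demo only,
// not a statement about how GlassWorm's encoder works.
function buildSample() {
  const hidden = Array.from('hello', c => String.fromCodePoint(0xE0100 + c.charCodeAt(0))).join('');
  return [
    'const greeting = "hi";',
    `const cfg = "${hidden}";`,
    'module.exports = { greeting };',
  ].join('\n');
}

for (const f of findInvisibleRuns(buildSample())) {
  console.log(`line ${f.line}, col ${f.column}: ${f.codePoints} hidden code points in: ${f.visible}`);
}
```

Run it over extension bundles or package tarball contents before installation; a clean file returns an empty list, and any hit on a string that renders as empty deserves manual inspection.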
The malware also performs victim filtering. It checks the system’s locale and time zone and may avoid activating on systems associated with CIS countries.
A cooldown mechanism is implemented as well. The presence of a marker file, init.json, prevents the malware from reactivating within two days. This reduces noise and lowers the likelihood of detection.
➡️ Injection and execution
On Windows, the malware uses DLL injection via the Early Bird APC technique.
The process works as follows: the malware extracts a DLL from its embedded resources, creates a browser process in a suspended or debug state, allocates memory in that process's address space, and writes the DLL path into it. It then queues an APC that calls LoadLibraryW with that path. Once the process resumes, the DLL is loaded into the target process.
This approach allows code execution before full process initialization and helps bypass certain security controls.
🌐 Decentralized C2
Instead of hardcoded command-and-control addresses, the malware retrieves them from blockchain transaction data, specifically the memo fields of transactions associated with multiple cryptocurrency wallets.
This provides several advantages: no single point of failure, the ability to dynamically update infrastructure without modifying the malware, and increased resistance to blocking.
💣 Self-propagation
GlassWorm implements a worm-like propagation model through developers.
After infection, it collects environment data, including GitHub and npm tokens, as well as the contents of working directories. It can then modify the victim’s projects or publish infected packages that are later installed by other developers.
This creates a self-sustaining cycle, in which an infected developer becomes a source of infection for others.
🔖 Additional observations
The research notes possible signs of generative AI being used in the development of certain components, for example unusually “friendly” CLI messages and non-standard stylistic elements.
The malware also exhibits atypical system activity, including the creation of uniquely named communication channels, injection into browser processes, interaction with uncommon COM interfaces, and modification of browser configuration files.