Advanced Malware Threat: GlassWorm Uses Solana Blockchain to Evade Detection


Security researchers have uncovered a new evolution of the GlassWorm malware campaign, introducing a highly sophisticated technique that leverages blockchain technology to hide its command-and-control (C2) infrastructure.

Unlike traditional malware, this variant uses the Solana blockchain as a “dead drop” mechanism to retrieve instructions and payloads, making detection and takedown significantly more difficult.

How the Attack Works

The attack chain is multi-stage and designed for maximum stealth and data exfiltration.

Initial access is typically gained through compromised developer ecosystems, including malicious packages distributed via platforms like npm, PyPI, GitHub, and extension marketplaces.

Once executed, the malware retrieves instructions from data embedded in Solana blockchain transactions, effectively hiding its infrastructure in a decentralized and immutable environment.

From there, it downloads system-specific payloads and begins the infection process.

Multi-Stage Payload and Capabilities

GlassWorm is not simple malware; it is a full framework designed for deep system compromise.

Key capabilities include:

  • Deployment of a Remote Access Trojan (RAT) for persistent control
  • Installation of a malicious Chrome extension disguised as Google Docs offline
  • Keystroke logging and screenshot capture
  • Theft of cookies, session tokens, and browser data
  • Extraction of cryptocurrency wallet information

All collected data is packaged and exfiltrated to attacker-controlled infrastructure.

Why Blockchain Makes This Dangerous

The use of blockchain introduces a new level of resilience for attackers.

Traditional malware relies on centralized servers that can be blocked or taken down. In contrast, GlassWorm retrieves its instructions from the Solana blockchain, which:

  • Cannot be easily shut down or censored
  • Is publicly accessible yet difficult to monitor effectively
  • Allows attackers to update payload locations dynamically

This approach significantly complicates detection and response efforts for security teams.

Additional Evasion Techniques

The campaign also demonstrates a high level of operational maturity:

  • Avoids infecting systems configured with Russian locale
  • Uses multiple delivery vectors, including supply chain attacks
  • Continuously rotates infrastructure to evade detection

These characteristics indicate a well-resourced and adaptive threat actor.

Mitigation and Security Recommendations

Organizations and developers should take proactive measures to reduce risk:

  • Avoid installing unverified packages or extensions
  • Audit dependencies and monitor for suspicious updates
  • Restrict browser extension permissions
  • Monitor outbound traffic, including unusual blockchain-related requests
  • Implement endpoint detection and response (EDR) solutions

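The outbound-traffic recommendation above is the one a SOC can act on immediately: a workstation whose developer tooling suddenly starts posting JSON-RPC requests to a public Solana RPC endpoint is worth a look. The script below is an added example, not code from the original post or from any GlassWorm analysis. It runs a small allowlist-based detector over constructed proxy log lines. The log format, the allowlisted hosts and processes, and the inclusion of rpc.ankr.com as a third-party RPC provider are assumptions; the api.*.solana.com hostnames are Solana's own public RPC endpoints.

```python
"""Flag hosts that contact public Solana RPC endpoints without an approved reason.

Added example (not from the original post). The proxy log format, the allowlists
and the sample lines are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Public Solana RPC hostnames. The solana.com entries are Solana's own public
# endpoints; rpc.ankr.com is a third-party provider and is an assumption here.
SOLANA_RPC_HOSTS = {
    "api.mainnet-beta.solana.com",
    "api.devnet.solana.com",
    "api.testnet.solana.com",
    "rpc.ankr.com",
}

# Assumed allowlist: hosts and processes with a legitimate reason to query a chain.
APPROVED_HOSTS = {"crypto-trader-1"}
APPROVED_PROCS = {"exodus.exe"}

# Processes commonly driven by developer tooling or extension hosts (assumed list).
DEV_TOOLING = {"node.exe", "python.exe", "code.exe"}

# Assumed proxy log format: timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+) method=(?P<method>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample log. The fourth line is deliberately malformed to show that
# unparseable records are skipped rather than crashing the detector.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z host=dev-ws-17 proc=node.exe dst=api.mainnet-beta.solana.com:443 method=POST bytes=412
2024-01-01T10:00:02Z host=dev-ws-17 proc=chrome.exe dst=docs.google.com:443 method=GET bytes=15320
2024-01-01T10:00:05Z host=fin-ws-03 proc=python.exe dst=rpc.ankr.com:443 method=POST bytes=388
garbage line that does not match the format
2024-01-01T10:00:07Z host=build-01 proc=node.exe dst=registry.npmjs.org:443 method=GET bytes=90210
2024-01-01T10:00:09Z host=crypto-trader-1 proc=exodus.exe dst=api.mainnet-beta.solana.com:443 method=POST bytes=401
"""


@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    proc: str
    dst: str
    reason: str


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(log_text: str) -> list:
    """Return one Alert per connection to a Solana RPC host from an unapproved source."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dst"] not in SOLANA_RPC_HOSTS:
            continue
        if rec["host"] in APPROVED_HOSTS or rec["proc"] in APPROVED_PROCS:
            continue
        # JSON-RPC calls are POSTs; a POST from developer tooling matches the
        # "read instructions from the chain" pattern described in the post.
        if rec["proc"] in DEV_TOOLING and rec["method"] == "POST":
            reason = "developer tooling posting to Solana RPC (possible dead-drop lookup)"
        else:
            reason = "unapproved process contacting Solana RPC"
        alerts.append(Alert(rec["ts"], rec["host"], rec["proc"], rec["dst"], reason))
    return alerts


def hosts_to_triage(alerts: list) -> list:
    """Distinct hosts from the alert list, sorted, for a triage queue."""
    return sorted({a.host for a in alerts})


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.host} {a.proc} -> {a.dst}: {a.reason}")
    print("hosts to triage:", hosts_to_triage(detect(SAMPLE_LOG)))
```

On the sample data the detector raises two alerts (dev-ws-17 and fin-ws-03) and stays quiet for the approved trading host, the npm registry fetch and the malformed line. The allowlist is the important design choice: blockchain RPC traffic is not malicious on its own, so the signal comes from pairing the destination with an unexpected source process and host, and the allowlist should be maintained with the teams that legitimately use such endpoints.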
Given its stealth and persistence, early detection is critical.

Why This Matters

GlassWorm represents a shift in how malware operates, moving away from traditional infrastructure to decentralized platforms.

This evolution signals a broader trend where attackers increasingly adopt innovative technologies to bypass conventional defenses. As a result, organizations must adapt their security strategies to address these emerging threats.
