root@rebel:~$ cd /news/threats/glassworm-malware-uses-solana-dead-drops-for-stealthy-c2-delivery_
[TIMESTAMP: 2026-03-25 16:31 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

GlassWorm Malware Uses Solana Dead Drops for Stealthy C2 Delivery

HIGH | Malware | #GlassWorm #Solana #RAT
AI-Assisted Analysis
READ_TIME: 3 min read
// executive briefing tl;dr
  • [01] GlassWorm targets Windows users to exfiltrate browser credentials and cryptocurrency wallet data through a multi-stage infection chain.
  • [02] Infected systems host a Remote Access Trojan and a malicious Chrome extension disguised as an offline version of Google Docs.
  • [03] Defenders must monitor for suspicious blockchain-related network traffic and audit browser extensions for unauthorized or sideloaded additions.

Technical Analysis of the GlassWorm Infection Chain

The GlassWorm campaign has transitioned into a sophisticated multi-stage framework that leverages blockchain technology to bypass traditional security perimeters. According to The Hacker News, the malware uses the Solana blockchain as a ‘dead drop’ mechanism to retrieve C2 server addresses. By embedding infrastructure details within transaction metadata, the threat actor behind GlassWorm ensures that static IoC lists are quickly outdated, making detection significantly harder for a SOC.

Once the initial infection occurs, typically through phishing or social engineering, the malware fetches the latest C2 configuration from the blockchain. This leads to the deployment of a RAT (Remote Access Trojan), which gives the attacker full control over the compromised host. The staged approach lets the malware verify its environment before deploying its more aggressive payloads, including the components that handle secondary data exfiltration.

Malicious Chrome Extension and Information Theft

A notable component of this campaign is the deployment of an information-stealing Google Chrome extension. The extension masquerades as an offline version of Google Docs, a tactic intended to lower user suspicion. Once installed, it gains deep access to the user’s browsing activity and performs extensive data exfiltration: it can log keystrokes, dump browser cookies and session tokens, and capture screenshots of the user’s desktop.

For organizations, the primary risk involves the theft of session tokens, which allows attackers to bypass multi-factor authentication (MFA) and achieve Lateral Movement within the corporate network. The malware specifically targets cryptocurrency wallet data, suggesting a financial motivation or a focus on decentralized finance (DeFi) users who rely on browser-based extensions for asset management.

How to Detect GlassWorm Solana Dead Drop Activity

Detecting this threat requires looking beyond traditional file-based signatures. Security teams should focus on identifying anomalous network requests to blockchain explorer APIs or direct connections to the Solana network that do not align with legitimate business processes. Because the C2 instructions are hosted on a legitimate public ledger, blocking the domain itself is often not feasible without disrupting legitimate services.

Implementing EDR solutions to monitor for unauthorized browser extension sideloading is critical. Since the GlassWorm framework uses a multi-stage approach, monitoring for PowerShell or CMD processes spawning from browser-related parent processes can help identify the initial stages of the infection. Analysts should also search for specific TTP patterns, such as scripts that parse blockchain transaction logs or frequent requests to known Solana RPC nodes.
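The two hunting heuristics described above, process lineage (a browser parent spawning PowerShell or cmd) and Solana-related requests from workstations with no business reason to make them, can be expressed as a small script over SIEM exports. The code below is an added example, not part of the original article or of any vendor's product; the process events and proxy log lines are constructed, the key=value log format is an assumption, and the Solana domain list is only a starting point to extend from your own telemetry.

```python
"""Hunting heuristics for GlassWorm-style activity over constructed sample data.

Check 1: browser parent process spawning a shell (process-creation events).
Check 2: Solana RPC/explorer traffic from hosts outside a developer allowlist.
"""
import re

BROWSER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Assumption: a starting set of public Solana RPC/explorer domains. Matching is
# suffix-based, so api.mainnet-beta.solana.com and explorer.solana.com both count.
SOLANA_DOMAINS = ("solana.com", "solscan.io")

# Constructed process-creation events (Sysmon Event ID 1 style, simplified).
PROCESS_EVENTS = [
    {"host": "WS-FIN-07",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"host": "WS-DEV-02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c npm test"},
    {"host": "WS-HR-11",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "command_line": "chrome.exe --type=renderer"},
]

# Constructed proxy log lines, one request per line (assumed key=value format).
PROXY_LOG = """\
2026-03-25T16:30:11Z host=WS-FIN-07 user=jdoe dst=api.mainnet-beta.solana.com:443 method=POST path=/ status=200
2026-03-25T16:30:12Z host=WS-FIN-07 user=jdoe dst=www.google.com:443 method=GET path=/ status=200
2026-03-25T16:30:40Z host=WS-DEV-02 user=aroy dst=api.devnet.solana.com:443 method=POST path=/ status=200
2026-03-25T16:31:05Z host=WS-HR-11 user=mkim dst=solscan.io:443 method=GET path=/tx/abc status=200
"""

PROXY_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+)"
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()


def suspicious_process_chains(events):
    """Browser parent spawning a shell: the early-stage behaviour the article describes."""
    hits = []
    for ev in events:
        parent, child = basename(ev["parent_image"]), basename(ev["image"])
        if parent in BROWSER_PARENTS and child in SHELL_CHILDREN:
            hits.append({"host": ev["host"], "parent": parent, "child": child,
                         "command_line": ev["command_line"]})
    return hits


def parse_proxy_line(line):
    """Return the fields of one proxy log line, or None if it does not match."""
    m = PROXY_RE.match(line)
    return m.groupdict() if m else None


def is_solana_host(dst):
    """True when dst is one of the Solana domains or a subdomain of one."""
    dst = dst.lower()
    return any(dst == d or dst.endswith("." + d) for d in SOLANA_DOMAINS)


def anomalous_blockchain_traffic(log_text, developer_hosts):
    """Solana-related requests from hosts that are not on the developer allowlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec and is_solana_host(rec["dst"]) and rec["host"] not in developer_hosts:
            hits.append(rec)
    return hits


def hunt(events, log_text, developer_hosts):
    """Combine both checks into a list of alert strings for triage."""
    alerts = []
    for h in suspicious_process_chains(events):
        alerts.append(f"[PROC] {h['host']}: {h['parent']} -> {h['child']} :: {h['command_line']}")
    for r in anomalous_blockchain_traffic(log_text, developer_hosts):
        alerts.append(f"[NET] {r['host']} ({r['user']}) -> {r['dst']}:{r['port']} at {r['ts']}")
    return alerts


if __name__ == "__main__":
    for alert in hunt(PROCESS_EVENTS, PROXY_LOG, developer_hosts={"WS-DEV-02"}):
        print(alert)
```

The developer allowlist matters: a devnet request from WS-DEV-02 is legitimate and is suppressed, while the same destination family from a finance or HR workstation is surfaced. In production, feed the allowlist from an asset inventory rather than hard-coding it, and correlate the two alert types by host, since a browser-spawned shell followed by Solana RPC traffic on the same machine is a much stronger signal than either alone.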

Mitigation Strategies and Defense

Defenders should prioritise hardening browser environments to prevent the installation of unverified extensions. Adopting a Zero Trust architecture can limit the impact of credential theft by requiring continuous verification even after a session is established.

  • Extension Whitelisting: Use Group Policy Objects (GPO) to restrict Chrome extension installations to a pre-approved list, preventing users from sideloading the fake Google Docs extension.
  • Blockchain Traffic Monitoring: Set up SIEM alerts for unusual traffic patterns involving Solana or other blockchain protocols from non-developer workstations.
  • Credential Hygiene: Encourage the use of hardware security keys which are resilient to the session token theft techniques used by GlassWorm.
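The extension whitelisting item above has two halves: enforce an allowlist through policy, and audit what is already installed for look-alikes and sideloads. The script below is an added example, not code from the original article or from Google; the installed-extension records are constructed, the approved-extension ID is an assumption to verify in your own environment, and the registry paths use the Chrome enterprise policy names ExtensionInstallAllowlist and ExtensionInstallBlocklist.

```python
"""Audit installed Chrome extensions against an approved list and emit the
matching allowlist policy (added example; all input records are constructed)."""
import re

# Assumption: operator-maintained allowlist of extension ID -> expected name.
# The ID below is assumed to be the Google Docs Offline extension bundled with
# Chrome; confirm it against a known-good install before relying on it.
APPROVED = {
    "ghbmnnjooekpmoecnnnilnnbdlolhkhi": "Google Docs Offline",
}

# Permissions that enable the capabilities the article attributes to the fake
# extension: cookie/session access, every site, screen capture, request interception.
HIGH_RISK_PERMISSIONS = {"cookies", "<all_urls>", "desktopCapture", "tabCapture",
                         "webRequest", "debugger", "nativeMessaging"}

# Constructed sample of what a collector might return per installed extension.
INSTALLED = [
    {"id": "ghbmnnjooekpmoecnnnilnnbdlolhkhi", "from_webstore": True,
     "manifest": {"name": "Google Docs Offline", "version": "1.9",
                  "permissions": ["alarms", "storage", "unlimitedStorage"]}},
    {"id": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "from_webstore": False,
     "manifest": {"name": "Google Docs Offline", "version": "1.0",
                  "permissions": ["cookies", "tabs", "desktopCapture", "storage"],
                  "host_permissions": ["<all_urls>"]}},
    {"id": "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", "from_webstore": True,
     "manifest": {"name": "Team Wiki Helper", "version": "2.3",
                  "permissions": ["storage"]}},
]


def normalise(name: str) -> str:
    """Collapse punctuation and case so 'Google-Docs  Offline' matches 'google docs offline'."""
    return re.sub(r"\W+", " ", name).strip().lower()


def audit_extension(ext):
    """Return a list of findings for one extension; empty means it looks clean."""
    findings = []
    ext_id, man = ext["id"], ext["manifest"]
    name = man.get("name", "")
    perms = set(man.get("permissions", [])) | set(man.get("host_permissions", []))
    if ext_id in APPROVED:
        if normalise(name) != normalise(APPROVED[ext_id]):
            findings.append("approved id but unexpected name")
    else:
        findings.append("not on allowlist")
        # Same display name as an approved extension under a different ID:
        # the 'offline Google Docs' disguise described in the article.
        for approved_name in APPROVED.values():
            if normalise(name) == normalise(approved_name):
                findings.append(f"impersonates approved extension '{approved_name}'")
    if not ext.get("from_webstore", False):
        findings.append("sideloaded (not from Web Store)")
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        findings.append("high-risk permissions: " + ", ".join(risky))
    return findings


def audit(installed):
    """Map extension ID -> findings, keeping only extensions with at least one."""
    report = {}
    for ext in installed:
        findings = audit_extension(ext)
        if findings:
            report[ext["id"]] = findings
    return report


def allowlist_policy(approved):
    """Registry values implementing 'block everything, allow only APPROVED'.
    Chrome's ExtensionInstallBlocklist entry '*' blocks all extensions; IDs in
    ExtensionInstallAllowlist are exempt. Deploy these values via GPO."""
    base = r"HKLM\Software\Policies\Google\Chrome"
    values = {rf"{base}\ExtensionInstallBlocklist\1": "*"}
    for n, ext_id in enumerate(sorted(approved), start=1):
        values[rf"{base}\ExtensionInstallAllowlist\{n}"] = ext_id
    return values


if __name__ == "__main__":
    for ext_id, findings in audit(INSTALLED).items():
        print(ext_id, "->", "; ".join(findings))
    for path, value in allowlist_policy(APPROVED).items():
        print(path, "=", value)
```

The audit deliberately keys on the extension ID rather than the display name: the look-alike in the sample carries the same name as the real extension but a different ID, was not installed from the Web Store, and requests cookies plus screen capture over all sites, which is exactly the combination to escalate. Run the collector per user profile, since sideloaded extensions live in the profile directory rather than in a machine-wide location.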

The use of blockchain for infrastructure persistence demonstrates the increasing complexity of modern malware operations. By hiding instructions in plain sight on a public ledger, attackers can maintain a resilient infrastructure that evades traditional DNS-based filtering.
