thehackernews.com 3/25/2026, 2:48:25 PM

GlassWorm Malware Uses Solana Dead Drops to Deliver RAT and Steal Browser, Crypto Data


Cybersecurity researchers have flagged a new evolution of the GlassWorm campaign: a multi-stage framework that steals data and installs a remote access trojan (RAT). One component is an information-stealing Google Chrome extension masquerading as an offline version of Google Docs. It logs keystrokes, dumps cookies and session tokens, captures screenshots, and communicates with a C2 server whose address is hidden in a Solana blockchain memo, according to Aikido security researcher Ilyas Makari.

The campaign obtains initial footholds via rogue packages across npm, PyPI, GitHub and the Open VSX marketplace, with operators also compromising project maintainers’ accounts to push poisoned updates. The attacks use Solana transactions as a dead drop resolver to fetch the C2 details and download OS-specific payloads. The stage-two payload performs credential harvesting, cryptocurrency wallet exfiltration and system profiling, then exfiltrates a ZIP archive to 217.69.3[.]152/wall.

The RAT’s final payloads include a .NET binary that uses Windows Management Instrumentation to detect USB devices and present a Ledger or Trezor phishing window, and a WebSocket-based JavaScript RAT that siphons browser data and runs commands. Both are fetched from 45.32.150[.]251, with a public Google Calendar event URL serving as the dead drop resolver.
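The two network indicators above are the most directly actionable items in the summary for a defender. The following script is an added example written for this page; it is not code from the article, from Aikido, or from the GlassWorm analysis. It refangs the defanged IPs exactly as the article prints them, then scans a constructed proxy/firewall log (the log format and the sample lines are assumptions) and flags any connection to those hosts, with the POST to `/wall` called out separately because the article names that path as the ZIP exfiltration endpoint.

```python
import re
from dataclasses import dataclass

# Defanged indicators exactly as the article prints them. The "[.]" is a
# publishing convention that stops the address from being clickable.
DEFANGED_IOCS = {
    "217.69.3[.]152": "GlassWorm stage-two exfiltration host",
    "45.32.150[.]251": "GlassWorm final-stage RAT payload host",
}

# Path named by the article as the ZIP exfiltration endpoint on the first host.
EXFIL_PATH = "/wall"


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


# Assumed log format (constructed for this example):
#   <timestamp> <src_ip> -> <dst_ip>:<port> <method> <path>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) "
    r"(?P<method>\S+) (?P<path>\S+)$"
)


@dataclass
class Hit:
    ts: str
    src: str
    dst: str
    method: str
    path: str
    reason: str


def scan_log(lines, iocs=DEFANGED_IOCS):
    """Return one Hit per log line whose destination is a known IoC.

    A POST to the documented exfiltration path is reported with a more
    specific reason so it can be triaged ahead of a plain IP match.
    """
    lookup = {refang(k): v for k, v in iocs.items()}
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these
        dst = m["dst"]
        if dst not in lookup:
            continue
        reason = lookup[dst]
        if m["method"].upper() == "POST" and m["path"] == EXFIL_PATH:
            reason += " (POST to exfiltration path, likely ZIP upload)"
        hits.append(Hit(m["ts"], m["src"], dst, m["method"], m["path"], reason))
    return hits


# Constructed sample log: two internal hosts, one benign connection, one
# exfiltration POST, one payload fetch, and one malformed line.
SAMPLE_LOG = [
    "2026-03-25T14:00:01Z 10.0.0.12 -> 142.250.1.1:443 GET /",
    "2026-03-25T14:00:07Z 10.0.0.12 -> 217.69.3.152:80 POST /wall",
    "2026-03-25T14:01:13Z 10.0.0.31 -> 45.32.150.251:443 GET /",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.ts} {hit.src} -> {hit.dst} {hit.method} {hit.path}: {hit.reason}")
```

Keeping the indicators in their defanged form and refanging at load time means the list can be pasted straight from a published report without hand-editing, and the same `refang` step is what you would apply to a blocklist before loading it into a proxy or firewall.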


Article by CyberSIXT
