Cybersecurity researchers have uncovered a sophisticated malware campaign dubbed GlassWorm, which delivers a multi-stage attack framework designed to steal credentials, exfiltrate cryptocurrency data, and install a remote access trojan (RAT) together with a malicious browser extension disguised as Google Docs Offline.
Multi-Stage Attack Mechanism
According to Aikido Security, GlassWorm begins by infiltrating systems through compromised packages across npm, PyPI, GitHub, and Open VSX marketplaces. Operators have also been observed taking over developer accounts to push malicious updates. The malware avoids infecting systems set to Russian locales and uses Solana blockchain transactions as dead drops to retrieve the addresses of its command-and-control (C2) servers, such as 45.32.150[.]251, and OS-specific payloads.
Stage Two: Data Theft and Credential Harvesting
The second stage of the attack is a robust data-theft framework. It harvests passwords, cryptocurrency wallets, and system profiling information. Collected data is compressed into a ZIP archive and exfiltrated to servers like 217.69.3[.]152/wall. This stage also facilitates fetching and executing the final payload components.
Hardware Wallet Phishing
The malware deploys a .NET binary to target hardware wallets such as Ledger and Trezor. Using Windows Management Instrumentation (WMI), it detects USB connections and triggers a phishing interface mimicking the wallet software. Victims are prompted to enter their 24-word recovery phrases into fake error windows, which are then exfiltrated to 45.150.34[.]158.
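The three network indicators quoted so far (the stage 1 C2, the stage 2 /wall exfiltration server, and the hardware-wallet phishing endpoint) are the kind of thing a defender wants to sweep proxy logs for immediately. The following is an added example written for this article, not code from Aikido Security or from the malware: it refangs the published indicators, parses Squid-style access-log lines (an assumed input format; the sample lines are constructed, not a real capture), and labels each hit with the stage it belongs to. Because the stage 1 address is itself fetched from a blockchain dead drop, treat the list as a starting point that will need refreshing rather than a complete signature.

```python
import re

# Network indicators quoted in the article, defanged as published, keyed to the
# stage they belong to. Extend this dictionary as further indicators are confirmed.
GLASSWORM_IOCS = {
    "45.32.150[.]251": "stage 1 C2 (address fetched via Solana dead drop)",
    "217.69.3[.]152": "stage 2 data-theft exfiltration (ZIP POST to /wall)",
    "45.150.34[.]158": "hardware-wallet recovery-phrase exfiltration",
}


def refang(value):
    """Turn defanged notation (45.32.150[.]251, hxxp://) back into a matchable value."""
    return value.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


IOC_BY_HOST = {refang(k): v for k, v in GLASSWORM_IOCS.items()}

# Squid native access-log layout, assumed here as the example input format:
# timestamp elapsed client code/status bytes method url ident hierarchy type
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+(?P<status>\S+)\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)
# Host part of either a full URL (GET http://host/path) or a CONNECT target (host:443).
HOST_RE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?(?P<host>[^/:?#]+)")


def destination_host(url):
    """Extract the destination host from a URL or host:port string, lower-cased."""
    m = HOST_RE.match(url)
    return m.group("host").lower() if m else ""


def match_line(line):
    """Return a labelled hit if the line's destination is a known GlassWorm indicator."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a log line we understand; skip rather than guess
    host = destination_host(m.group("url"))
    label = IOC_BY_HOST.get(host)
    if label is None:
        return None
    return {
        "ts": m.group("ts"),
        "client": m.group("client"),
        "dest": host,
        "method": m.group("method"),
        "url": m.group("url"),
        "stage": label,
    }


def hunt(lines):
    """Run match_line over an iterable of log lines and keep only the hits."""
    return [hit for hit in (match_line(line) for line in lines) if hit]


# Constructed sample log (not a real capture): one plain GET to the C2, the ZIP
# POST to /wall, a TLS CONNECT to the wallet-phishing host, and two benign lines.
SAMPLE_LOG = """\
1700000001.120    45 10.0.0.21 TCP_MISS/200 1320 GET http://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html
1700000002.431   210 10.0.0.21 TCP_MISS/200 512 GET http://45.32.150.251/ - HIER_DIRECT/45.32.150.251 application/octet-stream
1700000003.007   980 10.0.0.21 TCP_MISS/200 88 POST http://217.69.3.152/wall - HIER_DIRECT/217.69.3.152 application/zip
1700000004.550   300 10.0.0.21 TCP_TUNNEL/200 4096 CONNECT 45.150.34.158:443 - HIER_DIRECT/45.150.34.158 -
1700000005.002    12 10.0.0.22 TCP_HIT/200 2048 GET https://docs.google.com/ - HIER_NONE/- text/html
"""

HITS = hunt(SAMPLE_LOG.splitlines())

if __name__ == "__main__":
    for hit in HITS:
        print(f"{hit['ts']} {hit['client']} {hit['method']:<7} {hit['dest']:<15} {hit['stage']}")
```

The CONNECT case matters in practice: on a TLS-inspecting or tunnelling proxy the wallet-phishing exfiltration will appear as a CONNECT to host:port rather than as a full URL, so a matcher that only handles `http://` URLs would miss it.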
Remote Access Trojan Features
The RAT component communicates via a Distributed Hash Table (DHT) or Solana dead drop to retrieve C2 details. Once active, it can:
- Deploy Hidden Virtual Network Computing (HVNC) modules for remote desktop access.
- Launch WebRTC-based SOCKS proxies.
- Exfiltrate browser data from Chrome, Edge, Firefox, Brave, Opera, Opera GX, and Vivaldi, including cookies, bookmarks, history, and installed extensions, along with keystrokes and clipboard contents.
- Execute attacker-supplied JavaScript code.
The malware also force-installs a malicious Google Chrome extension named Google Docs Offline, which monitors user activity, captures Document Object Model (DOM) trees, screenshots, and browser sessions, and specifically targets cryptocurrency exchange sessions, such as Bybit accounts, to steal secure tokens and device IDs.
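A force-installed extension that borrows the name of a legitimate one is easy to miss by eye, because Chrome shows the name, not the ID. The following is an added example written for this article, not code from Aikido Security or from the malware: it audits the `extensions.settings` map from a Chrome Preferences file against the Web Store ID of the real Google Docs Offline extension (ghbmnnjooekpmoecnnnilnnbdlolhkhi) and against an ExtensionInstallForcelist policy, flagging name impersonation under a different ID, force-installs from a non-Web-Store update URL, and non-Web-Store extensions that request permissions matching the cookie and session theft described above. The sample preferences, the placeholder extension ID and the update URL are constructed for the example, not real indicators.

```python
import json

# Web Store ID of the legitimate Google Docs Offline extension.
OFFICIAL_DOCS_OFFLINE_ID = "ghbmnnjooekpmoecnnnilnnbdlolhkhi"
# Update URL every Web Store extension is served from; anything else in a
# forcelist entry means the CRX comes from somewhere the operator controls.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Permissions consistent with the session/cookie theft described in the article.
# Treated as a heuristic signal, not proof of malice on their own.
HIGH_RISK_PERMISSIONS = {"cookies", "webRequest", "webNavigation", "debugger", "<all_urls>"}


def load_preferences(path):
    """Load Chrome's Preferences (or, on Windows, Secure Preferences) JSON file."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


def parse_forcelist(forcelist):
    """ExtensionInstallForcelist entries are 'extid;update_url'; the URL part is optional."""
    forced = {}
    for entry in forcelist:
        ext_id, _, update_url = entry.partition(";")
        forced[ext_id.strip()] = update_url.strip() or WEBSTORE_UPDATE_URL
    return forced


def audit_extensions(prefs, forcelist):
    """Return a list of findings, one per suspicious extension, with the reasons."""
    forced = parse_forcelist(forcelist)
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, info in settings.items():
        manifest = info.get("manifest", {})
        name = manifest.get("name", "")
        perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
        from_webstore = bool(info.get("from_webstore", False))
        reasons = []
        # 1. Same display name as the real extension, but a different ID.
        if name.strip().lower() == "google docs offline" and ext_id != OFFICIAL_DOCS_OFFLINE_ID:
            reasons.append("named Google Docs Offline but ID differs from the Web Store extension")
        # 2. Pushed by policy from an update server that is not the Web Store.
        if ext_id in forced and forced[ext_id] != WEBSTORE_UPDATE_URL:
            reasons.append("force-installed by policy from non-Web-Store URL " + forced[ext_id])
        # 3. Sideloaded extension asking for session-theft capable permissions.
        risky = perms & HIGH_RISK_PERMISSIONS
        if risky and not from_webstore:
            reasons.append("non-Web-Store extension requests " + ", ".join(sorted(risky)))
        if reasons:
            findings.append({"id": ext_id, "name": name, "reasons": reasons})
    return findings


# Constructed sample of the relevant part of a Preferences file (not a real capture):
# the genuine extension next to a look-alike under a placeholder ID.
FAKE_ID = "abcdefghijklmnopabcdefghijklmnop"  # placeholder, not a real IOC
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            OFFICIAL_DOCS_OFFLINE_ID: {
                "from_webstore": True,
                "manifest": {"name": "Google Docs Offline",
                             "permissions": ["alarms", "storage", "unlimitedStorage"]},
            },
            FAKE_ID: {
                "from_webstore": False,
                "manifest": {"name": "Google Docs Offline",
                             "permissions": ["tabs", "cookies", "webRequest", "<all_urls>"]},
            },
        }
    }
}
# Constructed forcelist entry pointing the look-alike at a non-Web-Store server.
SAMPLE_FORCELIST = [FAKE_ID + ";http://update.example.invalid/ext.xml"]

FINDINGS = audit_extensions(SAMPLE_PREFS, SAMPLE_FORCELIST)

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f['id']} ({f['name']})")
        for r in f["reasons"]:
            print("  -", r)
```

On Windows the `extensions.settings` map lives in the profile's Secure Preferences file and the forcelist in the registry under HKLM\Software\Policies\Google\Chrome\ExtensionInstallForcelist; on Linux and macOS the policy is a JSON file under the managed policies directory. Collect those per host and feed them to `audit_extensions`; the only check that needs the forcelist is the update-URL one, so the name and permission heuristics still work on the preferences file alone.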
Emerging Attack Vectors
GlassWorm operators have recently expanded into the WaterCrawl MCP ecosystem, publishing npm packages impersonating official MCP servers to distribute payloads, indicating the campaign is rapidly evolving alongside AI-assisted development tools.