GlassWorm Malware Exploits Solana Blockchain Dead Drops to Deploy RAT, Steal Browser and Cryptocurrency Data
By Ravie Lakshmanan, March 25, 2026
Cybersecurity researchers have uncovered a new evolution of the GlassWorm malware campaign that uses a multi-stage attack chain to steal data comprehensively and install a remote access trojan (RAT) on infected machines. The malware notably uses Solana blockchain transactions as dead drops, a covert channel for delivering payloads and receiving commands, and targets developer ecosystems and cryptocurrency users alike.
Advanced Data Theft and Remote Access Capabilities
The campaign, dubbed GlassWorm, begins by compromising developer environments via rogue packages published on popular repositories such as npm, PyPI, GitHub, and the Open VSX marketplace. Attackers additionally hijack maintainer accounts to push poisoned updates, increasing the reach of their malicious payloads.
According to Ilyas Makari, a security researcher at Aikido, the malware installs a Google Chrome extension disguised as an offline version of Google Docs. This extension logs keystrokes, captures screenshots, harvests browser cookies and session tokens, and can execute commands from a command-and-control (C2) server whose address is hidden within a memo field of a transaction on the Solana blockchain.
GlassWorm's operators deliberately avoid infecting systems that use the Russian locale, most likely a regional exclusion, and use Solana blockchain transactions as dead drops from which the malware retrieves the C2 server details (IP "45.32.150[.]251") and downloads OS-specific payloads.
Multi-stage Payloads Target Cryptocurrency Wallets and Browsers
The second stage payload is a data-theft framework designed to harvest credentials, steal cryptocurrency wallet secrets, and profile the infected system. Once collected, the data is compressed into a ZIP archive and exfiltrated to an external server hosted at "217.69.3[.]152/wall".
The framework also downloads further components, including:
- A .NET binary that uses Windows Management Instrumentation (WMI) to detect USB device connections and then initiates phishing attacks against hardware wallets such as Ledger and Trezor by displaying fake recovery phrase input windows with 24 fields. These windows imitate genuine wallet error messages to trick victims into entering their recovery seeds, which are then sent to the attacker-controlled IP "45.150.34[.]158".
- A WebSocket-based JavaScript RAT fetched via a public Google Calendar event URL that serves as another dead drop. This RAT can steal browser data, execute arbitrary JavaScript code, and retrieve C2 instructions through a Distributed Hash Table (DHT), falling back to the Solana dead drop mechanism when the DHT is unavailable.
RAT Features and Browser Extension Surveillance
The RAT supports a broad suite of commands, including:
- Launching and terminating Hidden Virtual Network Computing (HVNC) modules to enable stealthy remote desktop control.
- Starting and stopping WebRTC SOCKS proxy modules.
- Extracting browser data from major browsers like Google Chrome, Microsoft Edge, Brave, Opera, Opera GX, Vivaldi, and Mozilla Firefox. The RAT can bypass Chrome’s app-bound encryption (ABE) to access sensitive information.
- Collecting system information and executing arbitrary JavaScript supplied by the adversary.
In addition to the RAT, the malware force-installs a deceptive Chrome extension named "Google Docs Offline" on Windows and macOS. This extension communicates with the C2 server to carry out extensive data theft, collecting cookies, localStorage data, the document object model (DOM) of active tabs, bookmarks, screenshots, keystrokes, clipboard contents, up to 5,000 browser history entries, and the list of installed extensions.
It also monitors specific websites for session tokens and device IDs, preconfigured to surveil Bybit (a cryptocurrency trading platform), and can trigger webhooks to leak authentication data. The attacker can push redirect rules to force victim browsers toward attacker-controlled URLs.
Expanding Attack Surface with MCP Ecosystem
Recently, GlassWorm operators have moved into the Model Context Protocol (MCP) ecosystem by publishing malicious npm packages impersonating the WaterCrawl MCP server ("@iflow-mcp/watercrawl-watercrawl-mcp"). This shift reflects the campaign’s adaptive strategy as AI-assisted development and associated trusted protocols grow in popularity.
Lotan Sery, a researcher at Koi Security, emphasized that MCP servers are inherently trusted in developer environments, making this new vector particularly concerning. He warns that GlassWorm is likely to continue expanding into this growing ecosystem.
Recommendations for Developers and Security Professionals
Developers and users are urged to exercise heightened caution when installing Open VSX extensions, npm packages, and MCP servers. Recommended best practices include verifying publisher identities, reviewing package histories, and avoiding reliance solely on download counts as trust indicators.
Polish cybersecurity firm AFINE has released an open-source Python tool named glassworm-hunter designed to scan local developer systems for GlassWorm-associated payloads. The tool operates fully offline during scans, sending no network requests except when manually updating its list of indicators of compromise (IoCs) from AFINE’s GitHub repository.
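As an added illustration of the kind of offline indicator sweep described above (this is not AFINE's glassworm-hunter and does not reproduce its logic), the following script checks a proxy log and an npm package-lock.json against the C2 addresses and the malicious MCP package name quoted in this article; the log lines and lockfile are constructed samples, and the package version shown is a placeholder.

```python
import json
import re

# Indicators quoted in the article, with the defanging brackets removed.
C2_IPS = {"45.32.150.251", "217.69.3.152", "45.150.34.158"}
SUSPECT_PACKAGES = {"@iflow-mcp/watercrawl-watercrawl-mcp"}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def check_proxy_log(lines):
    """Return (line_no, ip) for every log line that mentions a listed C2 address."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in C2_IPS:
                hits.append((n, ip))
    return hits


def check_lockfile(lock_json):
    """Return suspect package names in a package-lock.json (lockfileVersion 1, 2 or 3)."""
    data = json.loads(lock_json)
    # v1 keys "dependencies" by bare name; v2/v3 key "packages" by "node_modules/<name>".
    names = set(data.get("dependencies", {}))
    for path in data.get("packages", {}):
        if "node_modules/" in path:
            names.add(path.rsplit("node_modules/", 1)[-1])
    return sorted(names & SUSPECT_PACKAGES)


# Constructed sample inputs (not real captures; 192.0.2.10 is a documentation address).
SAMPLE_LOG = [
    "2026-03-24T10:01:02Z CONNECT 192.0.2.10:443 OK",
    "2026-03-24T10:01:09Z CONNECT 45.32.150.251:80 OK",
    "2026-03-24T10:03:41Z POST http://217.69.3.152/wall 200",
]
SAMPLE_LOCK = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/@iflow-mcp/watercrawl-watercrawl-mcp": {"version": "1.0.0"},  # placeholder version
    },
})

if __name__ == "__main__":
    print(check_proxy_log(SAMPLE_LOG))  # [(2, '45.32.150.251'), (3, '217.69.3.152')]
    print(check_lockfile(SAMPLE_LOCK))  # ['@iflow-mcp/watercrawl-watercrawl-mcp']
```

A hit on either check is a trigger for investigation, not proof of compromise; run the lockfile check over every project on the host, including globally installed packages.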
Conclusion
The discovery of GlassWorm’s use of blockchain dead drops and its sophisticated multi-stage infection chain underscores the evolving threat landscape targeting developers and cryptocurrency users. Its blend of supply chain attacks, remote access trojans, and hardware wallet phishing highlights the necessity of vigilant cyber hygiene and robust security measures across software development and crypto wallets.