GlassWorm Wave 3: The Supply Chain Worm Goes Cross-Platform -- A macOS Chrome RAT, a Windows ABE Bypass, and a Blockchain Dead-Drop
TL;DR
GlassWorm is no longer a Windows-only, developer-only problem. Two new components recovered from the campaign's third wave reveal a macOS Chrome extension sideloader that installs a full-featured RAT disguised as "Google Docs Offline" and a Windows DLL that defeats Chrome 127+'s App-Bound Encryption to extract master decryption keys from six Chromium browsers. The macOS component -- internally called "RedExt Agent" -- targets Bybit cryptocurrency exchange sessions specifically, exfiltrating cookies, keystrokes, clipboard data, screenshots, and DOM snapshots. Both components retrieve their C2 configuration from a Solana blockchain wallet via transaction memo fields, making infrastructure takedown effectively impossible. The threat actor behind GlassWorm has expanded from poisoning developer supply chains to building a cross-platform credential theft operation targeting cryptocurrency users -- and the Solana dead-drop technique means there is no domain to seize, no IP to null-route, and no hosting provider to send an abuse report to.
Background: What We Already Know
In our previous GlassWorm analysis, published March 16, 2026, Breakglass Intelligence documented a supply chain campaign that had compromised at least 12 VS Code extensions on the Microsoft Visual Studio Marketplace -- nine of which remained live at the time of publication. The campaign delivered a Rust-compiled, fileless PE loader (generate.dll) that used the memexec crate to execute arbitrary Windows binaries entirely in memory via direct NT API calls (NtAllocateVirtualMemory, NtProtectVirtualMemory), bypassing EDR hooks. C2 communication abused trusted services: Solana blockchain RPC endpoints and Google Calendar API. The worm component weaponized stolen developer credentials to inject malicious code into victims' own repositories and npm packages, turning each infection into a new distribution node.
That was Wave 1 -- the developer supply chain beachhead.
Wave 3 shows what the beachhead was for.
The two components analyzed here are not developer tools. They are not disguised as VS Code extensions or npm packages. They are purpose-built weapons for stealing cryptocurrency -- a macOS RAT that hijacks Chrome to target Bybit exchange sessions, and a Windows DLL that cracks open every Chromium browser's encrypted credential store. The attack surface has expanded from "developers who install VS Code extensions" to "anyone with a Chromium browser and a crypto exchange account."
The GlassWorm operator is no longer just building a supply chain. They are using it.
macOS Sideloader: RedExt Agent
Sample Metadata
| Field | Value |
|---|---|
| SHA256 | ee3e4dd5c1e073b8805f4107ccc7bc7e6e3c209fe13ea04ff3f2173c8dbe74a6 |
| File Type | Mach-O Universal Binary (x86_64 + arm64) |
| File Size | 2.73 MB |
| Compiler | Rust (universal binary, both architectures) |
| Purpose | Chrome extension sideloader + Secure Preferences manipulator |
| Internal Name | "RedExt Agent" |
This is a Rust-compiled universal Mach-O binary targeting both Intel and Apple Silicon Macs. At 2.73 MB, it is substantially larger than the Wave 1 PE loader (175 KB), because it carries the entire Chrome extension payload and the Secure Preferences manipulation logic inline rather than downloading them from C2.
What It Does
The sideloader installs a malicious Chrome extension by manipulating Chrome's Secure Preferences file -- the integrity-protected JSON configuration that tracks installed extensions, their permissions, and content scripts. The extension masquerades as "Google Docs Offline" version 1.95.1, a legitimate Google extension many users already have.
The critical bypass is recalculating Chrome's HMAC-SHA super_mac after injecting the extension entry. Chrome uses this integrity hash to detect unauthorized preference modifications. If the super_mac does not match, Chrome resets preferences and removes unauthorized extensions on next launch. The GlassWorm sideloader computes the correct HMAC after injection, so Chrome accepts the modification as legitimate. On next launch, the extension activates with full permissions, appearing as a Google first-party extension.
The Extension: A Full Browser RAT
The sideloaded extension -- internally identified as "RedExt Agent" in its source -- is not a simple cookie stealer. It is a comprehensive browser RAT with the following capabilities:
| Capability | Detail |
|---|---|
| Keylogging | Captures all keystrokes within Chrome, including form inputs, search queries, and password fields |
| Clipboard monitoring | Reads clipboard contents on change events -- captures copied passwords, seed phrases, addresses |
| Cookie exfiltration | Steals all cookies, with priority extraction for authentication and session cookies |
| Screenshot capture | Takes periodic screenshots of the active tab via Chrome's chrome.tabs.captureVisibleTab API |
| DOM snapshots | Captures full DOM state of targeted pages -- not just what's visible, but the complete document structure including hidden elements, form values, and JavaScript state |
| Browsing history | Exfiltrates complete browsing history via chrome.history API |
| Bookmarks | Dumps full bookmark tree via chrome.bookmarks API |
| System fingerprinting | Collects OS version, Chrome version, installed extensions, screen resolution, timezone, language, and hardware concurrency for victim identification |
Bybit Targeting
The extension contains hardcoded targeting logic for Bybit.com, one of the largest cryptocurrency exchanges by trading volume. When the extension detects that the user is on a Bybit domain, it escalates its collection:
- Session cookie priority extraction -- Bybit authentication cookies are flagged for immediate exfiltration rather than batched with routine collection cycles
- DOM snapshots on Bybit pages -- captures account balances, open positions, order history, and wallet addresses from the rendered page
- Keylogging intensification -- all keystrokes on Bybit pages are logged with full context (URL, timestamp, input field identifier)
This is not speculative targeting. The Bybit domain checks are hardcoded strings in the extension's JavaScript. The operator built this component specifically to steal cryptocurrency exchange sessions.
Infection Chain
[1] Delivery via GlassWorm supply chain (compromised npm/VS Code extension)
|
v
[2] Rust universal binary executes on macOS (x86_64 or arm64)
|
v
[3] Queries Solana wallet DSRUBTzi... for C2 config (11 RPC endpoints)
|
v
[4] Reads Chrome Secure Preferences, injects "Google Docs Offline" v1.95.1
Recalculates HMAC-SHA super_mac -> Chrome accepts modification
|
v
[5] Chrome launches -> RedExt Agent activates with full permissions
Keylogging | Clipboard | Cookies | Screenshots | DOM | History
|
v
[6] Bybit.com targeting: priority session cookie theft, DOM snapshots
of balances/positions, keystroke capture of 2FA and withdrawal addresses
|
v
[7] Exfiltration to Solana-resolved C2 (Vultr VPS, AS20473, France)
OPSEC Failure: macOS Build Path
The Rust debug symbols in the universal binary contain the macOS build username:
/Users/davidioasd/...
This is a significant OPSEC failure. The Wave 1 PE loader was built under C:\Users\Administrator\ -- a generic, sanitized Windows build environment. The Wave 3 macOS component was built under a personal username: davidioasd. This is either the threat actor's personal machine or a build environment where they forgot to sanitize the username. Either way, it is a fingerprint.
The shift from Administrator (Windows) to davidioasd (macOS) also tells us something about the operation: the actor either has a multi-platform development setup, or the macOS component was built by a different member of the group. The username pattern -- a name ("david") followed by seemingly random characters ("ioasd") -- is consistent with a real first name combined with keyboard mashing for a disposable account, which leans toward a personal mistake rather than an intentional alias.
Windows Chrome ABE Bypass DLL
Sample Metadata
| Field | Value |
|---|---|
| SHA256 | 43253a888417dfab034f781527e08fb58e929096cb4ef69456c3e13550cb4e9e |
| File Type | PE32+ DLL (x86-64) |
| File Size | 40 KB |
| Compile Time | 2026-01-29 (PE timestamp) |
| Purpose | Master key extractor for 6 Chromium browsers |
| Network | None -- feeds keys to parent process via file handle |
At 40 KB, this is a surgical tool. No C2 communication. No persistence. No lateral movement. It does exactly one thing: extract the master decryption keys that Chromium browsers use to encrypt saved passwords, cookies, autofill data, and payment information. It does this for six browsers simultaneously, and it defeats Chrome's newest protection -- App-Bound Encryption -- in the process.
What It Does
Chromium browsers encrypt saved passwords, cookies, and payment data using a master key in the Local State file, which is itself encrypted via DPAPI. Chrome 127+ added App-Bound Encryption (ABE) -- a second layer that binds the key to Chrome's application identity via a COM elevation service, blocking decryption by other applications even under the same user. The GlassWorm DLL defeats both layers.
Dual-Path Decryption
Path 1 -- DPAPI (V10 keys): For older key versions, CryptUnprotectData decrypts the master key using the current user's DPAPI context. Standard infostealer technique.
Path 2 -- COM Elevation (V20 keys, Chrome 127+): For ABE-protected keys, the DLL instantiates Chrome's IElevator COM interface and calls IElevator::DecryptData -- asking Chrome's own elevation service to decrypt the key. This is not a vulnerability in the traditional sense. The COM interface exists because Chrome needs it. The DLL calls it from outside Chrome's process, which ABE was designed to prevent but which COM's architecture makes difficult to fully enforce.
Target Browsers
| Browser | DPAPI (V10) | COM ABE Bypass (V20) | COM CLSID |
|---|---|---|---|
| Google Chrome | Yes | Yes | Decoded at runtime |
| Microsoft Edge | Yes | Yes | Decoded at runtime |
| Brave | Yes | N/A (no ABE) | -- |
| Opera | Yes | N/A | -- |
| Opera GX | Yes | N/A | -- |
| Vivaldi | Yes | N/A | -- |
Chrome and Edge both implement App-Bound Encryption and require the COM elevation bypass. The other four browsers still use DPAPI-only encryption and are vulnerable to the simpler decryption path.
String Obfuscation: Rolling XOR
Every string -- browser names, file paths, COM CLSIDs, API names -- is XOR-encoded with a rolling algorithm (key family 0x855fe8xx / 0x855feaxx). No plaintext is visible in the binary. Decoded strings include all six browser Local State paths and the COM CLSIDs for Chrome's IElevator and Edge's elevation service, decoded only at the moment of COM instantiation.
Handle Stealing: Reading Locked Files
Chromium keeps Local State locked while running. The DLL bypasses this by calling NtQuerySystemInformation(SystemHandleInformation) to enumerate all open file handles system-wide, identifying those held by browser processes, then DuplicateHandle to copy them into its own process. This lets it extract keys from running browsers without the user closing anything.
No Network Stack
The DLL has zero network capability. It writes decrypted master keys to a pre-set file handle inherited from its parent process -- likely the Wave 1 Rust PE loader, which handles C2 communication. This modular design means the DLL can be updated independently, and if recovered from disk or memory, it contains no network IOCs whatsoever.
Infection Chain
[1] GlassWorm Rust PE loader (Wave 1) delivers ABE bypass DLL in-memory
Receives output file handle from parent loader
|
v
[2] DLL decodes all strings at runtime (rolling XOR, key family 0x855fe8xx)
|
v
[3] Handle stealing: NtQuerySystemInformation -> DuplicateHandle
Reads locked Local State files from running browsers
|
v
[4] Dual-path master key extraction:
| |
v v
[V10 keys: DPAPI] [V20 keys: COM Elevation]
CryptUnprotectData IElevator::DecryptData
Chrome, Edge, Brave, Chrome 127+, Edge
Opera, Opera GX, Vivaldi
| |
+----------------+------------------+
|
v
[5] Master keys written to parent's file handle (no network from DLL)
|
v
[6] Parent decrypts: passwords, cookies, credit cards, autofill
Exfiltration via Solana-resolved C2
The Solana Dead-Drop: Blockchain as C2 Infrastructure
The most operationally significant innovation in GlassWorm Wave 3 is the Solana blockchain dead-drop for C2 resolution. Both the macOS sideloader and the Windows parent loader use the same mechanism, and it renders traditional C2 takedown procedures ineffective.
How It Works
The actor controls Solana wallet DSRUBTziADDHSik7WQvSMjvwCHFsbsThrbbjWMoJPUiW. To update C2 infrastructure, they send a transaction with the new config in the memo field:
{"c2server": "http://[IP]:5000", "checkIp": "http://[IP]"}
The malware reads the most recent memo via Solana RPC queries. The wallet is publicly readable but only writable by the private key holder -- a one-to-many broadcast channel where the operator publishes C2 addresses and all infected machines read them.
Why Takedown Is Nearly Impossible
The malware cycles through 11 different Solana RPC providers (public mainnet-beta, Helius, QuickNode, Alchemy, and others). Blocking all of them would require blocking all Solana RPC traffic, which breaks legitimate Web3 applications. But even if you could, consider the five traditional C2 takedown methods and why each fails:
- Domain seizure -- There is no domain. The C2 address lives on a blockchain.
- IP null-routing -- The operator writes a new memo transaction with a new IP. Cost: ~$0.00025. Every infected machine switches over automatically.
- Hosting abuse report -- Vultr will likely act. The operator spins up a new VPS, sends one transaction, and is back online in minutes.
- Blockchain censorship -- Solana validators do not censor memo content. No mechanism exists to prevent C2 address publication.
- Wallet blacklisting -- Requires a malware update to change wallets, but the worm propagation mechanism provides that update channel.
The only reliable mitigation is endpoint detection -- catch the malware before it queries the blockchain, or detect behavioral patterns regardless of where the C2 address points.
Current C2 Infrastructure
| Component | Value | Status |
|---|---|---|
| Solana Wallet | DSRUBTziADDHSik7WQvSMjvwCHFsbsThrbbjWMoJPUiW | Active (blockchain -- permanent) |
| C2 Server | Vultr VPS, AS20473 | Active at time of analysis |
| C2 Location | Aubervilliers, France | -- |
| C2 Port | 5000 (HTTP) | -- |
| IP Check Endpoint | Separate endpoint on same infrastructure | Active at time of analysis |
Attribution and OPSEC
What We Know
| Factor | Wave 1 (VS Code Loader) | Wave 3 (macOS + Windows) | Assessment |
|---|---|---|---|
| Language | Rust | Rust (macOS), C/C++ (Windows DLL) | Multi-language capability |
| Build User | Administrator (Windows) | davidioasd (macOS) | Different build environments |
| Target | Developers (supply chain) | Crypto users (financial) | Expanding target set |
| C2 Channel | Solana RPC + Google Calendar | Solana RPC (dead-drop wallet) | Consistent Solana use |
| Hosting | Unknown (no hardcoded C2 in loader) | Vultr AS20473, France | First confirmed C2 hosting |
| Compile Date | 2025-11-19 (loader) | 2026-01-29 (Windows DLL) | Active development over 2+ months |
The "davidioasd" Fingerprint
The macOS build path /Users/davidioasd/ is the most significant OPSEC failure in Wave 3. Wave 1 was built under C:\Users\Administrator\ -- a sanitized environment. Wave 3's macOS component was built under a personalized username, suggesting either a different developer or a less disciplined build process for the macOS toolchain.
The structure -- "david" + "ioasd" -- looks like a real first name combined with keyboard mashing for a throwaway account. "David" does not narrow geography, but it is a concrete correlation point. If this username appears in any other sample, repo, forum, or service registration, it links directly to this campaign.
Attribution Assessment
| Dimension | Assessment | Confidence |
|---|---|---|
| Actor Type | Organized cybercrime group (2+ members) | HIGH |
| Motivation | Financial -- cryptocurrency theft | HIGH |
| Capability | Cross-platform development (Rust, C/C++), browser internals expertise, blockchain integration | HIGH |
| Sophistication | Above average -- Solana dead-drop, Chrome ABE bypass, HMAC recalculation, handle stealing | HIGH |
| Attribution | Unattributed -- "davidioasd" is the strongest lead | LOW |
| Country | Unknown -- no definitive language artifacts | LOW |
IOCs
File Indicators
macOS Sideloader (RedExt Agent):
SHA256: ee3e4dd5c1e073b8805f4107ccc7bc7e6e3c209fe13ea04ff3f2173c8dbe74a6
Type: Mach-O Universal Binary (x86_64 + arm64)
Size: 2.73 MB
Note: Rust-compiled Chrome extension sideloader
Windows ABE Bypass DLL:
SHA256: 43253a888417dfab034f781527e08fb58e929096cb4ef69456c3e13550cb4e9e
Type: PE32+ DLL (x86-64)
Size: 40 KB
Note: Chromium master key extractor, compiled 2026-01-29
Wave 1 PE Loader (previously reported):
SHA256: de81eacd045a88598f16680ce01bf99837b1d8170c7fc38a18747ef10e930776
Type: PE32+ DLL (x86-64)
Size: 175,616 bytes
Note: Rust/Neon memexec reflective PE loader
Network Indicators
C2 Infrastructure:
Solana Wallet: DSRUBTziADDHSik7WQvSMjvwCHFsbsThrbbjWMoJPUiW
C2 Protocol: HTTP on port 5000
C2 Hosting: Vultr VPS, AS20473 (Aubervilliers, France)
C2 Config: {"c2server": "hxxp://[IP]:5000", "checkIp": "hxxp://[IP]"}
Solana RPC Endpoints (used for dead-drop resolution):
api[.]mainnet-beta[.]solana[.]com
mainnet[.]helius-rpc[.]com
+ 9 additional commercial/community RPC endpoints
Behavioral Indicators -- macOS
File Access:
~/Library/Application Support/Google/Chrome/Default/Secure Preferences
~/Library/Application Support/Google/Chrome/Default/Extensions/
Chrome Extension:
Name: "Google Docs Offline"
Version: 1.95.1
Internal: "RedExt Agent"
Capabilities: keylogging, clipboard, cookies, screenshots, DOM snapshots,
history, bookmarks, system fingerprinting
Build Artifact:
macOS Username: davidioasd (from Rust debug symbols)
Behavioral Indicators -- Windows
APIs:
NtQuerySystemInformation (SystemHandleInformation) -- handle enumeration
DuplicateHandle -- handle stealing for locked files
CryptUnprotectData -- DPAPI key decryption
CoCreateInstance (IElevator CLSID) -- Chrome ABE bypass
XOR Key Family: 0x855fe8xx / 0x855feaxx (rolling, per-string)
File Access:
%LOCALAPPDATA%\Google\Chrome\User Data\Local State
%LOCALAPPDATA%\Microsoft\Edge\User Data\Local State
%LOCALAPPDATA%\BraveSoftware\Brave-Browser\User Data\Local State
%APPDATA%\Opera Software\Opera Stable\Local State
%APPDATA%\Opera Software\Opera GX Stable\Local State
%LOCALAPPDATA%\Vivaldi\User Data\Local State
VS Code Extension IOCs (Wave 1 -- still active as of 2026-03-16)
codejoy.codejoy-vscode-extension l-igh-t.vscode-theme-seti-folder
kleinesfilmroellchen.serenity-dsl-syntaxhighlight JScearcy.rust-doc-viewer
SIRILMP.dark-theme-sm CodeInKlingon.git-worktree-menu
ginfuru.better-nunjucks jeronimoekerdt.color-picker-universal
srcery-colors.srcery-colors
MITRE ATT&CK Mapping
| ID | Technique | Component | Application |
|---|---|---|---|
| T1176 | Browser Extensions | macOS | Sideloads malicious Chrome extension |
| T1036.005 | Masquerading: Match Legitimate Name | macOS | Impersonates "Google Docs Offline" |
| T1553 | Subvert Trust Controls | macOS | Recalculates Chrome HMAC-SHA super_mac |
| T1539 | Steal Web Session Cookie | macOS | Priority extraction of Bybit session cookies |
| T1056.001 | Input Capture: Keylogging | macOS | All keystrokes within Chrome |
| T1115 | Clipboard Data | macOS | Captures copied crypto addresses, seed phrases |
| T1113 | Screen Capture | macOS | Tab screenshots via Chrome API |
| T1102.002 | Web Service: Bidirectional Communication | Both | C2 via Solana blockchain dead-drop |
| T1555.003 | Credentials from Web Browsers | Windows | Master key extraction for 6 Chromium browsers |
| T1212 | Exploitation for Credential Access | Windows | COM elevation to bypass App-Bound Encryption |
| T1134 | Access Token Manipulation | Windows | DuplicateHandle for locked file access |
| T1027 | Obfuscated Files or Information | Windows | Rolling XOR string encoding |
| T1057 | Process Discovery | Windows | NtQuerySystemInformation handle enumeration |
| T1041 | Exfiltration Over C2 Channel | Both | Stolen data to Solana-resolved C2 |
Detection Guidance
YARA Rules
rule GlassWorm_Wave3_macOS_RedExtAgent {
meta:
author = "GHOST - Breakglass Intelligence"
date = "2026-03-17"
description = "GlassWorm Wave 3 macOS Chrome extension sideloader (RedExt Agent)"
hash = "ee3e4dd5c1e073b8805f4107ccc7bc7e6e3c209fe13ea04ff3f2173c8dbe74a6"
tlp = "WHITE"
reference = "https://intel.breakglass.tech"
strings:
$s1 = "RedExt Agent" ascii wide
$s2 = "Google Docs Offline" ascii wide
$s3 = "Secure Preferences" ascii wide
$s4 = "super_mac" ascii wide
$s5 = "DSRUBTziADDHSik7WQvSMjvwCHFsbsThrbbjWMoJPUiW" ascii
$s6 = "mainnet-beta" ascii
$s7 = "bybit.com" ascii wide
$s8 = "davidioasd" ascii
condition:
(uint32(0) == 0xBEBAFECA or uint32(0) == 0xFEEDFACF or uint32(0) == 0xFEEDFACE) and
filesize < 5MB and (3 of them)
}
rule GlassWorm_Wave3_ABE_Bypass_DLL {
meta:
author = "GHOST - Breakglass Intelligence"
date = "2026-03-17"
description = "GlassWorm Wave 3 Windows Chromium ABE bypass DLL"
hash = "43253a888417dfab034f781527e08fb58e929096cb4ef69456c3e13550cb4e9e"
tlp = "WHITE"
reference = "https://intel.breakglass.tech"
strings:
$api1 = "NtQuerySystemInformation" ascii
$api2 = "DuplicateHandle" ascii
$api3 = "CryptUnprotectData" ascii
$api4 = "CoCreateInstance" ascii
$b1 = "Chrome" ascii wide
$b2 = "Edge" ascii wide
$b3 = "Brave" ascii wide
$b4 = "Opera" ascii wide
$b5 = "Vivaldi" ascii wide
condition:
uint16(0) == 0x5A4D and filesize < 100KB and
$api1 and $api2 and ($api3 or $api4) and 3 of ($b*)
}
rule GlassWorm_Solana_DeadDrop {
meta:
author = "GHOST - Breakglass Intelligence"
date = "2026-03-17"
description = "GlassWorm Solana blockchain dead-drop C2 resolution"
tlp = "WHITE"
reference = "https://intel.breakglass.tech"
strings:
$wallet = "DSRUBTziADDHSik7WQvSMjvwCHFsbsThrbbjWMoJPUiW" ascii wide
$c1 = "c2server" ascii wide
$c2 = "checkIp" ascii wide
$r1 = "mainnet-beta" ascii wide
$r2 = "helius-rpc" ascii wide
$r3 = "getTransaction" ascii wide
condition:
$wallet or (1 of ($c*) and 2 of ($r*))
}
Suricata Rules
alert http $HOME_NET any -> $EXTERNAL_NET any (
msg:"BGI - GlassWorm Wave 3 C2 Beacon to Port 5000";
flow:established,to_server;
content:"POST"; http_method;
content:":5000"; http_host;
metadata:created_at 2026_03_17, updated_at 2026_03_17;
reference:url,intel.breakglass.tech;
classtype:trojan-activity;
sid:9000201; rev:1;
)
alert http $HOME_NET any -> $EXTERNAL_NET any (
msg:"BGI - GlassWorm Solana Dead-Drop RPC Query";
flow:established,to_server;
content:"getTransaction"; http_client_body;
content:"DSRUBTziADDH"; http_client_body;
metadata:created_at 2026_03_17, updated_at 2026_03_17;
reference:url,intel.breakglass.tech;
classtype:trojan-activity;
sid:9000202; rev:1;
)
alert http $HOME_NET any -> $EXTERNAL_NET any (
msg:"BGI - Possible GlassWorm Solana C2 Resolution via Helius RPC";
flow:established,to_server;
content:"helius-rpc.com"; http_host;
content:"getTransaction"; http_client_body;
metadata:created_at 2026_03_17, updated_at 2026_03_17;
reference:url,intel.breakglass.tech;
classtype:trojan-activity;
sid:9000203; rev:1;
)
Endpoint Detection Logic
macOS -- highest-fidelity signals:
- Any process modifying Chrome's
Secure Preferencesfile outside of the Chrome application bundle - New Chrome extension directories created by non-Chrome processes
- Any Chrome extension claiming to be "Google Docs Offline" with version 1.95.1 that is not installed from the Chrome Web Store
Windows -- highest-fidelity signals:
- Any non-browser process calling
NtQuerySystemInformationwithSystemHandleInformationclass followed byDuplicateHandletargeting browser process handles - Non-browser processes instantiating Chrome's
IElevatorCOM interface - Any process reading
Local Statefiles for multiple browsers in rapid succession - DLLs under 100 KB that import both
NtQuerySystemInformationandCryptUnprotectData
What This Means
GlassWorm Is a Full-Spectrum Operation
Wave 1 was the beachhead: compromise developers through VS Code extensions and npm packages, steal their credentials, use their publishing rights to spread the worm, and deploy a fileless PE loader for arbitrary payload execution.
Wave 3 is the weaponization: use the established foothold to deploy cross-platform tools purpose-built for cryptocurrency theft. A macOS RAT that hijacks Chrome to target exchange sessions. A Windows DLL that cracks open every major Chromium browser's encrypted credential store. Both coordinated through a blockchain C2 channel that is effectively immune to takedown.
This is not two separate campaigns. It is one operation with a clear strategic arc:
[Wave 1] Compromise developer supply chain
|
v
[Wave 2] Propagate via stolen credentials (worm)
|
v
[Wave 3] Deploy cross-platform crypto theft tools
|
v
[Wave 4] ? (Likely: expanded targeting beyond Bybit,
additional browser/wallet capabilities,
potential ransomware deployment via
established access)
The Blockchain C2 Problem Is Here
GlassWorm is not the first malware to use blockchain for C2 -- Glupteba used Bitcoin, SalatStealer used TON. But GlassWorm's implementation is the most operationally mature we have seen: a specific wallet, a JSON config schema in memo fields, and 11 redundant RPC endpoints creating a channel that is free (~$0.00025/rotation), permanent, uncensorable, instantly rotatable, and indistinguishable from legitimate DeFi traffic.
Domain-based and IP-based blocking is insufficient. Detection must happen at the endpoint.
What Defenders Should Do Now
Immediate: Check all workstations for the nine live VS Code extensions. On macOS, search for a Chrome extension named "Google Docs Offline" v1.95.1 not installed from the Web Store. On Windows, deploy the ABE bypass YARA rule. Block the Solana wallet address at the content inspection layer if your stack supports deep packet inspection.
Short-term: Rotate all saved passwords and cookies in Chrome, Edge, Brave, Opera, Opera GX, and Vivaldi on any machine with GlassWorm indicators. Force-reset Bybit sessions and enable hardware 2FA for all crypto exchange accounts. Audit Chrome extensions enterprise-wide against Web Store provenance.
Medium-term: Implement Chrome extension allowlisting via enterprise policy. Monitor for new samples containing davidioasd or the Solana wallet. Establish behavioral detection for Secure Preferences modification by non-Chrome processes. Report the nine live VS Code extensions to Microsoft.
If You Are the Threat Actor
You left davidioasd in the binary. The crates.io hash 1949cf8c6b5b557f clusters your entire build environment. The Solana wallet is now monitored by multiple threat intelligence organizations. Every transaction you send is logged. The Vultr VPS in Aubervilliers has been reported. We are following every mistake.
Timeline
| Date | Event |
|---|---|
| October 2025 | GlassWorm Wave 1 begins: 12+ VS Code extensions compromised |
| 2025-10-27 | Community detection (ConbroIT Security, Munich) |
| 2025-11-19 | Wave 1 PE loader compiled (generate.dll, Administrator) |
| 2025-12-08 | Community scanner glassworm-scanner published |
| 2026-01-29 | Wave 3 Windows ABE bypass DLL compiled |
| 2026-03-16 | Breakglass publishes Wave 1 analysis; 9/12 extensions still live |
| 2026-03-17 | Breakglass Wave 3 analysis (this report): cross-platform expansion |
References
- Breakglass Intelligence: GlassWorm -- 9 Infected VS Code Extensions Are Still Live (Wave 1 analysis, 2026-03-16)
- GitHub:
natorus87/vscode-extension-cleanup-glassworm-- Extension list, cleanup scripts - GitHub:
cahyod/glassworm-scanner-- Detection signatures, C2 pattern identification - Google: Chrome App-Bound Encryption (July 2024)
- Solana Documentation: Transaction Memo Program
- ConbroIT Security (Munich, Germany) -- Original community detection and response
Analysis by GHOST -- Breakglass Intelligence Published: 2026-03-17 TLP:WHITE -- Unrestricted distribution