On May 26, 2026, CrowdStrike, Google, and the Shadowserver Foundation simultaneously disabled four redundant command and control channels of the Glassworm botnet—including the Solana blockchain and BitTorrent DHT—to n... Glassworm's operators engineered a resilient C2 architecture spanning Solana, BitTorrent, Google...

Create a landscape editorial hero image for this Studio Global article: What happened during CrowdStrike's coordinated takedown of the "unkillable" Glassworm botnet, which had been targeting software developers s. Article summary: On May 26, 2026, at 14:00 UTC, CrowdStrike's Counter Adversary Operations team, working with Google and the Shadowserver Foundation, executed a coordinated takedown of the Glassworm botnet by simultaneously disrupting al. Topic tags: general, general web. Reference image context from search candidates: Reference image 1: visual subject "# CrowdStrike, Google, and Shadowserver dismantle "unkillable" Glassworm botnet targeting software developers. CrowdStrike, Google, and Shadowserver dismantle. In a coordinated tak" source context "CrowdStrike, Google, and Shadowserver dismantle "unkillable ..." Reference image 2: visual subject "Abstract image of robots working
The takedown of the Glassworm botnet on May 26, 2026, represents a landmark achievement in cybersecurity operations against threats targeting the software supply chain. CrowdStrike's Counter Adversary Operations team, in collaboration with Google and the non-profit Shadowserver Foundation, executed a meticulously planned, simultaneous disruption of a botnet architecture deliberately designed to be unkillable through conventional means .
Active since early 2025, Glassworm was not a typical botnet hunting for consumer devices. It specifically preyed on software developers, weaponizing the tools they trust. Attackers poisoned over 300 GitHub repositories, trojanized Visual Studio Code extensions, and compromised packages on both npm and Python's package indexes . This supply-chain approach gave the malware a presence across Windows, macOS, and Linux systems. The ultimate payload was GlasswormRAT, a Node.js remote access tool capable of harvesting credentials, recording keystrokes, and exfiltrating data, thereby turning a developer's machine into a launchpad for further downstream compromises
.
What made Glassworm uniquely resilient was its multi-channel command-and-control (C2) infrastructure. The operators deliberately avoided single points of failure by routing communications through four distinct, redundant channels .
This layered architecture was the core of the botnet's "unkillable" nature. Taking down one or two channels would leave the rest fully functional, allowing the operators to quickly reconstitute their control .
The only viable path to disruption was a simultaneous strike against all four C2 channels. CrowdStrike described the challenge plainly: "Disrupting this architecture required precision and timing. Taking down only one channel would have left the others operational, allowing the operators to quickly reconstitute" .
At 14:00 UTC on May 26, the coalition executed a precisely coordinated action that severed the connection between the botnet operators and their global network of infected machines . This did not automatically remove the GlasswormRAT malware from compromised endpoints, but it did block the operators' ability to issue new commands or deliver fresh malicious payloads
. The operation effectively neutered the botnet's offensive capability, even though the malware remains a latent threat on an unknown number of machines worldwide
.
CrowdStrike's intelligence assessment attributed the Glassworm operation to likely Russia-based cybercriminals . The group's focus on the open-source software supply chain represents a dangerous evolution in threat actor strategy, shifting from targeting end-user organizations to poisoning the very developers and tools that those organizations depend on.
The disruption is a critical defensive victory, but it is not a cure. CrowdStrike has recommended a concrete set of remediation steps for organizations to identify and cleanse any infected systems .
Studio Global AI
Use this topic as a starting point for a fresh source-backed answer, then compare citations before you share it.
On May 26, 2026, CrowdStrike, Google, and the Shadowserver Foundation simultaneously disabled four redundant command and control channels of the Glassworm botnet—including the Solana blockchain and BitTorrent DHT—to n...
On May 26, 2026, CrowdStrike, Google, and the Shadowserver Foundation simultaneously disabled four redundant command and control channels of the Glassworm botnet—including the Solana blockchain and BitTorrent DHT—to n... Glassworm's operators engineered a resilient C2 architecture spanning Solana, BitTorrent, Google Calendar, and VPS servers so that disabling any single channel would fail; the coalition had to strike all four simultan...
CrowdStrike advises organizations to scan for GlasswormRAT using their Falcon platform, check logs for connections to specific IP addresses, and fully rebuild infected workstations from known good images.