GlassWorm is a sophisticated multi-stage threat framework distributed through compromised npm packages. What sets it apart is Stage 3b: the attacker force-installs a malicious Chrome extension masquerading as "Google Docs Offline" (v1.95.1), giving them persistent, stealthy access to everything the browser touches — including cryptocurrency wallets. The C2 address is stored on the Solana blockchain, so there's no server to take down.
Stage 1: Infection and Geofencing
The loader begins by checking for Russian locale settings. If detected, execution halts — a common indicator that threat actors want to avoid targeting jurisdictions where they operate. For all other systems, it queries the Solana blockchain's getSignaturesForAddress RPC method to retrieve transaction memos containing the Stage 2 payload URL, encoded in base64.
Two Solana wallets distribute Stage 2 payloads:
- BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC
- 6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ
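Because the Stage 2 URL is published as a base64 memo on a fixed wallet, the same RPC call can be turned around for threat hunting: poll the two wallets above and pull any URL that appears in a new memo into a blocklist. The script below is an added example written for this page, not the loader's code or anything from the campaign. It assumes the JSON shape of a Solana getSignaturesForAddress response, with the memo returned as "[<length>] <text>" (stripped only when that prefix is present), and runs on a constructed response embedded in the file; the signatures, block times and payload URL in it are invented.

```python
import base64
import binascii
import json
import re

# Watchlist: the two Stage 2 distribution wallets named in the report.
WATCHED_WALLETS = (
    "BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC",
    "6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ",
)

# Assumption: the RPC renders a memo as "[<byte length>] <text>"; the prefix
# is removed only when it is there, so plain memo strings also work.
_MEMO_PREFIX = re.compile(r"^\[\d+\]\s*")
_URL_RE = re.compile(r"(?:https?|wss?)://[^\s\"'<>]+")


def memo_text(memo):
    """Return the memo body without the RPC length prefix, or None if empty."""
    if not memo:
        return None
    return _MEMO_PREFIX.sub("", memo, count=1)


def decode_base64_memo(text):
    """Strictly base64-decode a memo body; None unless it yields printable ASCII."""
    try:
        raw = base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return decoded if decoded.isprintable() else None


def hunt_memos(response_json, wallet):
    """Walk a getSignaturesForAddress response for `wallet` and return one
    finding per URL found in a memo that base64-decodes to text."""
    findings = []
    for entry in json.loads(response_json).get("result", []):
        text = memo_text(entry.get("memo"))
        if text is None:
            continue
        decoded = decode_base64_memo(text)
        if decoded is None:
            continue
        for url in _URL_RE.findall(decoded):
            findings.append({
                "wallet": wallet,
                "signature": entry.get("signature"),
                "block_time": entry.get("blockTime"),
                "url": url,
            })
    return findings


def _memo(text):
    """Build a memo string in the assumed "[len] base64" form (test data only)."""
    b64 = base64.b64encode(text.encode()).decode()
    return f"[{len(b64)}] {b64}"


# Constructed sample response: one base64 memo carrying a URL, one entry
# without a memo, and one memo that is not base64 at all.
SAMPLE_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "id": 1,
    "result": [
        {"signature": "sig-constructed-1", "slot": 100, "err": None,
         "memo": _memo("https://stage2.example.invalid/payload.js"),
         "blockTime": 1700000000, "confirmationStatus": "finalized"},
        {"signature": "sig-constructed-2", "slot": 101, "err": None,
         "memo": None, "blockTime": 1700000060, "confirmationStatus": "finalized"},
        {"signature": "sig-constructed-3", "slot": 102, "err": None,
         "memo": "[5] hello", "blockTime": 1700000120, "confirmationStatus": "finalized"},
    ],
})

if __name__ == "__main__":
    # In production, SAMPLE_RESPONSE would be replaced by the live RPC reply
    # for each wallet in WATCHED_WALLETS; here the constructed sample is used.
    for wallet in WATCHED_WALLETS:
        for finding in hunt_memos(SAMPLE_RESPONSE, wallet):
            print(f"{finding['wallet']} {finding['signature']} -> {finding['url']}")
```

Strict decoding (validate=True plus the printable-ASCII check) matters: most memos on a busy chain are not base64, and loose decoding would turn random text into bytes and produce noise rather than indicators.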
Stage 2: Credential Harvesting
The second stage targets 71 browser extension wallet IDs plus developer and cloud credentials:
- npm tokens, Git tokens, VS Code credentials
- AWS, GCP, Azure, Docker, and Kubernetes secrets
- Full system profile
All collected data is zipped and exfiltrated to 217.69.3[.]152/wall.
Stage 3a: Hardware Wallet Phishing
A .NET WPF binary (Assaac.exe) monitors USB connections. When a Ledger or Trezor device is detected, it overlays a convincing fake recovery-phrase dialog. The 24-word seed phrases entered by the victim are transmitted to 45.150.34[.]158.
Stage 3b: The Chrome Extension RAT
The Node.js RAT installed at %APPDATA%\QtCvyfVWKH\index.js uses DHT lookup (public key 3c90fa0e84dd76c94b1468f38ed640945d72bc12) for C2 discovery, with Solana wallet BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC as fallback.
It then force-installs a malicious Chrome extension. The extension resolves its own C2 via Solana wallet DSRUBTziADDHSik7WQvSMjvwCHFsbsThrbbjWMoJPUiW and implements:
- Keylogging: Hooks keydown, keyup, keypress, input, change, focus, and blur events
- Cookie theft: Targeted surveillance on Bybit (.bybit.com) session cookies
- Screenshots: Base64-encoded captures of all browser tabs
- Clipboard intercept: navigator.clipboard.readText()
- Session token exfiltration: Secure-token and deviceid cookies
- DOM snapshots and browser fingerprinting
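Every capability in that list needs a permission or content-script grant declared in the extension's manifest, so a manifest audit of each Chrome profile is a cheap way to find a forced install like this one. The audit below is an added example for this page, not code from the report or from Chrome. It assumes the standard profile layout (Extensions/<id>/<version>/manifest.json), maps the reported capabilities to manifest permissions on its own judgement (cookies, tabs, clipboardRead, a content script on every URL), and treats any install whose update_url is not the Chrome Web Store endpoint as sideloaded or policy-forced; the two manifests it runs on are constructed.

```python
import json
import os

# Indicator from the report: the RAT extension masquerades as "Google Docs
# Offline" v1.95.1. The genuine extension of that name is bundled with Chrome,
# so a copy installed into a profile from outside the Web Store is the signal.
REPORTED_NAME = "Google Docs Offline"
REPORTED_VERSION = "1.95.1"
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Assumed mapping of the reported capabilities to manifest permissions; the
# weights are this example's own scoring, not anything from the report.
RISKY_PERMISSIONS = {
    "cookies": 3,        # session cookie theft
    "clipboardRead": 3,  # navigator.clipboard.readText()
    "tabs": 1,           # tab enumeration for screenshots
    "webRequest": 2,
    "scripting": 1,
}
ALL_URL_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest, location="<memory>"):
    """Score one manifest dict and return {'location','score','reasons','verdict'}."""
    score, reasons = 0, []
    if manifest.get("name") == REPORTED_NAME and manifest.get("version") == REPORTED_VERSION:
        score += 10
        reasons.append("name and version match the reported IoC")
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        score += 2
        reasons.append("not updated from the Chrome Web Store (sideloaded or forced)")
    for perm in manifest.get("permissions", []):
        if perm in RISKY_PERMISSIONS:
            score += RISKY_PERMISSIONS[perm]
            reasons.append(f"permission {perm}")
    # Keylogging of keydown/keyup/... needs a content script on the pages
    # being watched; a match on every URL is the broadest form of that grant.
    matches = set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        matches.update(script.get("matches", []))
    if matches & ALL_URL_PATTERNS:
        score += 3
        reasons.append("content script or host permission on all URLs")
    verdict = "suspicious" if score >= 8 else "review" if score >= 4 else "ok"
    return {"location": location, "score": score, "reasons": reasons, "verdict": verdict}


def audit_extensions_dir(root):
    """Audit every Extensions/<id>/<version>/manifest.json below `root`."""
    results = []
    for ext_id in sorted(os.listdir(root)) if os.path.isdir(root) else []:
        ext_dir = os.path.join(root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in sorted(os.listdir(ext_dir)):
            path = os.path.join(ext_dir, version, "manifest.json")
            if os.path.isfile(path):
                with open(path, encoding="utf-8") as fh:
                    results.append(audit_manifest(json.load(fh), path))
    return results


# Constructed manifests: one shaped like the reported extension, one benign.
SUSPECT_MANIFEST = {
    "manifest_version": 3,
    "name": REPORTED_NAME,
    "version": REPORTED_VERSION,
    "permissions": ["cookies", "tabs", "clipboardRead", "storage"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}
BENIGN_MANIFEST = {
    "manifest_version": 3,
    "name": "Example Notes",
    "version": "2.0.0",
    "update_url": WEBSTORE_UPDATE_URL,
    "permissions": ["storage"],
}

if __name__ == "__main__":
    for m in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        r = audit_manifest(m)
        print(f"{r['verdict']:10} score={r['score']:2} {m['name']}: {'; '.join(r['reasons'])}")
```

Point audit_extensions_dir at each profile's Extensions folder (on Windows under %LOCALAPPDATA%\Google\Chrome\User Data\<profile>\Extensions) and review anything scored "suspicious" or "review"; the name/version match alone is decisive for this campaign, but the permission scoring still flags a renamed rebuild of the same extension.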
Indicators of Compromise
IP addresses:
- 45.32.150[.]251 — Stage 2 delivery, WebSocket RAT port 4787
- 217.69.3[.]152 — Exfiltration (Stage 2: /wall, Stage 3: /log)
- 217.69.0[.]159 — DHT bootstrap port 10000
- 45.150.34[.]158 — Hardware wallet seed phrase exfil
File hashes (SHA-256):
- Ledger/Trezor phishing binary (Assaac.exe): 06fab21dc276e3ab9b5d0a1532398979fd377b080c86d74f2c53a04603a43b1d
- Browser credential stealer (x64): f171c383e21243ac85b5ee69821d16f10e8d718089a5c090c41efeaa42e81fca
- Browser credential stealer (x86): 9df62cefd87784c7ee1ca8b4e6fc49737a90492fa6c23901e3b7981b18c6c988
- HVNC module (x64): de81eacd045a88598f16680ce01bf99837b1d8170c7fc38a18747ef10e930776
Registry persistence:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateApp
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\UpdateLedger → %TEMP%\SKuyzYcDD.exe
Scheduled task: UpdateApp runs AghzgY.ps1 at startup with highest privileges
Solana C2 wallets:
- BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC (Stage 2 delivery; Stage 3b RAT fallback)
- 6YGcuyFRJKZtcaYCCFba9fScNUvPkGXodXE1mJiSzqDJ (Stage 2 delivery)
- DSRUBTziADDHSik7WQvSMjvwCHFsbsThrbbjWMoJPUiW (Chrome extension C2)
Why This Is Hard to Stop
The combination of Solana blockchain C2 and a browser extension RAT is deliberately difficult to remediate. Blocking the C2 IP doesn't help — the malware resolves new C2 addresses by reading Solana transaction memos. Removing the npm package after infection doesn't help — the Chrome extension is already installed. A full credential rotation and browser profile rebuild is the only reliable recovery path.