{
	"id": "481fad74-e1cf-4bfe-a106-16274a8a39ac",
	"created_at": "2026-04-29T02:21:57.413594Z",
	"updated_at": "2026-04-29T08:22:10.081061Z",
	"deleted_at": null,
	"sha1_hash": "14d66f2872fbec9e47bf2cc7db5748b058bf841a",
	"title": "GlassWorm Goes Native: Same Infrastructure, Hardened Delivery",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 278968,
	"plain_text": "GlassWorm Goes Native: Same Infrastructure, Hardened Delivery\r\nBy Lotan Sery\r\nArchived: 2026-04-29 02:12:01 UTC\r\nGlassWorm is back. Again. Since we first exposed this campaign in October, we've seen two waves, over 45,000 victims, and one attacker who won't quit.\r\nAfter our last disclosure, things went quiet for a few weeks. Then, on November 22, a familiar Solana wallet woke up with a fresh transaction and a new C2 IP. And within days, malicious extensions started appearing again.\r\nBut this wave is different.\r\nThe invisible Unicode technique we exposed in our first report? Completely gone.\r\nInstead, we found compiled Rust binaries. All the functionality we decoded from those invisible characters – Solana C2 lookups, AES decryption, payload staging – is now compiled into native code that you can't just decode anymore. You'd need to reverse engineer Rust binaries to see what's happening.\r\nThis time they also expanded beyond OpenVSX, targeting Microsoft's official VSCode marketplace too, publishing clean extensions first, then updating them with malware.\r\nThe wallet and attack chain remain the same, but the payload is now hidden inside native binaries.\r\nLet's look at Iconesvscode, an extension that impersonates the popular vscode-icons theme:\r\nThe fake Iconesvscode extension on Koidex\r\nhttps://www.koi.ai/blog/glassworm-goes-native-same-infrastructure-hardened-delivery\r\nPage 1 of 6\n\nThe real vscode-icons extension on Koidex\r\nVersion 12.15.0? Clean. A legitimate icon theme with 22,765 lines of JavaScript doing exactly what an icon theme should do.\r\nBut when versions 12.15.1 and 12.15.2 came out, the entire codebase got replaced with this:\r\nRust binary loader\r\nOnly 33 lines remained: no icon theme functionality, just a binary loader that detects your operating system and executes a native binary.\r\nThose .node files – darwin.node for macOS, os.node for Windows – are Rust binaries, and they contain everything.\r\nWhat's Inside the Binaries\r\nEach extension comes packed with these native binaries.\r\nThe structure:\r\nRust-based (the project is literally named rust_implant)\r\nSeparate builds for Windows (os.node) and macOS (darwin.node)\r\nAround 2.4 MB each\r\nNode.js addon format\r\nThe functionality:\r\nQueries Solana blockchain for C2 instructions\r\nFetches and decrypts payloads (Base64, AES-256-CBC)\r\nGoogle Calendar fallback built in\r\nDeveloper traces:\r\nThe macOS binary contains paths like:\r\n/Users/davidioasd/Downloads/rust_implant/target/release/deps/librust_implant.dylib\r\n/Users/davidioasd/.cargo/registry/src/index.crates.io-1949cf8c6b5b557f/http-body-util-0.1.3/src/combinators/collect.rs\r\nThat davidioasd string matches patterns we saw in the first wave binaries. Same developer, same campaign, weeks apart.\r\nWhat's Next\r\nThe extensions have all been taken down.\r\nThe Solana wallet is still there, the attacker's infrastructure is still up, and they've shown twice now that takedowns don't stop them for long.\r\nWe're continuing to monitor. Based on the pattern, this probably isn't the last wave.\r\nIOCs\r\nExtensions\r\nOpenVSX:\r\nbphpburn.icons-vscode\r\nclangdcode.clangd-vscode\r\ncsvmech.csv-sql-tsv-rainbow\r\ncweijamysq.sync-settings-vscode\r\neamodas.shiny-vscode\r\nflutcode.flutter-extension\r\niconkief.icon-theme-material\r\nmsjsdreact.react-native-vscode\r\nsaoudrizvsce.claude-dev\r\nsaoudrizvsce.claude-devsce\r\nsolblanco.svelte-vscode\r\nsvltsweet.svetle-for-cursor\r\ntailwind-nuxt.tailwindcss-for-react\r\nvitalik.solidity\r\nyamlcode.yaml-vscode-extension\r\nMicrosoft VSCode:\r\nbphpburnsus.iconesvscode\r\niconkieftwo.icon-theme-materiall\r\nclangdcode.clangd-vsce\r\ncodevsce.codelddb-vscode\r\ncsvmech.csvrainbow\r\ncweijamysq.sync-settings-vscode\r\ndart-vsc.code-dart\r\nflutcode.flutter-extension\r\nklustfix.kluster-code-verify\r\nlyywemhan.code-formatter-and-minifier-vscode\r\nmsjsdreact.react-native-vsce\r\nprettier-vsc.vsce-prettier\r\nprisma-inc.prisma-studio-assistance\r\nredmat.vscode-quarkus-pro\r\nsaoudrizvsce.claude-devsce\r\nsolblanco.svetle-vsce\r\nvims-vsce.vscode-vim\r\nvsceue.volar-vscode\r\nyamlcode.yaml-vscode-extension\r\nRust Implants (SHA-256)\r\ndarwin.node\r\n026873b940176d103d45b41c9fba73f14cfcaca60e3117be81d2eadef85a4d17\r\n9bd105ce732218f30719fd69d4555967b362d37f4f6aec04741c18aaa7411a73\r\nfb07743d139f72fca4616b01308f1f705f02fda72988027bc68e9316655eadda\r\nos.node\r\ncbb3f830731fe2c9194f7fe5aa55479cffdae184039b0df078b1394209d7a49f\r\n29875e74f033c819c1acab58ef08bc35646aab5f4a2747ee0933ca41150d7099\r\n6ebeb188f3cc3b647c4460c0b8e41b75d057747c662f4cd7912d77deaccfd2f2\r\nCommand \u0026 Control:\r\n217.69.13.229\r\n45.76.45.151\r\n45.32.151.157\r\n107.191.62.170\r\n104.238.191.54 (exfiltration server)\r\n108.61.208.161 (exfiltration server)\r\nSource: https://www.koi.ai/blog/glassworm-goes-native-same-infrastructure-hardened-delivery",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.koi.ai/blog/glassworm-goes-native-same-infrastructure-hardened-delivery"
	],
	"report_names": [
		"glassworm-goes-native-same-infrastructure-hardened-delivery"
	],
	"threat_actors": [],
	"ts_created_at": 1777429317,
	"ts_updated_at": 1777450930,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/14d66f2872fbec9e47bf2cc7db5748b058bf841a.pdf",
		"text": "https://archive.orkl.eu/14d66f2872fbec9e47bf2cc7db5748b058bf841a.txt",
		"img": "https://archive.orkl.eu/14d66f2872fbec9e47bf2cc7db5748b058bf841a.jpg"
	}
}