<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>MacOS Archives - MASSIVE News</title>
	<atom:link href="https://massive.news/tag/macos/feed/" rel="self" type="application/rss+xml" />
	<link>https://massive.news/tag/macos/</link>
	<description>Progressive Mix of World News and Propaganda</description>
	<lastBuildDate>Wed, 10 Jun 2026 17:00:07 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://massive.news/wp-content/uploads/2024/08/m-150x150.jpg</url>
	<title>MacOS Archives - MASSIVE News</title>
	<link>https://massive.news/tag/macos/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>CrowdStrike 2026 Technology Threat Landscape Report: China&#8217;s Ambitions Fuel Attacks</title>
		<link>https://massive.news/crowdstrike-2026-technology-threat-landscape-report-chinas-ambitions-fuel-attacks/</link>
		
		<dc:creator><![CDATA[wiredgorilla]]></dc:creator>
		<pubDate>Wed, 10 Jun 2026 17:00:07 +0000</pubDate>
				<category><![CDATA[Technology and Science]]></category>
		<category><![CDATA[access]]></category>
		<category><![CDATA[AI]]></category>
		<category><![CDATA[Analysis]]></category>
		<category><![CDATA[axios]]></category>
		<category><![CDATA[china]]></category>
		<category><![CDATA[Counter Adversary Operations]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[espionage]]></category>
		<category><![CDATA[europe]]></category>
		<category><![CDATA[full]]></category>
		<category><![CDATA[GitHub]]></category>
		<category><![CDATA[intellectual property]]></category>
		<category><![CDATA[Intelligence]]></category>
		<category><![CDATA[Law enforcement]]></category>
		<category><![CDATA[MacOS]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Open]]></category>
		<category><![CDATA[Operations]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[software development]]></category>
		<category><![CDATA[supply chain]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[Threat Hunting & Intel]]></category>
		<category><![CDATA[vulnerabilities]]></category>
		<guid isPermaLink="false">https://massive.news/crowdstrike-2026-technology-threat-landscape-report-chinas-ambitions-fuel-attacks/</guid>

					<description><![CDATA[<p>The technology sector has, for the past several years, been the most targeted industry among eCrime...</p>
<p>The post <a href="https://massive.news/crowdstrike-2026-technology-threat-landscape-report-chinas-ambitions-fuel-attacks/">CrowdStrike 2026 Technology Threat Landscape Report: China&rsquo;s Ambitions Fuel Attacks</a> appeared first on <a href="https://massive.news">MASSIVE News</a>.</p>
]]></description>
					<content:encoded><![CDATA[<span>
<p>The technology sector has, for the past several years, been the most targeted industry among eCrime and state-sponsored adversaries whose motivations span financial gain, long-term intelligence collection, and industrial espionage.</p>
<p>Modern tech companies are building the world’s most valuable and targeted assets. Their cutting-edge innovations, now including AI, represent competitive advantage and heightened risk. Adversaries are taking aim, and defenders that understand them are best equipped to stop them.</p>
<p>The CrowdStrike 2026 Technology Threat Landscape Report, based on intelligence from the CrowdStrike Counter Adversary Operations team, details the trends and events that defined the technology threat landscape from April 1, 2025 through March 31, 2026. Its analysis reveals which adversaries target tech entities and the methods they use, so organizations can prepare to face an evolving threat landscape.</p>
<p><b>Learn more: Download the CrowdStrike 2026 Technology Threat Landscape Report</b></p>
<h2>Nation-State Adversaries Set Sights on Technology</h2>
<p>Based on observed targeting patterns, more than 58% of state-sponsored targeted intrusions were attributed to China-nexus adversaries, which also posed the greatest intelligence collection threat to tech organizations. Adversaries including MURKY PANDA, MUSTANG PANDA, OVERCAST PANDA, SUNRISE PANDA, and WARP PANDA targeted the tech sector more than any other industry.</p>
<p>Their operations appear to be driven by interest in technology development, intellectual property, and information aligning with the Chinese Communist Party’s intelligence collection goals. According to CrowdStrike threat intelligence, China’s strategic imperative is to achieve technological self-sufficiency and competitive advantage in key emerging technologies, so AI capabilities are likely a high-value target for them. In addition to this data, China-nexus adversaries seek access to downstream customer environments that can enable supply chain compromise.</p>
<p>Instances of China-nexus cyber activity against the tech sector:</p>
<ul>
<li>SUNRISE PANDA consistently targeted tech entities in East and Southeast Asia, particularly mail infrastructure that may provide access to government communications.</li>
<li>MURKY PANDA conducted password-spraying attacks against more than 340 primarily U.S.-based organizations across sectors, with tech among the most affected.</li>
<li>WARP PANDA repeatedly targeted North American tech organizations, where they exploited vulnerabilities and maintained persistent access.</li>
</ul>
<p>China-nexus adversaries aren’t the only nation-state actors infiltrating tech companies. CrowdStrike observed that Democratic People’s Republic of Korea (DPRK) adversaries, including FAMOUS CHOLLIMA, LABYRINTH CHOLLIMA, and STARDUST CHOLLIMA, also targeted the technology sector — historically a key target for DPRK insider threat activity due to remote, high-salary roles.</p>
<p>FAMOUS CHOLLIMA accounted for 47% of all state-sponsored hands-on-keyboard operations against the tech sector, meaning they were most active in manual operations rather than traditional malware. In their IT worker infiltration campaigns, they sought fraudulent employment at tech companies across North America, Europe, and Asia. Our findings indicate their primary motivation is financial gain; revenue from these attacks goes toward the regime.</p>
<p>DPRK-nexus adversaries also pursued supply chain compromise: STARDUST CHOLLIMA compromised the Axios npm package, downloaded 100 million times per week, in operations that likely exposed millions of downstream users and poisoned open-source supply chains.</p>
<h2>eCrime Adversaries Accelerate Extortion Operations</h2>
<p>Tech entities are a key target for eCrime adversaries due to opportunities to disrupt operations and their vast stores of monetizable information. eCrime activity made up 65% of hands-on-keyboard operations targeting tech. Initial access brokers advertised access to 277 technology companies, a nearly 30% increase that indicates heightened demand for identity-driven access.</p>
<p>Most big game hunting (BGH) activity targeted North America-based technology entities. BGH adversaries named 572 technology organizations on dedicated leak sites for extortion, far surpassing other sectors. In the same time frame, BGH adversaries named only 16 law enforcement and nine defense organizations.</p>
<p>Instances of eCrime activity against the tech sector:</p>
<ul>
<li>Multiple eCrime threat actors used OpenClaw-related lures to distribute malware, exploiting the surge in AI adoption. A February 2026 campaign distributed a new macOS information stealer via fake OpenClaw skills.</li>
<li>The <i>Crimson Collective</i> group claimed to access and steal data from the private code repositories of a software development company; they purportedly accessed 570GB of data across 28,000 projects.</li>
<li>An unknown threat actor operating <i>Glassworm</i> malware compromised 350 GitHub repositories to inject malicious code.</li>
</ul>
<p>The technology sector is one of the most, if not the most, persistently targeted industries in the global threat landscape. Tech organizations must be aware of threats to best prepare to face them. The CrowdStrike 2026 Technology Threat Landscape Report provides CrowdStrike’s observations of the themes and trends that defined this sector. Download the full report to understand how today’s adversaries are targeting tech and how to strengthen defenses.</p>
</span>
<p>The post <a href="https://massive.news/crowdstrike-2026-technology-threat-landscape-report-chinas-ambitions-fuel-attacks/">CrowdStrike 2026 Technology Threat Landscape Report: China&rsquo;s Ambitions Fuel Attacks</a> appeared first on <a href="https://massive.news">MASSIVE News</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Disrupting Glassworm: Inside CrowdStrike&#8217;s Takedown of a Developer-Targeting Botnet</title>
		<link>https://massive.news/disrupting-glassworm-inside-crowdstrikes-takedown-of-a-developer-targeting-botnet-3/</link>
		
		<dc:creator><![CDATA[wiredgorilla]]></dc:creator>
		<pubDate>Mon, 08 Jun 2026 16:00:09 +0000</pubDate>
				<category><![CDATA[Technology and Science]]></category>
		<category><![CDATA[access]]></category>
		<category><![CDATA[AI]]></category>
		<category><![CDATA[copyright]]></category>
		<category><![CDATA[Counter Adversary Operations]]></category>
		<category><![CDATA[cursor]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[developer]]></category>
		<category><![CDATA[developers]]></category>
		<category><![CDATA[extensions]]></category>
		<category><![CDATA[featured]]></category>
		<category><![CDATA[full]]></category>
		<category><![CDATA[GitHub]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Intelligence]]></category>
		<category><![CDATA[language]]></category>
		<category><![CDATA[Law enforcement]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[MacOS]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[means]]></category>
		<category><![CDATA[meta]]></category>
		<category><![CDATA[Nodejs]]></category>
		<category><![CDATA[Open]]></category>
		<category><![CDATA[Operations]]></category>
		<category><![CDATA[Popular]]></category>
		<category><![CDATA[Programming]]></category>
		<category><![CDATA[Python]]></category>
		<category><![CDATA[russia]]></category>
		<category><![CDATA[secure]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[supply chain]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[Threat Hunting & Intel]]></category>
		<category><![CDATA[WHO]]></category>
		<category><![CDATA[Windows]]></category>
		<guid isPermaLink="false">https://massive.news/disrupting-glassworm-inside-crowdstrikes-takedown-of-a-developer-targeting-botnet-3/</guid>

					<description><![CDATA[<p>On May 26, 2026, at 14:00 UTC, the CrowdStrike Counter Adversary Operations team executed a coordinated...</p>
<p>The post <a href="https://massive.news/disrupting-glassworm-inside-crowdstrikes-takedown-of-a-developer-targeting-botnet-3/">Disrupting Glassworm: Inside CrowdStrike&rsquo;s Takedown of a Developer-Targeting Botnet</a> appeared first on <a href="https://massive.news">MASSIVE News</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>On May 26, 2026, at 14:00 UTC, the CrowdStrike Counter Adversary Operations team executed a coordinated takedown of the Glassworm botnet, a global threat targeting software developers through the open-source supply chain. In collaboration with Google and the Shadowserver Foundation, we struck all four of Glassworm&#8217;s command-and-control (C2) channels simultaneously, severing the operators from their infected machines and their ability to deliver new malicious payloads.</p>
<p>This takedown matters beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software. Adversaries are no longer just targeting products, they&#8217;re targeting the developers who build them.</p>
<h2>The Threat: Targeting Developers</h2>
<p>Since at least early 2025, Glassworm operators have systematically targeted software developers, a population with access to source code repositories, cloud platforms, CI/CD pipelines, and package registries. Developers represent uniquely high-value targets: compromising a single developer&#8217;s workstation can cascade into a supply-chain compromise that impacts thousands of downstream organizations and users.</p>
<p><img decoding="async" src="https://massive.news/wp-content/uploads/2026/06/disrupting-glassworm-inside-crowdstrikes-takedown-of-a-developer-targeting-botnet.png"></p>
<p>Glassworm&#8217;s operators exploited this reality with a multi-pronged campaign:</p>
<ul>
<li><b>Trojanized VSCode extensions</b> were published to the OpenVSX marketplace, disguised as popular tools like time trackers and code formatters. The malicious extensions targeted not only VSCode but also Cursor, Positron, Windsurf, VSCodium, and more.</li>
<li><b>Compromised npm and Python packages</b> introduced malicious code through postinstall hooks and setup scripts — executing silently during routine dependency installation.</li>
<li><b>More than 300 GitHub repositories</b> were poisoned using stolen developer credentials harvested from earlier Glassworm infections, with malicious code force-pushed into default branches.</li>
</ul>
<p>This cross-platform operation affected Windows, macOS, and Linux systems, with capabilities spanning information theft, credential harvesting, and a full-featured Node.js remote access tool dubbed GlasswormRAT.</p>
<h2>A Coordinated Disruption</h2>
<p>Glassworm&#8217;s operators built their infrastructure for resilience. The botnet&#8217;s C2 architecture relied on four distinct channels designed to resist traditional takedown efforts:</p>
<ol>
<li>
<p><b>Solana blockchain</b>: C2 server addresses are encoded in the memo fields of blockchain transactions, creating an immutable, publicly accessible dead-drop that cannot be taken offline through conventional means.</p>
</li>
<li>
<p><b>BitTorrent Distributed Hash Table (DHT)</b>: The GlasswormRAT queries the BitTorrent peer-to-peer network for configuration data stored against hardcoded public keys, leveraging a global decentralized network with no single point of failure.</p>
</li>
<li>
<p><b>Public calendar service</b>: Glassworm uses Google Calendar event titles as dead-drop locations for Base64-encoded C2 paths.</p>
</li>
<li>
<p><b>Direct server connections</b>: Traditional C2 infrastructure hosted on commercial VPS providers served as the final payload delivery mechanism.</p>
</li>
</ol>
<p>The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns — a dynamic front protecting the actual C2 servers behind multiple layers of indirection.</p>
<p><img decoding="async" src="https://massive.news/wp-content/uploads/2026/06/disrupting-glassworm-inside-crowdstrikes-takedown-of-a-developer-targeting-botnet-1.png"></p>
<p>Disrupting this architecture required precision and timing. Taking down only one channel would have left the others operational, allowing the operators to quickly reconstitute. All four channels had to be disrupted simultaneously in a coordinated effort. As a result, infected machines can no longer receive new instructions or payloads.</p>
<h2>The Example This Sets</h2>
<p>The Glassworm takedown sets a model for how the security community must approach supply-chain threats going forward.</p>
<p>The operators behind Glassworm are well-resourced and persistent. Over the course of more than a year, they continuously evolved: adopting new programming languages (from JavaScript to Rust to Zig), expanding across package ecosystems (VSCode, npm, PyPI, GitHub), and building redundant infrastructure designed to survive takedown attempts. Left unchecked, their access to developer credentials and systems posed ongoing risk of high-impact supply-chain compromises affecting organizations far beyond the initially infected developers.</p>
<p>The criminals are likely based in Russia. The evidence is classic: the malware checks the victim&#8217;s locale, language settings, and timezone at runtime, and quietly exits if it determines the machine is in a CIS country, a well-known tactic among cybercriminals in the region who avoid targeting systems close to home. Russian-language comments appear throughout the source code. No single indicator is proof on its own — locale checks can be copied, and code comments may reflect AI tooling rather than a native speaker — but the pattern is clear and consistent across more than a year of observed activity.</p>
<p>This case demonstrates:</p>
<ul>
<li><b>Proactive disruption of cyber threats is achievable</b>, even against infrastructure deliberately designed for resilience.</li>
<li><b>Precision strikes can cripple criminal operations</b> without requiring years of judicial process, by targeting the technical dependencies that adversaries cannot easily replace.</li>
<li><b>Cross-sector collaboration works.</b> Combining threat intelligence from private industry with law enforcement authority and platform cooperation from technology companies creates the conditions for decisive action.</li>
<li><b>Disruption liberates victims.</b> By severing command-and-control, infected machines are freed from adversary control, giving organizations the window they need to detect and remediate compromises.</li>
</ul>
<h2>How to Identify Infections</h2>
<p>To help organizations determine whether they have been affected by Glassworm, we are sharing a key network indicator: All Glassworm-infected machines now beacon to the benign CrowdStrike-operated IP address <code>164.92.88[.]210</code>. Organizations should review network logs and endpoint telemetry for connections to this address. Any match indicates a Glassworm infection that requires immediate remediation. The following YARA rules can be used to confirm infections on identified hosts:</p>
<pre>
<code>rule CrowdStrike_GlasswormRat_01 : glassworm glasswormrat
{
    meta:
        copyright = "(c) 2026 CrowdStrike Inc."
        description = "Characteristic strings in Glassworm's RAT script"
        last_modified = "2026-03-23"
        malware_family = "GlasswormRAT"
    strings:
        $download = "DownloadManager" ascii
        $socks = "start_socks" ascii
        $nodejs = "https://nodejs.org/download/release" ascii
        $dht = "bootstrap" ascii
    condition:
        all of them
}

rule CrowdStrike_GlasswormDownloader_01 : glassworm
{
    meta:
        copyright = "(c) 2026 CrowdStrike Inc."
        description = "Characteristic strings in the obfuscated python installer Glassworm variant"
        last_modified = "2026-03-13"
        malware_family = "Glassworm"
    strings:
        $zlib = "__import__('zlib')" ascii
        $decomp = "decompress(" ascii
        $lambda = "lambda" ascii
        // parentheses are regex metacharacters in YARA, so they are escaped
        // to match the literal exec(compile(...)) call in the installer
        $exec = /exec\(compile\(.{5,20}, '&lt;&gt;', 'exec'\)\)/
    condition:
        all of them and filesize &lt; 10KB
}</code>
</pre>
<h2>Detection Alone Is Not Enough</h2>
<p>The scope of Glassworm&#8217;s campaign illustrates a hard truth about the state of software supply-chain security: <i><b>Defending against these threats through after-the-fact detection alone is virtually impossible.</b></i> Malicious packages are installed through dependency updates in seconds, and detections usually happen when the harm is already done.</p>
<p>There are dozens of package ecosystems — npm, PyPI, OpenVSX, GitHub repositories — each with millions of packages and limited built-in security controls. Attackers can publish malicious code and reach thousands of victims within minutes. The Glassworm operators cycled through these package ecosystems while maintaining consistent access to developer machines.</p>
<p>This is why efforts to secure the software supply chain must be combined with a more aggressive posture against already established threats. This requires going beyond detection to actively dismantle the infrastructure that threats like Glassworm depend on.</p>
<h2>Conclusion</h2>
<p>This type of supply chain attack seeks maximum scale, minimum effort, and stealth. The software supply chain remains one of the most consequential attack surfaces in modern computing. Adversaries are turning an organization&#8217;s dependencies on tools, updates, and libraries into weaponized delivery mechanisms and force multipliers. The barrier to poisoning a package or extension is low; the potential blast radius is enormous. As long as developer environments, build pipelines, and code repositories remain under-protected, every organization that consumes software inherits the risk of everyone who produces it. Glassworm demonstrates that attackers know this and are investing in resilient infrastructure to maintain persistent access to developer ecosystems.</p>
<p>The security community — vendors, law enforcement agencies, platform operators, and the open-source ecosystem — must respond with equal determination. We need more operations and coordinated disruptions like this one. CrowdStrike is committed to taking the fight to the adversaries.</p>
<p>The post <a href="https://massive.news/disrupting-glassworm-inside-crowdstrikes-takedown-of-a-developer-targeting-botnet-3/">Disrupting Glassworm: Inside CrowdStrike&rsquo;s Takedown of a Developer-Targeting Botnet</a> appeared first on <a href="https://massive.news">MASSIVE News</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Disrupting Glassworm: Inside CrowdStrike&#8217;s Takedown of a Developer-Targeting Botnet</title>
		<link>https://massive.news/disrupting-glassworm-inside-crowdstrikes-takedown-of-a-developer-targeting-botnet-2/</link>
		
		<dc:creator><![CDATA[wiredgorilla]]></dc:creator>
		<pubDate>Fri, 29 May 2026 06:00:06 +0000</pubDate>
				<category><![CDATA[Technology and Science]]></category>
		<category><![CDATA[access]]></category>
		<category><![CDATA[AI]]></category>
		<category><![CDATA[copyright]]></category>
		<category><![CDATA[Counter Adversary Operations]]></category>
		<category><![CDATA[cursor]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[developer]]></category>
		<category><![CDATA[developers]]></category>
		<category><![CDATA[extensions]]></category>
		<category><![CDATA[featured]]></category>
		<category><![CDATA[full]]></category>
		<category><![CDATA[GitHub]]></category>
		<category><![CDATA[Google]]></category>
		<category><![CDATA[Intelligence]]></category>
		<category><![CDATA[language]]></category>
		<category><![CDATA[Law enforcement]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[MacOS]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[means]]></category>
		<category><![CDATA[meta]]></category>
		<category><![CDATA[Nodejs]]></category>
		<category><![CDATA[Open]]></category>
		<category><![CDATA[Operations]]></category>
		<category><![CDATA[Popular]]></category>
		<category><![CDATA[Programming]]></category>
		<category><![CDATA[Python]]></category>
		<category><![CDATA[russia]]></category>
		<category><![CDATA[secure]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[supply chain]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[Threat Hunting & Intel]]></category>
		<category><![CDATA[WHO]]></category>
		<category><![CDATA[Windows]]></category>
		<guid isPermaLink="false">https://massive.news/disrupting-glassworm-inside-crowdstrikes-takedown-of-a-developer-targeting-botnet-2/</guid>

					<description><![CDATA[<p>On May 26, 2026, at 14:00 UTC, the CrowdStrike Counter Adversary Operations team executed a coordinated...</p>
<p>The post <a href="https://massive.news/disrupting-glassworm-inside-crowdstrikes-takedown-of-a-developer-targeting-botnet-2/">Disrupting Glassworm: Inside CrowdStrike&rsquo;s Takedown of a Developer-Targeting Botnet</a> appeared first on <a href="https://massive.news">MASSIVE News</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>On May 26, 2026, at 14:00 UTC, the CrowdStrike Counter Adversary Operations team executed a coordinated takedown of the Glassworm botnet, a global threat targeting software developers through the open-source supply chain. In collaboration with Google and the Shadowserver Foundation, we struck all four of Glassworm&#8217;s command-and-control (C2) channels simultaneously, severing the operators from their infected machines and their ability to deliver new malicious payloads.</p>
<p>This takedown matters beyond the botnet. Glassworm marked a significant shift in the threat landscape that should serve as a wake-up call for every organization that ships or consumes software. Adversaries are no longer just targeting products, they&#8217;re targeting the developers who build them.</p>
<h2>The Threat: Targeting Developers</h2>
<p>Since at least early 2025, Glassworm operators have systematically targeted software developers, a population with access to source code repositories, cloud platforms, CI/CD pipelines, and package registries. Developers represent uniquely high-value targets: compromising a single developer&#8217;s workstation can cascade into a supply-chain compromise that impacts thousands of downstream organizations and users.</p>
<p><img decoding="async" src="https://massive.news/wp-content/uploads/2026/05/disrupting-glassworm-inside-crowdstrikes-takedown-of-a-developer-targeting-botnet.png"></p>
<p>Glassworm&#8217;s operators exploited this reality with a multi-pronged campaign:</p>
<ul>
<li><b>Trojanized VSCode extensions</b> were published to the OpenVSX marketplace, disguised as popular tools like time trackers and code formatters. The malicious extensions targeted not only VSCode but also Cursor, Positron, Windsurf, VSCodium, and more.</li>
<li><b>Compromised npm and Python packages</b> introduced malicious code through postinstall hooks and setup scripts — executing silently during routine dependency installation.</li>
<li><b>More than 300 GitHub repositories</b> were poisoned using stolen developer credentials harvested from earlier Glassworm infections, with malicious code force-pushed into default branches.</li>
</ul>
<p>This cross-platform operation affected Windows, macOS, and Linux systems, with capabilities spanning information theft, credential harvesting, and a full-featured Node.js remote access tool dubbed GlasswormRAT.</p>
<h2>A Coordinated Disruption</h2>
<p>Glassworm&#8217;s operators built their infrastructure for resilience. The botnet&#8217;s C2 architecture relied on four distinct channels designed to resist traditional takedown efforts:</p>
<ol>
<li>
<p><b>Solana blockchain</b>: C2 server addresses are encoded in the memo fields of blockchain transactions, creating an immutable, publicly accessible dead-drop that cannot be taken offline through conventional means.</p>
</li>
<li>
<p><b>BitTorrent Distributed Hash Table (DHT)</b>: The GlasswormRAT queries the BitTorrent peer-to-peer network for configuration data stored against hardcoded public keys, leveraging a global decentralized network with no single point of failure.</p>
</li>
<li>
<p><b>Public calendar service</b>: Glassworm uses Google Calendar event titles as dead-drop locations for Base64-encoded C2 paths.</p>
</li>
<li>
<p><b>Direct server connections</b>: Traditional C2 infrastructure hosted on commercial VPS providers served as the final payload delivery mechanism.</p>
</li>
</ol>
<p>The combination of blockchain, peer-to-peer, and legitimate web services as resolution layers was designed to be resilient against takedowns — a dynamic front protecting the actual C2 servers behind multiple layers of indirection.</p>
<p><img decoding="async" src="https://massive.news/wp-content/uploads/2026/05/disrupting-glassworm-inside-crowdstrikes-takedown-of-a-developer-targeting-botnet-2.png"></p>
<p>Disrupting this architecture required precision and timing. Taking down only one channel would have left the others operational, allowing the operators to quickly reconstitute. All four channels had to be disrupted simultaneously in a coordinated effort. As a result, infected machines can no longer receive new instructions or payloads.</p>
<h2>The Example This Sets</h2>
<p>The Glassworm takedown sets a model for how the security community must approach supply-chain threats going forward.</p>
<p>The operators behind Glassworm are well-resourced and persistent. Over the course of more than a year, they continuously evolved: adopting new programming languages (from JavaScript to Rust to Zig), expanding across package ecosystems (VSCode, npm, PyPI, GitHub), and building redundant infrastructure designed to survive takedown attempts. Left unchecked, their access to developer credentials and systems posed ongoing risk of high-impact supply-chain compromises affecting organizations far beyond the initially infected developers.</p>
<p>The criminals are likely based in Russia. The evidence is classic: the malware checks the victim&#8217;s locale, language settings, and timezone at runtime, and quietly exits if it determines the machine is in a CIS country, a well-known tactic among cybercriminals in the region who avoid targeting systems close to home. Russian-language comments appear throughout the source code. No single indicator is proof on its own — locale checks can be copied, and code comments may reflect AI tooling rather than a native speaker — but the pattern is clear and consistent across more than a year of observed activity.</p>
<p>This case demonstrates:</p>
<ul>
<li><b>Proactive disruption of cyber threats is achievable</b>, even against infrastructure deliberately designed for resilience.</li>
<li><b>Precision strikes can cripple criminal operations</b> without requiring years of judicial process, by targeting the technical dependencies that adversaries cannot easily replace.</li>
<li><b>Cross-sector collaboration works.</b> Combining threat intelligence from private industry with law enforcement authority and platform cooperation from technology companies creates the conditions for decisive action.</li>
<li><b>Disruption liberates victims.</b> By severing command-and-control, infected machines are freed from adversary control, giving organizations the window they need to detect and remediate compromises.</li>
</ul>
<h2>How to Identify Infections</h2>
<p>To help organizations determine whether they have been affected by Glassworm, we are sharing a key network indicator: All Glassworm-infected machines now beacon to the benign CrowdStrike-operated IP address <code>164.92.88[.]210</code>. Organizations should review network logs and endpoint telemetry for connections to this address. Any match indicates a Glassworm infection that requires immediate remediation. The following YARA rules can be used to confirm infections on identified hosts:</p>
<pre>
<code>rule CrowdStrike_GlasswormRat_01 : glassworm glasswormrat
{
    meta:
        copyright = "(c) 2026 CrowdStrike Inc."
        description = "Characteristic strings in Glassworm's RAT script"
        last_modified = "2026-03-23"
        malware_family = "GlasswormRAT"
    strings:
        $download = "DownloadManager" ascii
        $socks = "start_socks" ascii
        $nodejs = "https://nodejs.org/download/release" ascii
        $dht = "bootstrap" ascii
    condition:
        all of them
}

rule CrowdStrike_GlasswormDownloader_01 : glassworm
{
    meta:
        copyright = "(c) 2026 CrowdStrike Inc."
        description = "Characteristic strings in the obfuscated python installer Glassworm variant"
        last_modified = "2026-03-13"
        malware_family = "Glassworm"
    strings:
        $zlib = "__import__('zlib')" ascii
        $decomp = "decompress(" ascii
        $lambda = "lambda" ascii
        // parentheses are regex metacharacters in YARA, so they are escaped
        // to match the literal exec(compile(...)) call in the installer
        $exec = /exec\(compile\(.{5,20}, '&lt;&gt;', 'exec'\)\)/
    condition:
        all of them and filesize &lt; 10KB
}</code>
</pre>
<h2>Detection Alone Is Not Enough</h2>
<p>The scope of Glassworm&#8217;s campaign illustrates a hard truth about the state of software supply-chain security: <i><b>Defending against these threats through after-the-fact detection alone is virtually impossible.</b></i> Malicious packages are installed through dependency updates in seconds, and detections usually happen when the harm is already done.</p>
<p>There are dozens of package ecosystems — npm, PyPI, OpenVSX, GitHub repositories — each with millions of packages and limited built-in security controls. Attackers can publish malicious code and reach thousands of victims within minutes. The Glassworm operators cycled through these package ecosystems while maintaining consistent access to developer machines.</p>
<p>This is why efforts to secure the software supply chain must be combined with a more aggressive posture against already established threats. This requires going beyond detection to actively dismantle the infrastructure that threats like Glassworm depend on.</p>
<h2>Conclusion</h2>
<p>This type of supply chain attack seeks maximum scale, minimum effort, and stealth. The software supply chain remains one of the most consequential attack surfaces in modern computing. Adversaries are turning an organization&#8217;s dependencies on tools, updates, and libraries into weaponized delivery mechanisms and force multipliers. The barrier to poisoning a package or extension is low; the potential blast radius is enormous. As long as developer environments, build pipelines, and code repositories remain under-protected, every organization that consumes software inherits the risk of everyone who produces it. Glassworm demonstrates that attackers know this and are investing in resilient infrastructure to maintain persistent access to developer ecosystems.</p>
<p>The security community — vendors, law enforcement agencies, platform operators, and the open-source ecosystem — must respond with equal determination. We need more operations and coordinated disruptions like this one. CrowdStrike is committed to taking the fight to the adversaries.</p>
<p>The post <a href="https://massive.news/disrupting-glassworm-inside-crowdstrikes-takedown-of-a-developer-targeting-botnet-2/">Disrupting Glassworm: Inside CrowdStrike&rsquo;s Takedown of a Developer-Targeting Botnet</a> appeared first on <a href="https://massive.news">MASSIVE News</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
