
GlassWorm Evolves: Blockchain as a Covert Command Channel
Cybersecurity researchers have identified a significant evolution in the GlassWorm malware campaign, one that signals a troubling new trend in how threat actors obscure their infrastructure. According to reporting from The Hacker News, GlassWorm now leverages the Solana blockchain as a so-called "dead drop" — a technique borrowed from traditional espionage tradecraft — to host and retrieve attacker-controlled command-and-control (C2) data without relying on conventional infrastructure that defenders can easily block or take down.
In practice, this means GlassWorm encodes configuration or payload delivery instructions directly into Solana blockchain transactions or account data. Because blockchain records are immutable and publicly accessible, the malware can retrieve attacker instructions at any time without needing to contact a dedicated C2 server. From a defender's standpoint, this is deeply problematic: you cannot take down a Solana transaction the way you can seize a domain or null-route an IP address.
The multi-stage framework itself is comprehensive in scope. Once a foothold is established, GlassWorm deploys a remote access trojan (RAT) capable of full system compromise, and then drops a malicious Google Chrome extension that masquerades as an offline version of Google Docs. This extension is the silent workhorse of the operation — it logs keystrokes in real time, dumps cookies and active session tokens, captures screenshots, and targets cryptocurrency wallet data stored within the browser environment. The combination of persistence, stealth, and data coverage makes this one of the more capable infostealer frameworks observed in 2026 to date.
Why Blockchain Dead Drops Change the Threat Landscape
Using blockchain networks as passive data repositories for malware operations is not entirely new — threat actors have experimented with Bitcoin and Ethereum in the past — but Solana's high transaction throughput and negligible fees make it a more practical and scalable option for operationalizing this technique. The speed at which transactions confirm on Solana means that attackers can update their dead drop instructions rapidly, effectively rotating payload configurations or switching targets with minimal overhead.
From a detection standpoint, outbound traffic to blockchain RPC endpoints or public Solana API nodes looks identical to legitimate Web3 application traffic. Organizations that have not specifically instrumented their network monitoring to flag or scrutinize such connections are, in effect, blind to this covert channel. Traditional indicators of compromise — malicious domains, known bad IP ranges, suspicious DNS lookups — simply do not apply here in the conventional sense.
The malicious Chrome extension component deserves particular attention. Enterprise environments that allow employees to install browser extensions without IT vetting are especially exposed. An extension that impersonates a productivity tool like Google Docs is designed to exploit exactly the kind of low-scrutiny trust that browser extensions typically receive from end users. Once installed, the extension operates with persistent access to every authenticated session the browser touches — banking portals, SaaS platforms, internal tools, and cryptocurrency exchanges alike.
The crypto theft angle also cannot be dismissed as niche. With more organizations and finance teams holding or transacting in digital assets as part of treasury operations or vendor payments, the exposure to browser-resident crypto wallet theft has expanded well beyond individual retail investors.
Key Takeaway
GlassWorm's use of the Solana blockchain as a command channel means traditional C2 blocking and domain takedowns are ineffective against this threat. Organizations must prioritize browser extension governance, session token protection, and network monitoring for blockchain API traffic to defend against this new class of malware delivery.
What This Means For Your Business
The GlassWorm campaign is a clear signal that threat actors are actively engineering around the defenses that most organizations have invested in. If your security posture is built primarily around blocking known-bad domains and IP addresses, you have a meaningful gap when it comes to blockchain-assisted malware delivery. Here is what we recommend organizations prioritize in light of this threat:
- Audit and restrict browser extensions: Implement an allowlist policy for browser extensions across managed devices. Extensions should require IT or security team approval before installation. Tools like Google Chrome's ExtensionSettings policy or equivalent controls in your MDM can enforce this at scale. An extension impersonating Google Docs should never reach an end-user's browser in a managed environment.
- Monitor for anomalous blockchain API traffic: Review your proxy and firewall logs for connections to Solana RPC endpoints and public blockchain APIs (such as api.mainnet-beta.solana.com). While this traffic may be legitimate in some organizations, unexpected or high-frequency calls from endpoints that have no business reason to interact with blockchain infrastructure warrant investigation.
- Enforce session token hygiene: Stolen session tokens allow attackers to bypass multi-factor authentication entirely by replaying authenticated sessions. Short-lived tokens, continuous session validation checks, and device-bound session policies significantly reduce the window of exploitation after a theft event.
- Deploy endpoint detection with behavioral analysis: Signature-based detection will not catch novel GlassWorm variants before they are catalogued. Behavioral EDR solutions that flag unusual keystroke logging activity, unexpected screenshot capture, or browser process injection are your most reliable early-warning layer against this type of threat.
- Educate employees on extension-based phishing: Users who understand that a legitimate productivity tool will never suddenly prompt them to install a browser extension — especially one presented as an "offline" version of a cloud-native app — are meaningfully harder to compromise. Include browser extension social engineering scenarios in your security awareness training.
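The monitoring recommendation above can be turned into a simple triage check. The following is an added example, not code from the original article or from any vendor: it scans proxy log lines for connections to Solana RPC endpoints, skips hosts with an approved business reason, and flags the rest once they cross a frequency threshold. The log format, the internal IP addresses, the approved-host list, the threshold and the hostname pattern beyond api.mainnet-beta.solana.com are all constructed assumptions.

```python
import re
from collections import Counter
from typing import Dict

# Hostname pattern for Solana RPC endpoints. The page names
# api.mainnet-beta.solana.com; the devnet/testnet variants are an assumption
# and should be tuned to what your environment actually sees.
SOLANA_RPC_PATTERN = re.compile(
    r"(^|\.)(api\.)?(mainnet-beta|devnet|testnet)\.solana\.com$"
)

# Internal hosts with a documented business reason to talk to blockchain
# infrastructure (assumed, e.g. a treasury team's Web3 workstation).
APPROVED_HOSTS = {"10.0.5.20"}

# Constructed proxy log format: "<timestamp> <src_ip> <method> <dest_host> <status>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Constructed sample log: one unapproved host polling the RPC endpoint
# repeatedly, one approved host doing the same, one host with a single call,
# and one malformed line that must not abort the scan.
SAMPLE_LOG = """\
2026-03-01T09:00:01Z 10.0.1.15 CONNECT docs.google.com 200
2026-03-01T09:00:04Z 10.0.1.15 CONNECT api.mainnet-beta.solana.com 200
2026-03-01T09:00:09Z 10.0.5.20 CONNECT api.mainnet-beta.solana.com 200
2026-03-01T09:00:11Z 10.0.1.15 CONNECT api.mainnet-beta.solana.com 200
2026-03-01T09:00:15Z 10.0.2.7 CONNECT rpc.mainnet-beta.solana.com 200
2026-03-01T09:00:18Z 10.0.5.20 CONNECT api.mainnet-beta.solana.com 200
2026-03-01T09:00:22Z 10.0.1.15 CONNECT api.mainnet-beta.solana.com 200
malformed line that should be skipped
2026-03-01T09:00:30Z 10.0.1.15 CONNECT api.mainnet-beta.solana.com 200
2026-03-01T09:00:31Z 10.0.5.20 CONNECT api.mainnet-beta.solana.com 200
"""


def is_solana_rpc(host: str) -> bool:
    """True if the destination hostname looks like a Solana RPC endpoint."""
    return bool(SOLANA_RPC_PATTERN.search(host.lower()))


def flag_hosts(log_text: str, threshold: int = 3) -> Dict[str, int]:
    """Return {src_ip: count} for unapproved hosts with >= threshold RPC calls."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip malformed lines instead of failing the whole scan
        _ts, src_ip, _method, dest_host, _status = match.groups()
        if is_solana_rpc(dest_host):
            counts[src_ip] += 1
    return {ip: n for ip, n in counts.items()
            if n >= threshold and ip not in APPROVED_HOSTS}


if __name__ == "__main__":
    for ip, n in flag_hosts(SAMPLE_LOG).items():
        print(f"investigate {ip}: {n} Solana RPC connections")
```

Hosts that are flagged are candidates for investigation, not confirmed infections; the threshold and approved list are where the tuning effort goes in a real deployment.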
GlassWorm is a reminder that the infrastructure underpinning the internet is increasingly dual-use. Decentralized, censorship-resistant platforms designed to empower users also empower adversaries. The organizations that adapt their detection strategies to account for this reality will be far better positioned to contain the next wave of campaigns that follow this playbook.