Security | 4 min read | The Hacker News

GlassWorm Malware Uses Solana Dead Drops to Deliver RAT and Steal Browser, Crypto Data

By the Pixelift editorial team

Photo: The Hacker News

Hackers are utilizing the Solana network as a "dead drop" infrastructure to distribute GlassWorm malware, representing a novel approach to bypassing traditional network security. Attackers embed the malware's instructions directly in transaction metadata on the public blockchain, so that to security systems the traffic looks like legitimate cryptocurrency activity. This sophisticated Remote Access Trojan (RAT) is designed for the precise theft of data from web browsers and the hijacking of users' cryptocurrency wallets. For the global creative and technological community, this necessitates a revision of trust in Web3 technology, which is becoming a new testing ground for cybercriminals. Traditional VPN-based solutions are proving insufficient against threats hidden in decentralized networks, forcing a transition to a Zero Trust Network Access (ZTNA) architecture. Instead of relying on verification at the network perimeter, organizations must enforce strict policies that connect users directly to individual applications, removing an intruder's ability to move freely within the system. Effective protection of digital assets today requires treating every connection, even one originating from a popular blockchain, as a potential attack vector.

Cybercriminals have found a new, sophisticated way to hide their infrastructure from the eyes of security researchers by utilizing public blockchain networks. The latest evolution of the campaign known as GlassWorm demonstrates how traditional infection techniques merge with modern Web3 technologies to create a multi-stage data theft process. Attackers use the Solana network as a "dead drop"—a silent contact point used to securely relay instructions and Command and Control (C2) server addresses to infected machines.

The GlassWorm operational mechanism is precise and geared toward maximum effectiveness in both corporate and private environments. Instead of relying on static IP addresses that are easily blocked at the firewall level, the malware reads data stored in transactions on the Solana blockchain. This makes the control infrastructure highly resilient to takedown attempts by law enforcement, since removing data from a public blockchain is virtually impossible. The approach also lets the attackers update campaign parameters dynamically without modifying the malware code itself.
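The dead-drop lookups described above leave one observable trace on the endpoint: some process has to query a Solana RPC node for transaction data, and it has to do so repeatedly to pick up updated instructions. The following Python script is an added example, not code from The Hacker News or from the GlassWorm research. It runs a simple detection over constructed EDR-style network events, flagging any process outside a wallet allowlist that talks to a Solana RPC host and raising the severity when the process polls repeatedly or uses the transaction-lookup methods a dead-drop reader needs. api.mainnet-beta.solana.com is the well-known public Solana endpoint; the second hostname, the process names, the allowlist and the event format are constructed assumptions.

```python
import json
from collections import defaultdict

# Hostnames of Solana JSON-RPC endpoints. api.mainnet-beta.solana.com is the
# public endpoint; the second entry is a constructed placeholder standing in
# for a commercial RPC provider your environment may see.
SOLANA_RPC_HOSTS = (
    "api.mainnet-beta.solana.com",
    "rpc.solana-provider.example",  # constructed placeholder
)

# Processes that legitimately talk to the chain (constructed allowlist; in a
# real deployment this comes from your software inventory).
ALLOWED_PROCESSES = {"phantom-wallet.exe"}

# JSON-RPC methods a dead-drop reader needs to pull transaction data for an
# attacker-controlled address. Wallets use these too, which is why the
# process allowlist above matters.
DEAD_DROP_METHODS = {"getSignaturesForAddress", "getTransaction"}

# Constructed EDR-style network events: one JSON object per line.
SAMPLE_EVENTS = """\
{"ts":"2024-06-01T09:00:00Z","proc":"chrome.exe","host":"docs.google.com","rpc":null}
{"ts":"2024-06-01T09:00:05Z","proc":"chrome.exe","host":"api.mainnet-beta.solana.com","rpc":"getSignaturesForAddress"}
{"ts":"2024-06-01T09:00:06Z","proc":"chrome.exe","host":"api.mainnet-beta.solana.com","rpc":"getTransaction"}
{"ts":"2024-06-01T09:05:05Z","proc":"chrome.exe","host":"api.mainnet-beta.solana.com","rpc":"getSignaturesForAddress"}
{"ts":"2024-06-01T09:10:05Z","proc":"chrome.exe","host":"api.mainnet-beta.solana.com","rpc":"getSignaturesForAddress"}
{"ts":"2024-06-01T09:01:00Z","proc":"phantom-wallet.exe","host":"api.mainnet-beta.solana.com","rpc":"getBalance"}
{"ts":"2024-06-01T09:02:00Z","proc":"python.exe","host":"rpc.solana-provider.example","rpc":"getHealth"}
"""


def parse_events(text):
    """Parse JSON-lines network events into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_dead_drop_readers(events, min_polls=3):
    """Return findings for non-allowlisted processes querying Solana RPC nodes.

    Severity is 'high' when the process polls repeatedly (beacon-like) or
    uses the transaction-lookup methods a dead-drop reader needs; otherwise
    'low', which still merits a look because the process is not a known wallet.
    """
    per_proc = defaultdict(lambda: {"count": 0, "methods": set(), "hosts": set()})
    for ev in events:
        if ev["host"] not in SOLANA_RPC_HOSTS or ev["proc"] in ALLOWED_PROCESSES:
            continue
        rec = per_proc[ev["proc"]]
        rec["count"] += 1
        rec["hosts"].add(ev["host"])
        if ev.get("rpc"):
            rec["methods"].add(ev["rpc"])

    findings = []
    for proc, rec in per_proc.items():
        suspicious = rec["methods"] & DEAD_DROP_METHODS
        severity = "high" if (rec["count"] >= min_polls or suspicious) else "low"
        findings.append({
            "process": proc,
            "severity": severity,
            "queries": rec["count"],
            "dead_drop_methods": sorted(suspicious),
            "hosts": sorted(rec["hosts"]),
        })
    return sorted(findings, key=lambda f: f["process"])


if __name__ == "__main__":
    for finding in find_dead_drop_readers(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

On the constructed events, the browser process is reported as high severity (four queries, two of them transaction lookups) while the allowlisted wallet is ignored and the lone health check from a script is reported as low. The allowlist and the poll threshold are the two knobs to tune: a browser or an office-suite extension host has no business reading Solana transactions, whereas a trading desk's tooling might.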

The Illusion of Productivity: Fake Google Docs

A key element of the GlassWorm arsenal is a malicious extension for the Google Chrome browser that poses as an official, offline version of Google Docs. The user, convinced they are installing a useful office tool, actually introduces an advanced Remote Access Trojan (RAT) into their system. This extension runs in the background, integrating deeply with browser processes and monitoring nearly every activity of the victim.

Figure: Cyber threat analysis. Modern malware campaigns utilize trusted platforms to mask malicious activity.

The capabilities of this tool are terrifyingly broad. According to researchers, GlassWorm can record every keystroke (keylogging), allowing it to capture passwords entered on any website. Furthermore, the malware takes screenshots at critical moments and steals cookies and session tokens. The latter is particularly dangerous as it allows attackers to hijack active sessions in online banking or cloud services without needing to provide a password or pass through two-factor authentication (2FA).

Targeting Cryptocurrencies and Browser Data

In the era of digital finance, GlassWorm is not limited to traditional login data. The campaign shows a strong focus on stealing cryptocurrency assets. The malware searches local system files for private keys, mnemonic phrases, and data from wallets installed as browser plugins. The combination of stealing data from Google Chrome and monitoring the system clipboard means that every crypto transaction performed on an infected computer carries an enormous risk.

The multi-stage GlassWorm framework allows for the installation of additional modules depending on what the attackers find on the victim's computer. If the system turns out to be part of a corporate network, the RAT can serve as a foothold for further penetration of the company's infrastructure. Utilizing lateral movement techniques—moving within the network—becomes significantly easier when the attacker has full remote access and a set of stolen administrator credentials.

Figure: Network security and ZTNA. Transitioning to a Zero Trust architecture is becoming a necessity in the face of advanced RAT threats.

The capabilities attributed to GlassWorm include:
  • Credential Theft: Capturing logins and passwords directly from browser forms.
  • Session Exfiltration: Copying session tokens to bypass MFA mechanisms.
  • Visual Monitoring: Regularly taking screenshots of the desktop and application windows.
  • Web3 Attacks: Specialized modules for detecting and emptying cryptocurrency wallets.

From VPN to Zero Trust Architecture

Traditional access security methods, such as standard VPN connections, are proving insufficient against GlassWorm-class threats. When an endpoint device is infected with a RAT, a secure VPN tunnel can actually become a highway for the attacker, allowing them to move freely through company resources. The answer to this escalation is modernizing the security approach and implementing a Zero Trust Network Access (ZTNA) model.

Instead of trusting every device inside the network, ZTNA assumes that every connection must be verified based on user identity, device health, and the context of the access attempt. Connecting users directly to specific applications rather than the entire network effectively eliminates the possibility of lateral movement. In the context of campaigns like GlassWorm, where malware masks itself as legitimate office software, restrictive application control and constant monitoring for traffic anomalies to unusual endpoints (like Solana network nodes) become a critical line of defense.
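To make the verification model concrete, here is an added Python example (not code from the article or from any ZTNA vendor) of the decision a ZTNA policy point makes for a single access request: it checks the user's entitlement to one specific application, the device's health as reported by device management (including which browser extensions are installed, since the campaign above rides in on a fake office extension), and the context of the attempt, and returns allow, step-up or deny. The application names, group names, approved-extension list, posture fields and the sideloaded extension name used in the comments are constructed assumptions.

```python
from dataclasses import dataclass

# Browser extensions the organization has approved (constructed allowlist of
# extension names; a real policy would key on extension ids from the MDM).
APPROVED_EXTENSIONS = {"corporate-sso-helper"}


@dataclass(frozen=True)
class DevicePosture:
    edr_running: bool
    disk_encrypted: bool
    os_patched: bool
    extensions: tuple = ()  # installed browser extensions reported by MDM


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    device: DevicePosture
    app: str
    mfa_verified: bool
    known_device: bool  # device previously enrolled for this user


# Per-application policy (constructed). Entitlements are granted to an
# application, never to a network segment, so an endpoint that passes the
# checks still reaches only the apps its user is entitled to.
APP_POLICIES = {
    "payroll": {"groups": {"finance"}, "require_mfa": True},
    "wiki": {"groups": {"staff"}, "require_mfa": False},
}


def evaluate(req):
    """Return (decision, reasons), where decision is 'allow', 'step_up' or 'deny'."""
    policy = APP_POLICIES.get(req.app)
    if policy is None:
        return "deny", ["unknown application"]

    reasons = []
    # 1. Identity: is this user entitled to this specific application?
    if not (req.groups & policy["groups"]):
        reasons.append(f"{req.user} not entitled to {req.app}")

    # 2. Device health: an unmanaged or compromised endpoint fails here
    #    regardless of who is logged in and whether the password was right.
    d = req.device
    if not d.edr_running:
        reasons.append("endpoint protection not running")
    if not d.disk_encrypted:
        reasons.append("disk not encrypted")
    if not d.os_patched:
        reasons.append("OS missing required patches")
    unapproved = sorted(set(d.extensions) - APPROVED_EXTENSIONS)
    if unapproved:
        reasons.append("unapproved browser extensions: " + ", ".join(unapproved))
    if reasons:
        return "deny", reasons

    # 3. Context: sensitive apps require MFA, and an unrecognised device must
    #    step up even when identity and posture look fine.
    if policy["require_mfa"] and not req.mfa_verified:
        return "step_up", ["MFA required for " + req.app]
    if not req.known_device:
        return "step_up", ["unenrolled device; re-verify identity"]
    return "allow", []


if __name__ == "__main__":
    healthy = DevicePosture(True, True, True, ("corporate-sso-helper",))
    # Constructed: the same device after a sideloaded "offline docs" extension appeared.
    suspect = DevicePosture(True, True, True, ("corporate-sso-helper", "google-docs-offline-sideload"))
    for req in (
        AccessRequest("alice", frozenset({"finance", "staff"}), healthy, "payroll", True, True),
        AccessRequest("alice", frozenset({"finance", "staff"}), suspect, "payroll", True, True),
        AccessRequest("bob", frozenset({"staff"}), healthy, "payroll", True, True),
    ):
        print(req.user, req.app, evaluate(req))
```

The order of the checks is deliberate: entitlement and device health are evaluated before any step-up is offered, so a user on a device carrying an unapproved extension is denied outright rather than being prompted for a second factor that a RAT with session-token access could replay. Each decision is scoped to one application, which is what removes the lateral movement that a full-tunnel VPN would otherwise permit.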

Defense strategies today must evolve faster than hacker methods. The use of Solana dead drops shows that the line between financial technologies and cybercriminal tools is completely blurring. Companies that do not move away from outdated perimeter-based models will be exposed to losses that no standard insurance policy can repair. The future of data protection lies in the total abandonment of default trust in favor of granular access and continuous authorization of every process in the system.
