GlassWorm Malware Uses Solana Blockchain Dead Drops to Deliver RAT and Steal Browser & Crypto Data
- GlassWorm is a newly identified malware family that abuses the Solana blockchain as a "dead drop" (a covert channel used to pass instructions without direct contact) to deliver a Remote Access Trojan (RAT) to infected machines.
- Once installed, the RAT harvests saved browser credentials, session cookies, and cryptocurrency wallet data — targeting both individuals and small businesses.
- Because the command infrastructure is hosted on a public, censorship-resistant blockchain, traditional domain-blocking and IP-blocking defenses largely fail against this campaign.
- Applying cybersecurity best practices — including endpoint detection, browser hardening, and hardware wallet use — significantly reduces your exposure to this threat.
What Happened
Security researchers disclosed GlassWorm in March 2026, marking one of the first documented cases of a threat actor embedding malware command-and-control (C2) instructions directly inside Solana blockchain transactions. Here's what that means in plain terms: instead of pointing infected computers to a website or server that defenders can take down, GlassWorm's operators write their instructions into the permanent, public ledger of the Solana network. The malware reads those transactions like reading a message left in a public park — a technique intelligence agencies call a "dead drop."
The infection chain typically begins with a phishing email or a trojanized (secretly modified) software installer, often disguised as a legitimate crypto trading tool or browser extension. Once executed, the dropper (the initial malicious file that installs further payloads) queries specific Solana wallet addresses for encoded instructions, then downloads and runs a full-featured RAT — a Remote Access Trojan that gives attackers live control over the victim's computer.
From there, GlassWorm systematically harvests saved passwords, autofill data, browser session tokens (digital keys that keep you logged in to websites), and the private keys or seed phrases stored by software cryptocurrency wallets such as MetaMask, Phantom, and Exodus. Stolen data is exfiltrated (quietly sent out) to attacker-controlled servers, with the blockchain acting as a near-invisible coordination layer throughout. The campaign was active as of late March 2026, with victims observed across North America, Western Europe, and Southeast Asia.
Why It Matters for Your Organization's Security
GlassWorm's abuse of Solana is not just a clever trick — it represents a structural shift in how sophisticated malware evades detection, and it has direct implications for every organization that handles browser-based applications, SaaS logins, or digital assets.
Traditional defenses have a blind spot. Most corporate firewalls and DNS filtering tools block known malicious domains and IP addresses. GlassWorm sidesteps this entirely. The Solana blockchain is a legitimate, globally distributed public network. Blocking it would also break access to any decentralized finance (DeFi) application, NFT marketplace, or Web3 tool your employees or customers might use. Threat intelligence feeds that rely on domain reputation scores and IP blacklists will not flag a Solana RPC (Remote Procedure Call — the technical interface used to query the blockchain) endpoint as malicious, because it isn't one in isolation.
The browser is the new perimeter. Modern work happens inside browsers. Saved credentials, OAuth tokens (login shortcuts used by Google, Microsoft, and Slack sign-ins), and session cookies represent the keys to your entire SaaS stack. According to industry data from 2025, over 80 percent of data breaches involve compromised credentials. GlassWorm is specifically engineered to vacuum up exactly this category of data. A single infected employee laptop could hand attackers access to your company's cloud storage, HR platform, financial tools, and communication channels — all without triggering a traditional password reset alert, because the attacker is using a valid, stolen session token rather than guessing a password.
Cryptocurrency exposure is a business risk, not just a personal one. Small businesses increasingly hold crypto assets for payroll, vendor payments, or treasury diversification. GlassWorm targets software wallets aggressively. Unlike a compromised bank account, a drained crypto wallet has no fraud reversal mechanism. This makes data protection for digital assets a financial continuity issue, not just an IT concern.
Incident response complexity increases. When C2 communications flow through a public blockchain rather than a private server, forensic investigators face a harder task attributing attacks and fully scoping the breach. Standard network log analysis may show only outbound connections to legitimate Solana nodes, masking the true nature of the compromise. Organizations without mature incident response playbooks — documented step-by-step plans for handling a breach — will struggle to determine what was taken, when, and by whom.
Security awareness training becomes critical here: employees who recognize the warning signs of a trojanized installer or a suspicious browser extension prompt are the first line of defense against an attack that technical controls alone may not stop. Reinforcing cybersecurity best practices at the human layer is not optional when the technical layer is being deliberately circumvented.
The AI Angle
The emergence of GlassWorm underscores why AI-powered threat intelligence platforms are becoming essential rather than aspirational. Because GlassWorm's C2 traffic blends into legitimate blockchain activity, signature-based detection tools (antivirus programs that match known malware patterns) are largely ineffective on their own. This is precisely the gap that behavioral AI fills.
Tools like CrowdStrike Falcon and SentinelOne Singularity use machine learning models trained on billions of process events to flag anomalous behavior — such as a browser process that suddenly begins querying blockchain RPC endpoints, or an application spawning child processes (launching sub-programs) that reach out to file-sharing services at odd hours. These platforms correlate weak signals across endpoints that a human analyst would likely miss in real time.
AI-driven data protection layers can also monitor for credential exfiltration patterns — unusually large encrypted uploads, new outbound connections to infrastructure in unexpected regions — and trigger automated containment before attackers can fully monetize stolen data. Organizations that integrate AI-assisted detection with their incident response workflows are significantly better positioned to detect GlassWorm-style campaigns early, when damage is still limited.
What Should You Do? 3 Action Steps
Audit every browser profile on managed endpoints and remove saved passwords, replacing them with an enterprise password manager (such as 1Password Business or Bitwarden Teams) that stores credentials in an encrypted vault rather than in the browser. Enable hardware-bound passkeys wherever supported — these cannot be stolen by a RAT because they never leave the physical device. As a cybersecurity best practice, push browser policies via Group Policy or MDM (Mobile Device Management) to prevent installation of unauthorized extensions, which are a common GlassWorm delivery vector. Separately, move any business cryptocurrency holdings off software wallets and onto hardware wallets such as Ledger or Trezor, whose private keys are stored in isolated secure chips that remote malware cannot reach.
If you are still relying solely on traditional antivirus, GlassWorm is a wake-up call. Deploy an Endpoint Detection and Response (EDR) solution — a security tool that records detailed process and network activity on each device and uses behavioral analysis to catch threats that match no known signature. Subscribe to at least one threat intelligence feed (structured data about active threats, indicators of compromise, and attacker tactics) and configure your EDR to automatically block connections to Solana RPC endpoints from non-approved applications. Incorporate GlassWorm's known indicators of compromise — specific file hashes, registry keys, and Solana wallet addresses used as dead drops — into your detection rules as they are published by your security vendor or by community sources like VirusTotal and MISP.
Review your existing incident response playbook and add a specific scenario for blockchain-assisted malware. This means training your security team to query Solana transaction history for known malicious wallet addresses, to treat all outbound RPC traffic from non-Web3 applications as suspicious, and to immediately revoke and rotate all browser-stored session tokens on any device suspected of compromise — not just passwords. Conduct a tabletop exercise (a simulated walkthrough of how your team would respond to a breach) covering a GlassWorm-style infection to find gaps before a real attacker does. Pair this with renewed security awareness training for all staff, emphasizing the risks of installing unverified software and the importance of reporting unusual browser behavior promptly. Strong data protection outcomes depend on fast detection and a pre-rehearsed response — not improvisation under pressure.
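As an added detection example (not code from the article or from any vendor), the rule below sketches the last two steps: it inspects constructed EDR-style network events for Solana JSON-RPC reads from applications outside an assumed allow list and escalates when the queried address matches a placeholder dead-drop indicator. The allow list, the placeholder address and the sample events are assumptions; api.mainnet-beta.solana.com and the RPC method names are real.

```python
import json

# Assumption: organisation-specific allow list of applications permitted to
# talk to Solana RPC endpoints (illustrative names, not from the article).
APPROVED_PROCESSES = {"phantom.exe", "solana-cli"}
# The Solana Foundation's public mainnet RPC host; add your provider hosts here.
SOLANA_RPC_HOSTS = {"api.mainnet-beta.solana.com"}
# Real Solana JSON-RPC methods a client uses to read on-chain data by address.
READ_METHODS = {"getSignaturesForAddress", "getTransaction", "getAccountInfo"}
# Constructed placeholder for a vendor-published dead-drop wallet indicator.
DEAD_DROP_ADDRESSES = {"PLACEHOLDER_DEAD_DROP_WALLET_ADDRESS"}


def inspect_event(event):
    """Return an alert dict for one network event, or None if it is benign.
    event keys: process (image name), host (destination), body (HTTP POST body)."""
    if event["host"] not in SOLANA_RPC_HOSTS:
        return None  # not Solana RPC traffic; outside this rule's scope
    try:
        rpc = json.loads(event["body"])
    except (json.JSONDecodeError, TypeError):
        rpc = {}
    method = rpc.get("method", "")
    params = rpc.get("params") or []
    # For the read methods the first positional param is the address or signature queried.
    queried = params[0] if params and isinstance(params[0], str) else ""
    if queried in DEAD_DROP_ADDRESSES:  # fires regardless of which process asked
        return {"severity": "high", "process": event["process"], "method": method,
                "reason": "query against known dead-drop wallet address"}
    if method in READ_METHODS and event["process"].lower() not in APPROVED_PROCESSES:
        return {"severity": "medium", "process": event["process"], "method": method,
                "reason": "Solana RPC read from non-approved application"}
    return None


def scan(events):
    """Apply inspect_event to every event and keep the alerts."""
    return [alert for alert in map(inspect_event, events) if alert]


def rpc_body(method, params):
    """Build a JSON-RPC 2.0 request body as a Solana client would send it."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})


# Constructed sample events resembling EDR/proxy logs, not captured data.
SAMPLE_EVENTS = [
    {"process": "chrome.exe", "host": "api.mainnet-beta.solana.com",
     "body": rpc_body("getSignaturesForAddress", ["PLACEHOLDER_DEAD_DROP_WALLET_ADDRESS", {"limit": 5}])},
    {"process": "svchost.exe", "host": "api.mainnet-beta.solana.com",
     "body": rpc_body("getTransaction", ["ConstructedSignature111", "json"])},
    {"process": "phantom.exe", "host": "api.mainnet-beta.solana.com",
     "body": rpc_body("getAccountInfo", ["ConstructedUserWallet111"])},
    {"process": "chrome.exe", "host": "www.example.com", "body": ""},
]
```

Running scan(SAMPLE_EVENTS) yields a high-severity alert for the browser querying the placeholder dead-drop address and a medium one for the unapproved system process; the approved wallet and the non-Solana request produce nothing.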
Frequently Asked Questions
How does GlassWorm malware use the Solana blockchain to avoid detection by antivirus software?
GlassWorm stores its command-and-control instructions as encoded data inside legitimate Solana blockchain transactions. Because the Solana network is a public, trusted infrastructure used by millions of applications, antivirus tools and firewalls do not flag connections to it as inherently malicious. The malware reads these instructions by querying specific wallet addresses on the blockchain — a technique that bypasses domain blacklists entirely. Behavioral EDR tools that monitor what a process actually does, rather than just what it looks like, are the most reliable way to catch this pattern.
What types of data does the GlassWorm RAT steal from infected computers?
The Remote Access Trojan delivered by GlassWorm is designed to harvest a wide range of high-value data: saved usernames and passwords from all major browsers (Chrome, Edge, Firefox, Brave), active session cookies (which let attackers log into your accounts without needing your password), browser autofill data including payment card details, and private keys or seed phrases from software cryptocurrency wallets such as MetaMask, Phantom, and Exodus. In addition, the RAT gives attackers live remote access to the infected machine, meaning they can also capture screenshots, keystrokes, and files on demand.
How can small businesses protect cryptocurrency wallets from malware like GlassWorm?
The single most effective step is moving crypto assets off software wallets (applications installed on your computer or browser) and onto hardware wallets such as Ledger or Trezor. Hardware wallets store private keys in a dedicated secure chip that is physically isolated from the internet and cannot be accessed by malware running on your computer. For day-to-day transactions, keep only minimal balances in software wallets. Additionally, follow cybersecurity best practices by ensuring all devices that interact with crypto assets have behavioral EDR software installed, use a dedicated machine if possible, and never install wallet extensions from unverified sources.
What incident response steps should an organization take if it suspects a GlassWorm infection?
Act quickly and systematically. First, isolate the suspected device from the network immediately to prevent further data exfiltration. Second, revoke all browser session tokens and force re-authentication on every SaaS platform the device had access to — this closes the window even if credentials have already been stolen. Third, rotate all passwords stored in browsers on that device and any shared accounts it could access. Fourth, engage your EDR vendor or a managed security service provider to conduct a full forensic investigation, paying special attention to outbound connections to Solana RPC endpoints in your network logs. Finally, notify affected parties as required by applicable data protection regulations and update your incident response documentation with lessons learned.
Why is security awareness training important for stopping blockchain-based malware campaigns?
Blockchain-based malware like GlassWorm is specifically designed to evade technical controls, which means the human layer becomes disproportionately important. Most GlassWorm infections begin with a phishing email or a trojanized software download — both of which can be stopped by an alert, well-trained employee. Security awareness training teaches staff to scrutinize unexpected email attachments, verify software downloads through official channels, question requests for browser extension permissions, and report suspicious behavior immediately. Organizations with mature, regular security awareness programs consistently experience lower breach rates, because attackers find it harder to land the initial foothold that all subsequent stages of an attack depend on. Training should be updated to specifically address threats involving cryptocurrency tools and Web3 applications, which are increasingly used as lures.
Disclaimer: This article is for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific needs.