GlassWorm Goes Mac: Fresh Infrastructure, New Tricks

Ruslan Mikhalov Chief of Threat Research at SOC Prime

GlassWorm Goes Mac: Fresh Infrastructure, New Tricks

Detection stack

AIDR
Alert
ETL
Query

Threat Report
Attack Flow
Detections
Simulations

Summary

The threat actor behind GlassWorm has pivoted from Windows-focused activity to macOS, distributing malicious VS Code extensions that fetch encrypted JavaScript payloads through Solana blockchain–derived C2 pointers. This wave expands capability by adding hardware wallet trojanization while continuing broad credential theft across browsers, developer tooling, and the macOS Keychain. The infrastructure includes a Solana wallet address and an IP reused from earlier GlassWorm operations, suggesting continuity in operator tooling and hosting. Researchers observed 50,000+ downloads before the extensions were removed, indicating meaningful exposure across developer environments.

Investigation

Koi Security identified three malicious VS Code extensions on the Open VSX marketplace and linked their command-and-control workflow to a Solana wallet plus a shared IP address previously tied to GlassWorm. The implants incorporate a 15-minute execution delay, then decrypt and run an AES-256-CBC JavaScript payload. On macOS, persistence is established via LaunchAgents. Collection targets include browser wallets and desktop wallet data, developer access tokens, SSH keys, and macOS Keychain material. The malware stages stolen data under /tmp/ijewf/ before exfiltration to a server path resembling /p2p. It also attempts to replace legitimate hardware wallet companion apps—such as Ledger Live and Trezor Suite—with trojanized lookalikes to capture high-value secrets and transactions.

Mitigation

Tighten controls around developer tooling by enforcing extension allowlisting and requiring security review for VS Code extensions, particularly those sourced from open marketplaces. Deploy runtime detections for delayed execution patterns and suspicious creation or modification of LaunchAgents. Monitor and block suspicious outbound activity associated with Solana-derived C2 lookups, and add network detections for unusual connections to the identified reused IP. Require MFA for developer and cloud accounts and implement hardware wallet integrity checks (publisher validation, notarization/signature verification, and controlled software update channels).

Response

Trigger alerts on new or modified LaunchAgents, anomalous access to Keychain stores, and retrieval attempts from Solana-referenced C2 endpoints. Quarantine and remove the malicious VS Code extensions, then eradicate any associated LaunchAgent persistence. Perform targeted forensics on /tmp/ijewf/ to scope credential staging and confirm what data was collected. Validate the integrity of hardware wallet applications (Ledger Live, Trezor Suite) and re-install from trusted sources if tampering is suspected. Reset impacted credentials, rotate SSH keys and developer tokens, invalidate sessions, and expand hunting across endpoints for the same extension IDs, file paths, and persistence artifacts.

"graph TB %% Class Definitions classDef action fill:#99ccff classDef technique fill:#ffcc99 classDef operator fill:#ff9900 classDef tool fill:#cccccc %% Nodes action_initial_access["Action – Initial Access"] class action_initial_access action technique_vs_code_ext["Technique – T1176.002: Malicious VS Code IDE Extension Description: Adversary delivers a malicious extension for Visual Studio Code that executes code on the victim system."] class technique_vs_code_ext technique technique_delay["Technique – T1497.003: Execution Delay Description: Malware waits for a period (e.g., 15 minutes) before executing its payload to evade analysis."] class technique_delay technique technique_decrypt["Technique – T1027.009 / T1027.004: Decrypt AESu2011256u2011CBC Payload Description: Encrypted payload is decrypted inu2011memory using AESu2011CBC with a 256u2011bit key."] class technique_decrypt technique technique_c2_retrieve["Technique – T1573.001: Retrieve Endpoint from Solana Blockchain Description: C2 server address is stored on a public blockchain and fetched by the malware."] class technique_c2_retrieve technique technique_c2_fetch["Technique – T1048.003: Unencrypted Protocol Data Transfer Description: Malware contacts the C2 endpoint using an unencrypted protocol (e.g., HTTP)."] class technique_c2_fetch technique technique_persistence_agent["Technique – T1543.001: Install LaunchAgent Description: A LaunchAgent plist is placed in the useru2019s LaunchAgents directory for persistence."] class technique_persistence_agent technique technique_persistence_daemon["Technique – T1543.004: Install LaunchDaemon Description: A LaunchDaemon plist is placed in the system LaunchDaemons directory for persistence."] class technique_persistence_daemon technique technique_modify_plist["Technique – T1647: Modify PLIST File Description: Attacker edits the plist to alter launch behavior or add malicious commands."] class technique_modify_plist technique technique_dump_keychain["Technique – T1555.001 / T1555.002: Dump Keychain Description: Credential material from macOS Keychain is extracted."] class technique_dump_keychain technique technique_steal_keys["Technique – T1552.001 / T1552.004: Steal Private Keys and Tokens Description: Private cryptocurrency keys and authentication tokens are harvested."] class technique_steal_keys technique technique_stage_data["Technique – T1074: Data Staged Description: Collected files are copied to /tmp/ijewf for later exfiltration."] class technique_stage_data technique technique_archive["Technique – T1560.001 / T1560.003: Archive Collected Data Description: Data is compressed into an archive format (e.g., zip)."] class technique_archive technique technique_exfil["Technique – T1048.003: Exfiltration Over Unencrypted Nonu2011C2 Channel Description: Staged archive is sent out via an unencrypted channel not tied to the primary C2."] class technique_exfil technique technique_priv_esc["Technique – T1548.006: TCC Manipulation Description: macOS Transparency, Consent, and Control database is modified to gain higher privileges."] class technique_priv_esc technique technique_impact["Technique – T1496.002: Replace Ledger Live / Trezor Suite Description: Legitimate cryptocurrency wallet applications are swapped with trojanized versions to capture user assets."] class technique_impact technique %% Connections action_initial_access –>|uses| technique_vs_code_ext technique_vs_code_ext –>|triggers| technique_delay technique_delay –>|leads to| technique_decrypt technique_decrypt –>|establishes| technique_c2_retrieve technique_c2_retrieve –>|contacts| technique_c2_fetch technique_c2_fetch –>|installs| technique_persistence_agent technique_c2_fetch –>|installs| technique_persistence_daemon technique_persistence_agent –>|modifies| technique_modify_plist technique_persistence_daemon –>|modifies| technique_modify_plist technique_modify_plist –>|enables| technique_dump_keychain technique_dump_keychain –>|enables| technique_steal_keys technique_steal_keys –>|stores in| technique_stage_data technique_stage_data –>|archives| technique_archive technique_archive –>|exfiltrates via| technique_exfil technique_exfil –>|facilitates| technique_priv_esc technique_priv_esc –>|enables| technique_impact "

Attack Flow

Attack Narrative & Commands:
An attacker who has already compromised a low‑privileged macOS user account wishes to harvest a service account password stored in the Keychain under the label pass_users_for_script. To avoid dropping a separate binary, the attacker writes a one‑liner AppleScript that invokes the built‑in security tool via do shell script. The script is executed directly in the user’s session, producing a process creation event with the exact command line the Sigma rule matches.
```
# Create a test keychain item (only for demonstration; real attacker would target existing item)
security add-generic-password -a attacker -s pass_users_for_script -w SuperSecret123

# Execute the AppleScript that reads the password
osascript -e 'do shell script "security find-generic-password -s '''pass_users_for_script''' -w"'
```

Regression Test Script:

#!/usr/bin/env bash
set -euo pipefail

# Step 1: Ensure the target keychain entry exists (idempotent)
if ! security find-generic-password -s pass_users_for_script -w >/dev/null 2>&1; then
    security add-generic-password -a attacker -s pass_users_for_script -w SuperSecret123
fi

# Step 2: Execute the AppleScript that triggers the detection rule
echo "[+] Executing AppleScript to read the keychain entry..."
osascript -e 'do shell script "security find-generic-password -s '''pass_users_for_script''' -w"'

Cleanup Commands:

# Remove the test keychain item to leave the system clean
security delete-generic-password -s pass_users_for_script
echo "[+] Cleanup complete: test keychain entry removed."

Join SOC Prime's Detection as Code platform to improve visibility into threats most relevant to your business. To help you get started and drive immediate value, book a meeting now with SOC Prime experts.

Join for Free

Name	Descripiton
PHPSESSID	Preserves user session state across page requests. Cookie generated by applications based on the PHP language. This is a general purpose identifier used to maintain user session variables. It is normally a random generated number, how it is used can be specific to the site, but a good example is maintaining a logged-in status for a user between pages.
sp_i	Used to store information about authenticated User.
sp_r	Used to store information about authenticated User.
sp_a	Used to store information about authenticated User.

Name	Descripiton
tuuid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
tuuid_last_update	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
um	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
umeh	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded.
na_sc_x	Used by the social sharing platform AddThis to keep a record of parts of the site that has been visited in order to recommend other parts of the site.
APID	Collects anonymous data related to the user's visits to the website.
IDSYNC	Collects anonymous data related to the user's visits to the website.
_cc_aud	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_cc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_dc	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
_cc_id	Collects anonymous statistical data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The purpose is to segment the website's users according to factors such as demographics and geographical location, in order to enable media and marketing agencies to structure and understand their target groups to enable customised online advertising.
dpm	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
acs	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
clid	Collects anonymous data related to the user's visits to the website, such as the number of visits, average time spent on the website and what pages have been loaded, with the purpose of displaying targeted ads.
KRTBCOOKIE_#	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PUBMDCID	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
PugT	Registers a unique ID that identifies the user's device during return visits across websites that use the same ad network. The ID is used to allow targeted ads.
ssi	Registers a unique ID that identifies a returning user's device. The ID is used for targeted ads.
_tmid	Registers a unique ID that identifies the user's device upon return visits. The ID is used to target ads in video clips.
wam-sync	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
wui	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
AFFICHE_W	Used by the advertising platform Weborama to determine the visitor's interests based on pages visits, content clicked and other actions on the website.
B	Collects anonymous data related to the user's website visits, such as the number of visits, average time spent on the website and what pages have been loaded. The registered data is used to categorise the users' interest and demographical profiles with the purpose of customising the website content depending on the visitor.
1P_JAR	These cookies are used to gather website statistics, and track conversion rates.
APISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
HSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
NID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SAPISID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
SIDCC	Security cookie to protect users data from unauthorised access.
SSID	Google set a number of cookies on any page that includes a Google reCAPTCHA. While we have no control over the cookies set by Google, they appear to include a mixture of pieces of information to measure the number and behaviour of Google reCAPTCHA users.
__utmx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.
__utmxx	This cookie is associated with Google Website Optimizer, a tool designed to help site owners improve their wbesites. It is used to distinguish between two varaitions a webpage that might be shown to a visitor as part of an A/B split test. This helps site owners to detemine which version of a page performs better, and therefore helps to improve the website.

Name	Descripiton
_hjid	Hotjar cookie. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInSample	This cookie is associated with web analytics functionality and services from Hot Jar, a Malta based company. It uniquely identifies a visitor during a single browser session and indicates they are included in an audience sample.
intercom-id-[xxx]	This cookie is used by Intercom as a session so that users can continue a chat as they move through the site.
intercom-session-[xxx]	Used to keeping track of sessions and remember logins and conversations.
demdex	Via a unique ID that is used for semantic content analysis, the user's navigation on the website is registered and linked to offline data from surveys and similar registrations to display targeted ads.
CookieConsent	Stores the user's cookie consent state for the current domain.
__cfduid	Used by the content network, Cloudflare, to identify trusted web traffic.
ss	These cookies enable the website to provide enhanced functionality and personalisation . They may be set by us or by third party providers whose services we have added to our pages. These services may include the Live Chat facility, Contact Us form(s), the Product Quotation forms and submission process, and the Email Newsletter sign up functionality .

Name	Descripiton
_ga	This cookie name is asssociated with Google Universal Analytics - which is a significant update to Google's more commonly used analytics service. This cookie is used to distinguish unique users by assigning a randomly generated number as a client identifier. It is included in each page. Registers a unique ID that is used to generate statistical data on how the visitor uses the website. request in a site and used to calculate visitor, session and campaign data for the sites analytics reports. By default it is set to expire after 2 years, although this is customisable by website owners.
_gat	Used by Google Analytics to throttle request rate. This cookie name is associated with Google Universal Analytics, according to documentation it is used to throttle the request rate - limiting the collection of data on high traffic sites. It expires after 10 minutes.
_gid	This cookie name is asssociated with Google Universal Analytics. This appears to be a new cookie and as of Spring 2017 no information is available from Google. It appears to store and update a unique value for each page visited. Registers a unique ID that is used to generate statistical data on how the visitor uses the website.
IDE	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
r/collect	Used by Google DoubleClick to register and report the website user's actions after viewing or clicking one of the advertiser's ads with the purpose of measuring the efficacy of an ad and to present targeted ads to the user.
test_cookie	Used to check if the user's browser supports cookies.
collect	Used to send data to Google Analytics about the visitor's device and behaviour. Tracks the visitor across devices and marketing channels.
ads/user-lists/#	These cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites.
c	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
khaos	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
put_#	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpb	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
rpx	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.
tap.php	Registers anonymised user data, such as IP address, geographical location, visited websites, and what ads the user has clicked, with the purpose of optimising ad display based on the user's movement on websites that use the same ad network.