Back to Intelligence

Defending Against GlassWorm: Mitigating Solana Dead Drops and Chrome Extension RATs

SA
Security Arsenal Team
March 25, 2026
5 min read

Defending Against GlassWorm: Mitigating Solana Dead Drops and Chrome Extension RATs

Cybersecurity adversaries continuously refine their tactics to evade detection, and the evolution of the GlassWorm campaign is a prime example. Security researchers have flagged a sophisticated update to this malware framework that now leverages the Solana blockchain for command-and-control (C2) communications—specifically using "dead drops"—to deliver a Remote Access Trojan (RAT).

What makes this campaign particularly dangerous for enterprises is its delivery method: a malicious Google Chrome extension masquerading as an offline version of Google Docs. Once installed, this RAT acts as a comprehensive information stealer, logging keystrokes, dumping cookies and session tokens, capturing screenshots, and targeting cryptocurrency data. For security teams, this represents a blind spot in traditional defenses, as it abuses legitimate blockchain infrastructure and trusted browser mechanisms.

Technical Analysis

GlassWorm represents a multi-stage framework designed for persistence and data exfiltration.

  • Attack Vector: The malware uses the Solana blockchain to hide payloads. By encoding commands or malicious URLs within the memo fields of legitimate-looking transactions (dead drops), attackers can bypass traditional network traffic inspection. Solana traffic is often allowed through corporate firewalls, and the payload retrieval looks like standard node synchronization.
  • Payload: The primary payload is a malicious Google Chrome extension. The extension spoofs the appearance of a legitimate "Google Docs Offline" tool to deceive users into granting necessary permissions.
  • Capabilities: Upon installation, the extension functions as a RAT and stealer. It captures:
    • Keystrokes (keylogging)
    • Browser cookies and session tokens (leading to account takeover)
    • Screenshots
    • Cryptocurrency wallet data
  • Affected Systems: Windows systems running Google Chrome. Organizations allowing unrestricted browser extension installations are at the highest risk.
  • Severity: High. The use of blockchain for C2 makes traffic analysis difficult, and the browser-based payload allows for persistent access within the user's browser context, often bypassing system-level antivirus heuristics.

Defensive Monitoring

Detecting GlassWorm requires a shift in focus from traditional network signatures to behavioral analysis and browser integrity. Security teams should implement the following monitoring queries to identify potential compromises.

1. KQL for Microsoft Sentinel (Detecting Suspicious Chrome Extensions)

This query helps identify recently installed Chrome extensions that are not part of your organization's allowlist or have vague publisher details, which is common in malicious campaigns like GlassWorm.

Script / Code
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~("chrome.exe", "msedge.exe")
| where ProcessCommandLine has "--load-extension"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| extend ExtensionPath = extract(@"--load-extension=([^"]+)", 1, ProcessCommandLine)
| summarize by ExtensionPath, DeviceName, Timestamp

2. PowerShell Script (Audit Chrome Extensions)

Use this script on endpoints to enumerate installed Chrome extensions. This can be deployed via Intune or other EDR tools to inventory extensions and flag the fake "Google Docs Offline" or other unauthorized software.

Script / Code
$ChromeBasePath = "$env:LOCALAPPDATA\Google\Chrome\User Data"
$Extensions = @()

if (Test-Path $ChromeBasePath) {
    $Profiles = Get-ChildItem -Path $ChromeBasePath -Directory | Where-Object { $_.Name -match "Default|Profile" }
    foreach ($Profile in $Profiles) {
        $ExtPath = Join-Path -Path $Profile.FullName -ChildPath "Extensions"
        if (Test-Path $ExtPath) {
            $Folders = Get-ChildItem -Path $ExtPath -Directory
            foreach ($Folder in $Folders) {
                $VersionFolder = Get-ChildItem -Path $Folder.FullName -Directory | Sort-Object LastWriteTime -Descending | Select-Object -First 1
                $ManifestFile = Join-Path -Path $VersionFolder.FullName -ChildPath "manifest."
                if (Test-Path $ManifestFile) {
                    $Manifest = Get-Content $ManifestFile -Raw | ConvertFrom-Json
                    $Extensions += [PSCustomObject]@{
                        Profile     = $Profile.Name
                        ID          = $Folder.Name
                        Name        = if ($Manifest.name) { $Manifest.name } else { "Unknown" }
                        Version     = if ($Manifest.version) { $Manifest.version } else { "Unknown" }
                        Path        = $Folder.FullName
                    }
                }
            }
        }
    }
}
$Extensions | Format-Table -AutoSize

3. KQL for Network Traffic (Solana RPC Connections)

While blockchain traffic is legitimate, a surge of connections to known Solana RPC endpoints from non-developer workstations can be suspicious.

Script / Code
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteUrl has "solana" or RemotePort in (8899, 8900, 9900) // Common Solana RPC/TCP ports
| where InitiatingProcessFileName !in ~("solana-cli.exe", "node.exe") // Adjust based on your dev tools
| summarize Count() by DeviceName, RemoteUrl, InitiatingProcessFileName
| where Count > 10

Remediation

To protect your organization from the GlassWorm campaign and similar browser-based threats, implement the following defensive measures immediately:

  1. Enforce Browser Extension Policies:

    • Implement a strict Allowlist policy for browser extensions via Group Policy or cloud management platforms (e.g., Google Admin Console). Block the installation of all extensions except those explicitly verified and required for business operations.

  2. Block Unnecessary Blockchain Traffic:

    • If your organization does not utilize Solana or other blockchain technologies for development, configure firewalls and proxies to block access to known public RPC nodes (e.g., api.mainnet-beta.solana.com). This cuts off the "dead drop" communication channel.

  3. Session Hygiene and Revocation:

    • If a compromise is suspected, immediately force a logoff of affected users to invalidate session tokens.
    • Instruct users to change passwords and revoke browser sessions for critical applications (email, banking, code repositories) from their security settings pages.

  4. User Education and Awareness:

    • Alert users to the risks of installing "offline" versions of popular tools. Legitimate Google Docs offline functionality is built into the browser and does not require a separate extension installation from a third-party source.

  5. Endpoint Isolation and Scanning:

    • Isolate affected machines identified during hunting. Perform a full antimalware scan and specifically inspect the \Extensions\ folder within the Chrome user profile for unknown directories.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub

incident-responseransomwareforensicsmalwarebrowser-securitysolanachrome-extensionsthreat-hunting

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action
Defending Against GlassWorm: Mitigating Solana Dead Drops and Chrome Extension RATs | Security Arsenal | Security Arsenal