Back to Intelligence

GoSerpent APT & GlassWASM Supply Chain: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
July 17, 2026
6 min read

Recent OTX pulses indicate a surge in sophisticated, multi-vector campaigns targeting government, technology, and cryptocurrency sectors. Three distinct threats have been identified: GoSerpent (associated with the TetrisPhantom adversary), a Go-based RAT targeting diplomatic entities in Southeast Asia; GlassWASM, a novel supply chain attack leveraging trojanized VS Code extensions and Solana blockchain memos for C2; and OkoBot, a modular framework targeting crypto wallets via PowerShell and SSH botnets. Collectively, these campaigns highlight a shift toward encrypted, proxy-aware C2 channels and the abuse of developer tools/infrastructure for initial access.

Threat Actor / Malware Profile

1. TetrisPhantom (GoSerpent)

  • Distribution: Spear-phishing targeting government and diplomatic entities in Southeast Asia.
  • Payload Behavior: A Go-based Remote Access Trojan (RAT) providing proxy capabilities. It deploys a suite of post-exploitation tools including Mimikatz, QuarksDumpLocalHash, and Stowaway for lateral movement and credential theft.
  • C2 Communication: Uses AES-CBC and ChaCha20 encryption for command arguments and C2 traffic to evade detection.
  • Persistence: Established via system services or scheduled tasks (specifics vary by campaign variant).

2. GlassWorm (GlassWASM)

  • Distribution: Supply chain compromise via the Open VSX marketplace. Malicious Visual Studio Code extensions are trojanized to include WebAssembly (WASM) payloads.
  • Payload Behavior: Uses TinyGo-compiled WebAssembly modules. The malware polls the Solana blockchain for command-and-control instructions embedded in transaction memos—a "dead-drop" technique that eliminates hard-coded C2 infrastructure.
  • C2 Communication: Decrypted instructions from Solana memos (ChaCha20 encrypted). This allows infrastructure rotation without changing the malware binary.

3. OkoBot Framework

  • Distribution: "ClickFix" attacks and fake software repositories (GitHub) delivering TookPS PowerShell scripts.
  • Payload Behavior: A modular framework deploying TeviRAT, Rilide (browser extension injector), and SeedHunter. An automated SSH bot creates tunnels for traffic relay.
  • Objective: Theft of cryptocurrency credentials and assets.

IOC Analysis

  • File Hashes: A significant volume of MD5 hashes are present for GoSerpent (Go binaries), GlassWASM (extension files), and OkoBot (PowerShell/DLLs). SOC teams should immediately enrich these in EDR solutions.
  • Domains: OkoBot relies on specific domains (e.g., coffeesaloon.online, livewallpapers.online) for C2 or payload staging. These should be blocked at the DNS layer.
  • Tooling Decoding: While GlassWASM uses the Solana blockchain, analysts will need a Solana RPC node and the specific wallet address/ChaCha20 key to decode the memos. GoSerpent traffic requires decryption keys (AES-CBC/ChaCha20) found in the malware configuration.

Detection Engineering

Sigma Rules

YAML
title: Suspicious VS Code Extension Spawning Shell
id: 8c7b9a2d-1e3f-4b5c-9d6e-7f8a9b0c1d2e
description: Detects Visual Studio Code spawning a shell process, indicative of trojanized extensions like GlassWASM executing code.
status: experimental
date: 2026/07/17
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\Code.exe'
            - '\code.exe'
        Image|endswith:
            - '\powershell.exe'
            - '\cmd.exe'
            - '\wscript.exe'
            - '\cscript.exe'
    condition: selection
falsepositives:
    - Legitimate developer debugging scripts
level: high
tags:
    - attack.execution
    - attack.t1059.001
---
title: PowerShell Spawning SSH Tunnel (OkoBot)
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
description: Detects PowerShell scripts spawning SSH processes, a behavior associated with the OkoBot framework deploying SSH bots.
status: experimental
date: 2026/07/17
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        Image|endswith:
            - '\ssh.exe'
    condition: selection
falsepositives:
    - Administrative tasks via PowerShell remoting
level: medium
tags:
    - attack.execution
    - attack.command_and_control
    - attack.t1072
---
title: Credential Dumping Tool Execution (GoSerpent)
id: 9f8e7d6c-5b4a-3e2d-1c0b-9a8f7e6d5c4b
description: Detects the execution of known credential dumping tools used by TetrisPhantom/GoSerpent like QuarksDumpLocalHash or Mimikatz.
status: experimental
date: 2026/07/17
author: Security Arsenal
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|contains:
            - 'mimikatz'
            - 'QuarksPwDump'
            - 'QuarksDumpLocalHash'
    condition: selection
falsepositives:
    - Rare administrative credential recovery
level: critical
tags:
    - attack.credential_access
    - attack.t1003.001

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for OkoBot C2 Domains
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl in ("coffeesaloon.online", "livewallpapers.online", "2baserec2.guru", "kbeautyreviews.com")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP

// Hunt for GoSerpent related processes (Go binaries often lack signed metadata)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in ("powershell.exe", "cmd.exe", "winword.exe")
| where FileName endswith ".exe" 
| where InitiatingProcessCommandLine matches regex @"proxy|socks|stowaway"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName

// Hunt for GlassWASM (VS Code making network connections to blockchain APIs)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName == "Code.exe"
| where RemoteUrl contains "solana" or RemoteUrl contains "rpc"
| project Timestamp, DeviceName, RemoteUrl, RequestUrl

PowerShell Hunt Script

PowerShell
# IOC Hunt Script for GoSerpent, GlassWASM, and OkoBot

Write-Host "Starting Threat Hunt..." -ForegroundColor Cyan

# 1. Check for OkoBot File Hashes
$OkobotHashes = @(
    "b07d451ee65a1580f20a784c8f0e7a46",
    "187a1f68ae786e53d3831166dc84e6d2",
    "d84e8dc509308523e0209d3cd3544619",
    "83e6b8fcb92a0b13e109301f8ff649cf"
)

# 2. Check for GoSerpent Hashes
$GoSerpentHashes = @(
    "ebffd5a76aaa690bcdb922f82e0bacc5",
    "dc506ff7bb72735444fb3703a6bee6d8",
    "d6e86bf8a90e9b632add5fa495f97fbc"
)

# 3. Check for GlassWASM Hashes
$GlassWasmHashes = @(
    "4e143876eeaf5e767a9971f603b0f13c",
    "b262b8d2ac2f0ab3c78251db44ecf3ac"
)

$AllHashes = $OkobotHashes + $GoSerpentHashes + $GlassWasmHashes

$Drives = Get-PSDrive -PSProvider FileSystem

foreach ($Drive in $Drives) {
    Write-Host "Scanning drive $($Drive.Root)..." -ForegroundColor Yellow
    try {
        Get-ChildItem -Path $Drive.Root -Recurse -ErrorAction SilentlyContinue | 
        Get-FileHash -Algorithm MD5 -ErrorAction SilentlyContinue | 
        Where-Object { $AllHashes -contains $_.Hash } | 
        Select-Object Path, Hash | 
        Format-Table -AutoSize
    } catch {
        # Ignore access errors
    }
}

# Check Hosts File for OkoBot Domains
$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$OkoBotDomains = @("coffeesaloon.online", "livewallpapers.online", "2baserec2.guru", "kbeautyreviews.com")

if (Test-Path $HostsPath) {
    $HostsContent = Get-Content $HostsPath
    foreach ($Domain in $OkoBotDomains) {
        if ($HostsContent -match $Domain) {
            Write-Host "ALERT: Found OkoBot domain in hosts file: $Domain" -ForegroundColor Red
        }
    }
}

# Check for Suspicious VS Code Extensions (GlassWASM vector)
$VSCodeExtensionsPath = "$env:USERPROFILE\.vscode\extensions"
if (Test-Path $VSCodeExtensionsPath) {
    Write-Host "Checking recently modified VS Code extensions..." -ForegroundColor Yellow
    Get-ChildItem -Path $VSCodeExtensionsPath -Directory | 
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-30) } | 
    Select-Object Name, LastWriteTime
}

Write-Host "Hunt Complete." -ForegroundColor Green

Response Priorities

  • Immediate: Block all listed OkoBot domains at the perimeter and DNS sinks. Quarantine endpoints matching the provided MD5 hashes. Restrict installation of VS Code extensions from the Open VSX marketplace to pre-approved publishers.
  • 24h: Conduct a credential audit for accounts with access to diplomatic or source code repositories, as GoSerpent and OkoBot actively steal credentials. Hunt for PowerShell logs containing ClickFix patterns (Copy-Item/Clip.exe).
  • 1 Week: Harden the build pipeline and developer environment. Implement application control (AppLocker) to prevent unsigned Go binaries and unauthorized PowerShell scripts from executing in user directories. Review all VS Code installed extensions for code integrity.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-aptgoserpentglasswasmokobotapt-techniquessupply-chain

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.