{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/glassworm/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["glassworm","malware","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe GlassWorm campaign has been identified deploying a Wave 3 Windows payload. This indicates a continuation of the threat actor\u0026rsquo;s operations, with an updated payload targeting Windows systems. The specifics of the delivery mechanism and the exact functionality of the Wave 3 payload are currently unknown. Defenders should be aware of the ongoing GlassWorm activity and implement detections for suspicious Windows executables. Further analysis is required to fully understand the capabilities of the Wave 3 payload and the scope of the campaign.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The initial access vector is unknown.\u003c/li\u003e\n\u003cli\u003ePayload Delivery: A Wave 3 Windows payload is delivered to the system.\u003c/li\u003e\n\u003cli\u003eExecution: The Windows payload is executed.\u003c/li\u003e\n\u003cli\u003ePersistence: The payload establishes persistence on the system.\u003c/li\u003e\n\u003cli\u003eCommand and Control: The payload connects to a command and control server for instructions.\u003c/li\u003e\n\u003cli\u003eData Collection: The payload gathers sensitive data from the system.\u003c/li\u003e\n\u003cli\u003eExfiltration: The collected data is exfiltrated to the attacker.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful deployment of the GlassWorm Wave 3 payload could lead to data theft, system compromise, and potential financial loss. The impact depends on the specific objectives of the threat actor and the sensitivity of the data compromised. The lack of specific information about victimology makes determining the overall scope impossible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creation events for unknown or unsigned executables, especially those with network connections (reference: process_creation and network_connection log sources).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts related to the execution of potentially malicious Windows executables.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-16T15:00:22Z","date_published":"2026-03-16T15:00:22Z","id":"/briefs/2024-01-glassworm-wave3/","summary":"The GlassWorm campaign has been observed deploying a Wave 3 Windows payload, indicating ongoing malicious activity targeting Windows systems.","title":"GlassWorm Campaign Deploying Wave 3 Windows Payload","url":"https://feed.craftedsignal.io/briefs/2024-01-glassworm-wave3/"}],"language":"en","title":"CraftedSignal Threat Feed — Glassworm","version":"https://jsonfeed.org/version/1.1"}