Infrastructure — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/tags/infrastructure/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSun, 15 Mar 2026 13:51:21 +0000GlassWorm V2 Infrastructure Rotation and GitHub Injection Analysishttps://feed.craftedsignal.io/briefs/2024-01-26-glassworm-v2-analysis/Sun, 15 Mar 2026 13:51:21 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-26-glassworm-v2-analysis/Analysis of GlassWorm V2 reveals infrastructure rotation and GitHub injection techniques.This threat brief summarizes an analysis of GlassWorm V2, focusing on its infrastructure rotation and GitHub injection techniques. While specific details regarding the threat actor and initial attack vectors are not provided in this analysis, the report highlights the malware’s ability to dynamically change its command and control (C2) infrastructure and potentially leverage GitHub for code injection or storage. Understanding these techniques is crucial for defenders to develop robust detection and mitigation strategies against this evolving threat. The full analysis is available on Codeberg.

Attack Chain

  1. Initial Access: Specific initial access vector is unknown.
  2. GitHub Injection: The malware leverages GitHub to host malicious code or configurations, potentially obfuscating its activities within legitimate traffic.
  3. Infrastructure Rotation: GlassWorm V2 employs techniques to rotate its C2 infrastructure, making it more difficult to track and block.
  4. Communication: The malware establishes communication with its C2 server using the dynamically updated infrastructure.
  5. Command Execution: The C2 server issues commands to the infected host.
  6. Persistence: Unknown persistence mechanism is used.
  7. Data Exfiltration/Lateral Movement/Impact: The ultimate goal is currently unknown.

Impact

The impact of a successful GlassWorm V2 infection could range from data theft and system compromise to disruption of services, depending on the specific objectives of the attacker. The use of infrastructure rotation makes it harder to block attacker infrastructure. The GitHub injection may also lead to supply chain concerns.

Recommendation

  • Monitor network traffic for connections to unusual or newly registered domains, even if they initially appear benign.
  • Implement file integrity monitoring on systems to detect unauthorized modifications to critical system files.
  • Consider using tools that specifically analyze and detect malicious use of GitHub repositories.
]]>mediumadvisorymalwaregithubinfrastructure