Last updated: July 5, 2026 at 9:01 AM UTC
Tag: botnet-takedown (2 articles)

Dutch police dismantle 17-million-device botnet linked to Asocks proxy service, seize 200+ servers at local hosting provider

Dutch authorities have taken offline a botnet of at least 17 million infected computers, tablets, and smartphones, seizing more than 200 servers at a Netherlands-based hosting provider. The action was led by the National Police with the National Cyber Security Centre (NCSC). Local media link the infrastructure to Asocks, a service that advertises itself as a universal residential-proxy provider - the kind of proxy network used to launder malicious traffic, run credential-stuffing and ad fraud, and anonymize attacks. The hosting provider took the botnet offline once it was confirmed to be supporting criminal activity. Authorities have not formally named the botnet or announced arrests.

Check
Check whether your network egress or fraud logs show traffic to or from Asocks residential-proxy exit nodes. Review IoT and endpoint fleets for proxyware infections feeding such services.
Affected
17 million compromised devices (computers, tablets, smartphones) conscripted into the proxy botnet. Organizations targeted via proxied credential-stuffing, ad fraud, and anonymized attacks routed through residential IPs.
Fix
Block known Asocks infrastructure once IoCs are published. Hunt for proxyware and residential-proxy SDKs on managed devices. Add residential-proxy ASNs to fraud-scoring and bot-detection rules.

CrowdStrike, Google, Shadowserver disrupt GlassWorm botnet by cutting four resilient C2 channels - Solana memos, BitTorrent DHT, Google Calendar, direct VPS

CrowdStrike, Google, and The Shadowserver Foundation have disrupted the GlassWorm developer-supply-chain botnet by simultaneously cutting four resilient command-and-control channels. Active since October 2025, GlassWorm spread through malicious OpenVSX and VS Code extensions, GitHub repos, and npm packages (one March campaign hit 400+ artifacts), stealing crypto wallets and developer credentials. Its C2 was built to resist takedown: server addresses encoded in Solana transaction memo fields, configuration stored in the BitTorrent DHT, Base64 C2 paths hidden in Google Calendar event titles, and direct VPS connections for payload delivery. All four had to fall at once. Infected hosts now beacon to CrowdStrike's sinkhole at 164.92.88[.]210.

Check
Run CrowdStrike's published YARA rules across developer workstations and build servers. Search network logs for beacons to 164.92.88[.]210 (CrowdStrike sinkhole) indicating prior GlassWorm infection.
Affected
Developers who installed malicious OpenVSX or VS Code extensions, or pulled compromised GitHub repos and npm packages since October 2025. 400+ artifacts hit in the March campaign alone.
Fix
Remediate any host beaconing to the sinkhole. Audit installed OpenVSX/VS Code extensions against known-bad lists. Rotate crypto wallets and developer credentials exposed on infected machines.
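A small detection pass over firewall logs for the sinkhole check above, as an added example (not code from the write-up, CrowdStrike or Shadowserver). It assumes a space-separated log format of timestamp, source IP, destination IP, destination port and action, and uses constructed sample lines; the only indicator is the defanged sinkhole address quoted in the summary, which the code refangs before matching.

```python
import re
from collections import defaultdict

# Sinkhole address as published in the write-up, kept defanged; refanged at match time.
SINKHOLE_DEFANGED = "164.92.88[.]210"

# Assumed log layout: ts src_ip dst_ip dst_port action (hypothetical format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<action>\w+)$"
)

# Constructed sample lines, not real traffic: one host beaconing every 5 minutes,
# one host whose single beacon was blocked, and two unrelated connections.
SAMPLE_LOG = """\
2026-07-01T08:00:01Z 10.20.1.15 164.92.88.210 443 ALLOW
2026-07-01T08:05:02Z 10.20.1.15 164.92.88.210 443 ALLOW
2026-07-01T08:10:03Z 10.20.1.15 164.92.88.210 443 ALLOW
2026-07-01T08:03:44Z 10.20.1.22 142.250.72.14 443 ALLOW
2026-07-01T08:07:19Z 10.20.1.40 164.92.88.210 443 DENY
2026-07-01T08:09:00Z 10.20.1.22 104.16.0.1 80 ALLOW
"""


def refang(ioc: str) -> str:
    """Turn a defanged indicator (1.2.3[.]4, hxxp://) back into a matchable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def find_sinkhole_beacons(log_text: str, sinkhole: str = SINKHOLE_DEFANGED) -> dict:
    """Return {source_host: connection_count} for hosts that reached the sinkhole.

    DENY lines count too: a blocked beacon still means the host is infected
    and needs remediation, it just did not reach the sinkhole that time.
    """
    target = refang(sinkhole)
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m["dst"] == target:
            hits[m["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, n in sorted(find_sinkhole_beacons(SAMPLE_LOG).items()):
        print(f"{host}: {n} connection(s) to sinkhole -> isolate and remediate")
```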