Solana memo feature exploited to run hidden malware

Hackers are moving away from normal servers and using decentralized systems to attack developers and steal their crypto funds. They are are replacing traditional command-and-control (C2) servers entirely with decentralized options.

In this attack, the malware abuses the Solana blockchain. It uses the memo field of Solana transactions to run stealth malware that steals crypto wallet data, and even hardware wallet recovery phrases.

The memo field was originally designed for simple transaction notes, but attackers are now using it as a hidden communication layer. This turns a public blockchain feature into a covert channel for malware control.

Decentralized memos like Solana’s are public and permanent and they cannot be taken down by any single party. In addition, attackers can update instructions without changing malware.

The campaign is considered a new version of the GlassWorm malware, which has been active since at least 2022.

Solana memos act as a dead drop resolver

According to security researchers from Aikido, the attack has three stages or three payloads. The first stage/payload is just an entry point. It begins when a developer installs a malicious package from open source repositories like npm, PyPI, GitHub, or the Open VSX marketplaces.

The malware then checks if the system locale is Russian and if so, it does not proceed with the attack. This is because the attackers are likely based in Russia and do not want to get caught by authorities. Once installed, the malware uses the Solana blockchain to fetch the attacker’s command-and-control (C2) server IP address. It looks for a specific transaction on Solana that contains the C2 server’s IP address in the memo field.

The malware then connects to the C2 server and starts the second stage of the attack. In this stage, the malware looks for crypto data like seed phrases, private keys, and even screenshots of wallets. It targets browser extension wallets like MetaMask, Phantom, Coinbase, Exodus, Binance, Ronin, Keplr, and more.

The malware also looks for browser data like login sessions, session tokens, and cloud access. This means it can access centralized exchange accounts, npm, GitHub, and AWS accounts.

After collecting the data, the malware compresses it into a ZIP file, and sends it to the attacker’s server.

Hardware wallets targeted via phishing

The last payload splits into two parts. The first part is a .NET binary that looks for hardware wallets like Ledger and Trezor. If it finds one, it shows a fake error message that tricks the user into entering their recovery phrase.

The second part is a WebSocket-based JavaScript RAT (remote access trojan) that steals browser data. It also installs a fake Chrome extension that monitors specific sites like exchanges and steals cookies in real time. It’s downloaded through a Google Calendar event as a dead drop resolver. This approach allows the attacker to hide the real server, bypass security filters and it acts as an indirect delivery layer.

Unlike the second stage, where the malware only steals browser data, this RAT has live control. It stays active and monitors the browser. It captures new cookies, tracks active sessions like logged-in exchange accounts, logs keystrokes, and takes screenshots. Moreover, it allows the attacker to run commands on the victim’s machine.

Its difficult to remove GlassWorm. The malware can re-download itself and it can survive reboots. It also uses fallback methods like DHT (Distributed Hash Table) lookups and Solana memos to find the control server.

Since there’s no central server, and the data is shared across many computers, it becomes difficult for defenders to block the attack at the network level.