Integrated Infection: Glassworm Campaign Evolves with "ZigDropper" to Target Developer Environments


A persistent threat cluster known as Glassworm has significantly upgraded its arsenal, deploying a specialized "ZigDropper" to compromise software developers by infecting the very IDEs used to build modern applications.

AMSTERDAM, NL — Security researchers have uncovered a major evolution in the tactics of the Glassworm threat campaign. Previously known for standard phishing and credential harvesting, the group has transitioned into high-stakes supply chain infiltration by utilizing a new, multi-stage malware delivery mechanism dubbed ZigDropper.

The campaign is uniquely dangerous because it does not target end-users; instead, it targets the "creators" of software. By leveraging the Zig programming language to build its initial stagers, Glassworm has successfully avoided detection from many signature-based antivirus solutions that are not yet tuned to monitor Zig-compiled binaries.

Ecosystem Impact

  • Software Engineering Teams: Individual developers are the primary point of entry, with their local machines acting as gateways to the corporate network.
  • Open Source Maintainers: Compromised IDEs can lead to the accidental injection of malicious code into public libraries and repositories.
  • DevSecOps Professionals: Security teams must now focus on "Developer Guardrails", monitoring for unauthorized IDE extensions and unusual outbound traffic from dev machines.
  • Cloud Infrastructure Teams: The exfiltration of local environment variables puts entire cloud environments at risk of unauthorized access.

The ZigDropper Mechanism

The attack typically begins with the distribution of malicious packages or "helper" scripts on popular developer repositories. Once a developer executes the initial payload, ZigDropper initiates a deep-system audit to locate every Integrated Development Environment (IDE) installed on the host.

According to technical analysis from Aikido, ZigDropper is capable of identifying and "side-loading" malicious plugins or modifying configuration files for:

  • VS Code (specifically targeting the .vscode/extensions folder)
  • IntelliJ IDEA
  • PyCharm
  • Sublime Text

By embedding itself within the IDE's ecosystem, the malware can observe keystrokes, exfiltrate environment variables (including AWS keys and GitHub tokens), and even inject malicious code snippets into the developer's active projects — potentially poisoning the downstream software supply chain.

Cross-Platform Resilience

One of the most notable features of ZigDropper is its cross-platform capability. The Zig language allows the attackers to compile highly efficient binaries for Windows, macOS, and Linux from a single codebase.

Researchers noted that the malware uses a "Living off the Land" technique to maintain persistence. It creates hidden background processes that mimic legitimate language servers (such as rust-analyzer or gopls), making it difficult for developers to distinguish the malicious activity from standard, resource-heavy IDE operations.
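As an added defender-side illustration (not code from the article, from Aikido's analysis, or from any vendor tool), the following Python checks a process table for language-server look-alikes that run from unexpected locations or are spawned by something other than an IDE, and lists entries in a .vscode/extensions folder that are absent from an allowlist. The path prefixes, IDE parent names, allowlist and sample records are assumptions constructed for the example.

```python
"""Heuristic checks for processes masquerading as IDE language servers and for
unexpected VS Code extensions. Hypothetical logic written for this article."""
import fnmatch
from pathlib import PurePosixPath

# Language servers an IDE legitimately spawns, with directory prefixes they are
# normally launched from (assumption: a typical Linux/macOS developer workstation).
KNOWN_SERVERS = {
    "rust-analyzer": ("/home/*/.cargo/bin", "/usr/bin", "/home/*/.vscode/extensions/*"),
    "gopls": ("/home/*/go/bin", "/usr/local/go/bin", "/usr/bin"),
}
# Parent process names that legitimately spawn a language server (assumption).
IDE_PARENTS = {"code", "idea", "pycharm", "sublime_text"}

def suspicious_processes(procs):
    """procs: iterable of dicts with keys pid, name, exe, ppid_name.
    Returns a list of (pid, reason) for look-alike language servers."""
    findings = []
    for p in procs:
        name = p["name"]
        if name not in KNOWN_SERVERS:
            continue  # only interested in names that imitate known servers
        exe_dir = str(PurePosixPath(p["exe"]).parent)
        if not any(fnmatch.fnmatch(exe_dir, pat) for pat in KNOWN_SERVERS[name]):
            findings.append((p["pid"], f"{name} running from unexpected path {p['exe']}"))
        elif p["ppid_name"] not in IDE_PARENTS:
            findings.append((p["pid"], f"{name} spawned by non-IDE parent {p['ppid_name']}"))
    return findings

def unexpected_extensions(installed, allowlist):
    """Folder entries look like publisher.name-version; strip the version and
    report anything whose publisher.name is not allowlisted."""
    return sorted(e for e in installed if e.rsplit("-", 1)[0] not in allowlist)

# Constructed sample process table and extension folder (not from a real infection).
SAMPLE_PROCS = [
    {"pid": 4101, "name": "rust-analyzer", "exe": "/home/dev/.cargo/bin/rust-analyzer", "ppid_name": "code"},
    {"pid": 4188, "name": "gopls", "exe": "/tmp/.cache/gopls", "ppid_name": "code"},
    {"pid": 4203, "name": "gopls", "exe": "/home/dev/go/bin/gopls", "ppid_name": "bash"},
]
SAMPLE_EXTS = ["ms-python.python-2024.4.1", "rust-lang.rust-analyzer-0.3.1", "acme.helper-tools-1.0.0"]
ALLOWLIST = {"ms-python.python", "rust-lang.rust-analyzer"}

if __name__ == "__main__":
    for pid, reason in suspicious_processes(SAMPLE_PROCS):
        print(f"[!] pid {pid}: {reason}")
    for ext in unexpected_extensions(SAMPLE_EXTS, ALLOWLIST):
        print(f"[!] extension not on allowlist: {ext}")
```

On a live host the process dicts would be filled from the EDR's process telemetry or /proc rather than the constructed sample; the parent-process check is a heuristic and a developer who launches gopls by hand from a shell will trigger it.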

The Exfiltration Path

Once persistence is established, Glassworm focuses on high-value asset exfiltration. The group has been observed specifically hunting for:

  • Hardcoded Credentials: Scanning local repositories for forgotten .env files.
  • SSH Keys: Harvesting ~/.ssh directories to gain lateral movement into production servers.
  • Source Code: Compressing and exfiltrating proprietary algorithms or unreleased product features.

The CyberSignal Analysis

Signal 01 — The "Workstation as an Infrastructure" Pivot

Historically, we protected servers. Then we protected end-user laptops. Now, the developer workstation is being treated as critical infrastructure. ZigDropper proves that an engineer's IDE is as much a target as a production database. For Security Operations, this means endpoint protection (EDR) must be configured to specifically monitor IDE processes for anomalous behavior.

Signal 02 — The Rise of Modern Language Malware

The use of Zig is a clever strategic choice. It provides the speed of C with modern safety features, and its lack of widespread use in malware development makes its binaries a "blind spot" for many legacy security tools. This highlights a growing trend: threat actors are abandoning Python and C++ for Rust, Go, and Zig to stay one step ahead of detection engines.


Sources

  • Original Reporting: The Hacker News, "Glassworm Uses ZigDropper"
  • Technical Intel: Aikido, "ZigDropper IDE Infection Analysis"
  • Threat Actor Data: Security Affairs, "Glassworm Evolution"
