An internal artifact-scanning pipeline built around THOR Thunderstorm discovered a malicious VS Code extension “Icon Theme: Material” (publisher IconKiefApp) that contained two Rust implants (Mach-O and PE) hidden inside the 5.29.1 release. The team reported the extension to Microsoft, published a follow-up technical analysis describing Windows/macOS behavior and Solana- and Google Calendar–based C2 mechanisms, and provided IOCs and YARA detections for remediation. #GlassWorm #VisualStudioMarketplace
Keypoints
- The team runs a high-scale artifact-scanning pipeline ingesting Docker Hub, PyPI, NPM, Chrome extensions, and VS Code extensions using THOR Thunderstorm for signature-based detection.
- A fraudulent VS Code extension named “Icon Theme: Material” (publisher IconKiefApp) imitating the legitimate PKief.material-icon-theme reached over 16,000 installs before detection.
- The malicious 5.29.1 release (published 28 November 2025) contained two Rust implants: a Mach-O and a Windows PE placed under icon-theme-materiall.5.29.1/extension/dist/extension/desktop/.
- Binaries show string/artifact overlap with previously reported GlassWorm samples; YARA rules SUSP_Implant_Indicators_Jul24_1 and SUSP_HKTL_Gen_Pattern_Feb25_2 triggered on the samples.
- The implants’ C2 uses a Solana-based wallet for encrypted payload delivery with fallback channels including a hidden Google Calendar–based mechanism, detailed in a follow-up technical analysis.
- The malicious extension was reported to Microsoft and is expected to be removed; further unpacking and mapping against GlassWorm activity are ongoing.
MITRE Techniques
- [T1195] Supply Chain Compromise – Malicious code was distributed via a trojanized VS Code extension that impersonated a legitimate, widely installed one (‘It mimics the legitimate and extremely popular Material Icon Theme extension by Philipp Kief. Same name pattern, same visuals, but not the same author.’)
- [T1027] Obfuscated Files or Information – The implants were shipped as native binaries buried in a nested dist/ directory of an icon theme, and the pipeline's signatures are designed to surface exactly this kind of hidden content (‘…built to flag obfuscated JavaScript, encoded payloads, suspicious command stubs, reverse shells…’)
- [T1059] Command and Scripting Interpreter – Mapped from the pipeline's detection scope rather than from a specific interpreter observed in this extension: the signatures target stagers and reverse shells in scanned artifacts (‘…stagers, reverse shells…’)
- [T1105] Ingress Tool Transfer – The Rust implant binaries arrived bundled inside the extension package, and the implants' C2 channel is described as delivering further encrypted payloads (‘Inside the package we found two Rust implants: one Mach-O, one Windows PE.’)
- [T1204] User Execution – The attack relied on users installing the look-alike extension from the Marketplace; the install count shows that many did (‘The fake extension had more than 16,000 installs already.’)
- [T1071] Application Layer Protocol – The implants reach their C2 over ordinary application-layer traffic to a public service, here a Solana wallet (‘command-and-control mechanism via a Solana-based wallet’)
- [T1102] Web Service – If the primary channel fails, the implants fall back to a hidden Google Calendar–based channel, again hiding C2 in traffic to a legitimate web service (‘fallback techniques including a hidden Google Calendar-based channel.’)
Indicators of Compromise
- [URL] Malicious and legitimate VS Code extension pages – https://marketplace.visualstudio.com/items?itemName=Iconkieftwo.icon-theme-materiall (malicious; note the marketplace ID is Iconkieftwo.icon-theme-materiall, which is the identifier to block or hunt for), https://marketplace.visualstudio.com/items?itemName=PKief.material-icon-theme (legitimate)
- [File Hash] SHA-256 of the archive and of the implants – 0878f3c59755ffaf0b639c1b2f6e8fed552724a50eb2878c3ba21cf8eb4e2ab6 (icon-theme-materiall.5.29.1.zip), 6ebeb188f3cc3b647c4460c0b8e41b75d057747c662f4cd7912d77deaccfd2f2 (os.node, Windows PE implant), and 1 more hash
- [File Path / Name] Location of the implants inside the package, and a builder path string recovered from the Mach-O – icon-theme-materiall.5.29.1/extension/dist/extension/desktop/ (package path); ‘/Users/davidioasd/Downloads/rust_implant/…’ (string embedded in the Mach-O, likely the author's working directory; truncated as given in the source)
- [YARA] THOR signature rules that flagged the samples – SUSP_Implant_Indicators_Jul24_1, SUSP_HKTL_Gen_Pattern_Feb25_2
- [VT Sample / Reference] Related VirusTotal sample used for comparison with earlier GlassWorm activity – https://www.virustotal.com/gui/file/eafeccc6925130db1ebc5150b8922bf3371ab94dbbc2d600d9cf7cd6849b056e
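To turn the indicators above into a host-side check, the following is an added example; it is not code from the original write-up and not part of THOR Thunderstorm. It walks a VS Code extensions directory and reports any extension folder whose ID matches the fake, any file whose SHA-256 matches one of the two hashes quoted above, any native executable (PE or Mach-O, identified by magic bytes) inside an extension, and any such binary that embeds the builder path string recovered from the Mach-O. It assumes VS Code's usual on-disk layout (a VSIX's extension/ folder unpacked to ~/.vscode/extensions/<publisher>.<name>-<version>/, lower-cased), which maps the package path above to dist/extension/desktop/ inside that folder. When run without an argument it builds a constructed sample tree with stand-in bytes (not the real implants; the Mach-O file name os_mac.node is hypothetical) and sweeps that, so it works offline.

```python
"""IOC sweep for the trojanized "Icon Theme: Material" VS Code extension.
Added example, not the write-up's or THOR Thunderstorm's code."""
import hashlib
import sys
import tempfile
from pathlib import Path
from typing import Optional

# SHA-256 values quoted in the write-up (its "1 more hash" is not reproduced there).
IOC_SHA256 = {
    "0878f3c59755ffaf0b639c1b2f6e8fed552724a50eb2878c3ba21cf8eb4e2ab6":
        "icon-theme-materiall.5.29.1.zip",
    "6ebeb188f3cc3b647c4460c0b8e41b75d057747c662f4cd7912d77deaccfd2f2":
        "os.node (Windows PE implant)",
}
# Marketplace ID of the fake, lower-cased. Assumption: VS Code unpacks a VSIX's
# extension/ folder to ~/.vscode/extensions/<publisher>.<name>-<version>/.
MALICIOUS_EXT_ID = "iconkieftwo.icon-theme-materiall"
# Where the implants sat relative to the unpacked extension folder.
IMPLANT_SUBDIR = Path("dist") / "extension" / "desktop"
# Builder working-directory string found in the Mach-O (truncated in the write-up).
IMPLANT_PATH_STRING = b"/Users/davidioasd/Downloads/rust_implant/"
# Mach-O magic: 32/64-bit in both byte orders, plus the fat/universal header.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf", b"\xce\xfa\xed\xfe",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def native_binary_kind(path: Path) -> Optional[str]:
    """Classify a file as 'PE', 'Mach-O' or None from its first four bytes."""
    with path.open("rb") as f:
        head = f.read(4)
    if head[:2] == b"MZ":
        return "PE"
    if head in MACHO_MAGICS:
        return "Mach-O"
    return None


def sweep(extensions_root: Path) -> list:
    """Return findings as dicts with keys 'type', 'path', 'detail'."""
    findings = []
    for ext_dir in sorted(p for p in extensions_root.iterdir() if p.is_dir()):
        if ext_dir.name.lower().startswith(MALICIOUS_EXT_ID + "-"):
            findings.append({"type": "extension_id", "path": str(ext_dir),
                             "detail": "matches fake extension ID"})
        for file in sorted(p for p in ext_dir.rglob("*") if p.is_file()):
            digest = sha256_file(file)
            if digest in IOC_SHA256:
                findings.append({"type": "hash", "path": str(file),
                                 "detail": IOC_SHA256[digest]})
            kind = native_binary_kind(file)
            if kind is None:
                continue  # an icon theme should ship no native code at all
            rel = file.relative_to(ext_dir)
            where = "in implant directory" if IMPLANT_SUBDIR in rel.parents else "elsewhere"
            findings.append({"type": "native_binary", "path": str(file),
                             "detail": f"{kind} {where}"})
            if IMPLANT_PATH_STRING in file.read_bytes():
                findings.append({"type": "embedded_string", "path": str(file),
                                 "detail": IMPLANT_PATH_STRING.decode()})
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed stand-in layout for an offline run. The bytes are NOT the real
    implants and 'os_mac.node' is a hypothetical name for the Mach-O file."""
    bad = root / "iconkieftwo.icon-theme-materiall-5.29.1" / IMPLANT_SUBDIR
    bad.mkdir(parents=True)
    (bad / "os.node").write_bytes(b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 64)
    (bad / "os_mac.node").write_bytes(b"\xcf\xfa\xed\xfe" + b"\x00" * 28
                                      + IMPLANT_PATH_STRING + b"src/main.rs\x00")
    good = root / "pkief.material-icon-theme-5.29.1"
    good.mkdir(parents=True)
    (good / "package.json").write_text('{"name": "material-icon-theme", "publisher": "PKief"}')


def run_sample() -> list:
    """Build the constructed tree in a temp dir and sweep it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return sweep(root)


if __name__ == "__main__":
    results = sweep(Path(sys.argv[1])) if len(sys.argv) > 1 else run_sample()
    for f in results:
        print(f"[{f['type']}] {f['path']}: {f['detail']}")
```

Run it as `python sweep.py ~/.vscode/extensions` (or the equivalent directory for VS Code Insiders or remote-server installs). A hash match is conclusive; the extension-ID, native-binary and embedded-string findings are the signals that survive a re-packaged release with new hashes, which is why they are reported separately rather than folded into one verdict.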