Suspicious Blockchain Payload
| Field | Value |
|---|---|
| ID | suspicious_blockchain_payload |
| Severity | critical |
| Resource | Network |
| Tags | blockchain_c2, dropper |
Description
This detector flags suspicious payloads extracted from blockchain transactions, which are later used to retrieve further payloads or to execute malicious code.
Rationale
Such payloads may carry malicious code or URLs to connect to, which let the worm proceed with the next stages of the infection.
Related Malware campaigns
GlassWorm, detected in October 2025, was a self-propagating worm that used invisible-code techniques to spread, targeting Visual Studio Code extensions. The worm exploited blockchain technology to conceal its communication channels and payloads, making detection more difficult: by leveraging the blockchain's decentralized nature it was able to obfuscate its activities, complicating efforts to trace and mitigate the attack.
Configuration
The detector has the following configurable parameters:
- sources, the source kinds to check. Available values are:
  - blockchain_payload
- sinks, the sink kinds to check. Available values are:
  - command_injection
  - code_injection
  - insecure_transport
- neutralizations, the neutralization kinds to check. By default this is empty: no neutralizers are considered for potentially malicious code, so a blockchain-derived value stays tainted all the way to a sink.
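To make the interaction of the three parameters concrete, here is an added toy source-to-sink taint walk (illustration only, not the detector's actual implementation or configuration format). The statement IR, the sample program and the neutralizer name `allowlist_check` are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Stmt:
    target: str                 # variable written ("" for a sink call)
    kind: str                   # "source", "assign", "neutralize" or "sink"
    label: str = ""             # source / sink / neutralizer kind
    uses: list = field(default_factory=list)  # variables read

# Mirrors the page's defaults: one source kind, three sink kinds,
# and no neutralizations (nothing ever clears the taint).
DEFAULT_CONFIG = {
    "sources": ["blockchain_payload"],
    "sinks": ["command_injection", "code_injection", "insecure_transport"],
    "neutralizations": [],
}

def find_flows(program, config=DEFAULT_CONFIG):
    """Return (sink_kind, variable) for every configured sink fed by a
    value that originates from a configured source."""
    tainted = set()
    findings = []
    for s in program:
        reads_taint = any(v in tainted for v in s.uses)
        if s.kind == "source" and s.label in config["sources"]:
            tainted.add(s.target)
        elif s.kind == "assign":
            (tainted.add if reads_taint else tainted.discard)(s.target)
        elif s.kind == "neutralize":
            # Only a neutralizer listed in the config breaks the chain;
            # with the empty default, the value simply stays tainted.
            cleared = s.label in config["neutralizations"]
            (tainted.discard if cleared or not reads_taint else tainted.add)(s.target)
        elif s.kind == "sink" and s.label in config["sinks"]:
            findings.extend((s.label, v) for v in s.uses if v in tainted)
    return findings

# Constructed program shaped like the pattern the page describes:
# a transaction memo is decoded, fetched from, and executed.
SAMPLE = [
    Stmt("memo", "source", "blockchain_payload"),
    Stmt("decoded", "assign", uses=["memo"]),
    Stmt("", "sink", "insecure_transport", uses=["decoded"]),
    Stmt("", "sink", "code_injection", uses=["decoded"]),
    Stmt("checked", "neutralize", "allowlist_check", uses=["decoded"]),
    Stmt("", "sink", "command_injection", uses=["checked"]),
]

if __name__ == "__main__":
    for sink, var in find_flows(SAMPLE):
        print(f"blockchain payload reaches {sink} via {var}")
```

With the default (empty) neutralizations all three sinks are reported; listing `allowlist_check` under neutralizations removes only the command_injection finding, and narrowing sinks narrows the report accordingly.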