Analyst Toolkit · Supply Chain Security

Glassworm Detector

Scan source code files for invisible Unicode payloads and detect blockchain C2 connections. Built on the detection logic from the Glassworm threat analysis and the zeek_triage.py methodology. Runs entirely in your browser — no files leave your machine.

BROWSER-BASED  ·  NO SERVER  ·  NO DATA UPLOAD  ·  TRAINING USE ONLY
Training & Educational Use Only: This tool demonstrates Glassworm detection concepts for educational purposes. Do not use it to scan production codebases containing proprietary source code, trade secrets, or CUI. For regulated environments, deploy the zeek_triage.py script locally where code never leaves your system.
CMMC / Source Code Notice: Do not upload source files from DoD contractor codebases, proprietary systems, or any environment subject to CMMC, ITAR, or EAR controls. Use only with publicly available or synthetic test files.
Detects
Glassworm PUA codepoints U+FE00–U+FE0F
Variation Selectors Supplement U+E0100–U+E01EF
Zero-width characters U+200B–U+200F
Soft hyphen and invisible BOM characters
File Types Supported
.js .ts .jsx .tsx .py .rb .php
.java .cs .go .rs .cpp .c .sh
.json .yaml .toml .env .html
Any plain text file (select manually)

Upload a plain-text export of your DNS query log, HTTP access log, or network connection log. The detector scans for connections to blockchain RPC nodes, cryptocurrency exchanges, IPFS infrastructure, and Web3 endpoints that indicate Glassworm or similar blockchain-C2 malware activity.

Flags
Solana RPC nodes (Glassworm primary C2)
Ethereum / Infura / Alchemy nodes
IPFS gateways used for payload hosting
Crypto exchange contacts from workstations
Accepts
Plain text DNS query logs (.txt .log)
HTTP access log exports
Zeek http.log / ssl.log / dns.log exports
Any newline-delimited domain list
How Unicode Injection Works
Invisible Characters Carry the Payload
Glassworm uses Unicode Private Use Area codepoints that render as zero-width whitespace in every editor and terminal. An entire executable payload hides inside what looks like an empty string. At runtime a decoder extracts and executes it.
How Blockchain C2 Works
Commands Come from the Blockchain
Instead of connecting to a traditional C2 server, Glassworm reads commands from Solana blockchain transactions. There is no IP to block — the traffic looks like HTTPS to a legitimate financial service. Blocking crypto domains severs the channel entirely.
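A sketch of the log triage described above, as an added example that is not the tool's or zeek_triage.py's own code. The watchlist entries, function names and sample log are assumptions chosen for illustration.

```python
import re

# Illustrative watchlist (an assumption, not the tool's own list): parent
# domains of public services, one or two per category the page flags.
WATCHLIST = {
    "solana.com": "Solana RPC",
    "infura.io": "Ethereum / Infura / Alchemy",
    "alchemy.com": "Ethereum / Infura / Alchemy",
    "ipfs.io": "IPFS gateway",
    "dweb.link": "IPFS gateway",
}
SPLIT_RE = re.compile(r"[\s,;\"'/:@()\[\]]+")  # separators around hostnames

# Constructed log mixing Zeek-style TSV rows, an HTTP request and a bare domain.
SAMPLE_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tquery",
    "1700000000.1\t10.0.0.15\tlogin.microsoftonline.com",
    "1700000001.2\t10.0.0.15\tapi.mainnet-beta.solana.com",
    "1700000002.3\t10.0.0.15\tnotinfura.io",
    "GET https://ipfs.io/ipfs/EXAMPLE HTTP/1.1",
    "mainnet.infura.io.",
])

def match_domain(host):
    """Return the watchlist category if host is a listed domain or a subdomain of one."""
    labels = host.split(".")
    # Compare whole-label suffixes so "notinfura.io" never matches "infura.io".
    for i in range(len(labels) - 1):
        category = WATCHLIST.get(".".join(labels[i:]))
        if category:
            return category
    return None

def scan_log(text):
    """Return (line_number, hostname, category) for every watchlisted host."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.startswith("#"):  # Zeek header/metadata rows
            continue
        hosts = {tok.lower().rstrip(".") for tok in SPLIT_RE.split(line)}
        for host in sorted(hosts):
            category = match_domain(host)
            if category:
                hits.append((line_no, host, category))
    return hits

if __name__ == "__main__":
    for line_no, host, category in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {host} -> {category}")
```

Matching on whole DNS labels rather than substrings keeps look-alike names from producing false hits.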
Why Human Review Fails
You Cannot See What Isn't There
An experienced senior developer reviewing a pull request containing a Glassworm payload will approve it. The code looks identical to legitimate code. Automated scanning that checks codepoint values — not visual rendering — is the only reliable detection method.

Unicode Ranges This Tool Checks

| Range | Name | Legitimate Use | Threat |
|---|---|---|---|
| U+FE00–U+FE0F | Variation Selectors 1–16 | None in source code | Primary Glassworm payload range |
| U+E0100–U+E01EF | Variation Selectors Supplement | None in source code | Secondary Glassworm range |
| U+200B–U+200F | Zero-Width Characters | Rare — text layout only | Text steganography, prompt injection |
| U+FEFF | Zero-Width No-Break Space | BOM at file start only | Payload injection when mid-file |
| U+00AD | Soft Hyphen | Typographic line-breaking | Invisible character injection |
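A codepoint-value scan over the ranges in the table above, written as an added example rather than the tool's or zeek_triage.py's own code. The function names and the sample string are assumptions; when run on file paths it exits non-zero on any finding, so it can serve as a pre-commit check.

```python
import sys

# Ranges copied from the table above: (first, last, name).
SUSPECT_RANGES = [
    (0xFE00, 0xFE0F, "Variation Selectors 1-16"),
    (0xE0100, 0xE01EF, "Variation Selectors Supplement"),
    (0x200B, 0x200F, "Zero-Width Characters"),
    (0xFEFF, 0xFEFF, "Zero-Width No-Break Space"),
    (0x00AD, 0x00AD, "Soft Hyphen"),
]

# Constructed sample: a leading BOM (legitimate), a zero-width space inside
# line 1, and three variation selectors inside the "empty" string on line 2.
SAMPLE = "\ufeffconst user\u200b = 'a';\nconst s = '\ufe00\ufe01\U000e0100';\n"

def classify(cp):
    """Return the range name for a codepoint, or None if it is not listed."""
    for first, last, name in SUSPECT_RANGES:
        if first <= cp <= last:
            return name
    return None

def scan_text(text):
    """Return findings as (line, column, 'U+XXXX', range name), 1-based."""
    findings = []
    for line_no, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            cp = ord(ch)
            # U+FEFF is only legitimate as the very first character (BOM).
            if cp == 0xFEFF and line_no == 1 and col == 1:
                continue
            name = classify(cp)
            if name:
                findings.append((line_no, col, f"U+{cp:04X}", name))
    return findings

def scan_file(path):
    # Plain "utf-8" (not "utf-8-sig") keeps the BOM visible to the scanner.
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())

if __name__ == "__main__":
    paths = sys.argv[1:]
    results = {p: scan_file(p) for p in paths} if paths else {"<sample>": scan_text(SAMPLE)}
    for source, findings in results.items():
        for line, col, cp, name in findings:
            print(f"{source}:{line}:{col} {cp} {name}")
    sys.exit(1 if any(results.values()) else 0)
```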

For production environments: This browser tool is for learning and demonstration. To scan your actual codebase, download zeek_triage.py and run it locally with python3 zeek_triage.py --scan-code /path/to/your/code. Your source code never leaves your machine. For CI/CD integration, add the Unicode scanner as a pre-commit hook so every commit is checked automatically before merging.

Sample Test Files

Try the Tool Yourself

Both files are fully synthetic — created specifically for this demonstration. No real credentials, no real infrastructure, no real payloads. Open either file in VS Code before scanning — you will not see anything suspicious. Then drop it into the tool above and see what the scanner finds.

Tab 1 · Invisible Unicode Scanner
sample_unicode_payload.js

A realistic JavaScript authentication module. Looks completely clean in any code editor. Contains 16 invisible PUA codepoints hidden across 4 lines inside variable names and comments. Scanner will report CRITICAL with exact line numbers and codepoints.

Tab 2 · Blockchain C2 Detector
sample_blockchain_dns_log.txt

A simulated DNS query log mixing normal Microsoft and Google traffic with blockchain infrastructure contacts. Contains Solana RPC, IPFS gateway, Ethereum, and other crypto domain hits as would appear in a Glassworm-infected workstation log.
