Who / what is “Glowworm”
The term “Glowworm” has been used in two quite different contexts in cybersecurity reporting, which must be distinguished:
A side‑channel attack technique known as “Glowworm” that enables eavesdropping via LED or optical emissions from devices (e.g., power‑indicator LEDs) by converting light fluctuations back into audio. Avast Blog+1
A Chinese‑aligned advanced persistent threat (APT) actor (or cluster) sometimes referenced under names like FamousSparrow, Earth Estries, Salt Typhoon, which is known to use backdoors such as Zingdoor, and has been associated with the “Glowworm” moniker in some reports. For the purpose of this article I’ll focus on the actor / threat‑group use of the name “Glowworm” (i.e., the espionage actor), because that aligns with “Indicators of Compromise” which are relevant for cyber‑defence.
Attribution & Motivation
The actor often referred to as “Glowworm” appears to be China‐aligned, part of the broader landscape of Chinese APT activity targeting governments, telecoms, infrastructure, and strategic industry. The group is believed to operate at least since 2020, and has been tracked under multiple names (FamousSparrow, Earth Estries, Salt Typhoon) with overlapping tool‑sets and techniques. Trend Micro+2JSAC2026 – Tokyo, January 21-23, 2026+2
Its motivation is largely cyber espionage: gaining long‑term access, data exfiltration, credential harvesting, and in some cases prepping infrastructure for further compromise.
Tactics, Techniques and Procedures (TTPs)
Here are a summary of key TTPs associated with the group:
Initial access: They exploit public‑facing servers or remote management tools (e.g., Microsoft Exchange vulnerabilities, Fortinet, Sophos etc.). Trend Micro+2The Hacker News+2
Delivery & loader: Use of DLL sideloading, CAB files, malicious loaders, and legitimate signed binaries to evade detection. Trend Micro+1
Backdoors & payloads: Use of backdoors such as Zingdoor, SnappyBee/Deed RAT, CrowDoor, SparrowDoor, ShadowPad etc. Trend Micro+1
Lateral movement / persistence: Use of living‑off‑the‑land binaries (LOLBINs) like PsExec/WMI, scheduled tasks, remote services, credentials dumping. Trend Micro+1
Collection & exfiltration: Archive tools (RAR, etc), use of anonymised file sharing, C2 over HTTP(s)/TLS, regular updating of implants. Trend Micro+1
Victimology: Targets include telecoms, government agencies, infrastructure, consulting firms, vendors, across many countries (US, Asia‑Pacific, Middle East, Africa). Industrial Cyber+1
Why it matters
Because the group targets high‑value networks, often with stealthy tools and protracted intrusion chains, it represents a significant threat for organisations in critical sectors (telecoms, government, infrastructure). The shared tool‑sets across Chinese APT groups means that detection of one component may help detect others.
Known exploitation methods
Vulnerability,Type,Description
CVE‑2021‑26855,Exchange RCE,Initial access
CVE‑2021‑26857,Exchange RCE,Initial access
CVE‑2021‑26858,Exchange RCE,Initial access
CVE‑2021‑27065,Exchange RCE,Initial access
CVE‑2022‑3236,Sophos Firewall RCE,Initial access
CVE‑2023‑46805,Ivanti Connect Secure RCE,Initial access
CVE‑2024‑21887,Ivanti Connect Secure RCE,Initial access
CVE-2025-53770
