A newly discovered botnet loader is now moving its command-and-control (C2) operations onto the Polygon blockchain. This shift removes the central servers that law enforcement and security firms have traditionally targeted to dismantle malicious networks.
Identified by Qrator Research Lab during their monitoring of cybercrime forums, Aeternum C2 uses smart contracts hosted on the Polygon blockchain, replacing the standard infrastructure. Infected machines no longer communicate using hardcoded IP addresses or registered domains; instead, they retrieve instructions directly from the blockchain, where all transactions are publicly recorded and immutable.
In the past, law enforcement agencies have successfully disrupted malware operations such as Emotet, TrickBot, and QakBot by seizing servers or suspending domains. Aeternum appears to remove these single points of failure entirely.
Utilizing Smart Contracts for Control
Based on the seller's documentation and panel screenshots that Qrator reviewed, Aeternum is a native C++ loader available in both x32 and x64 versions.
Operators can manage infections through a web dashboard, where they select a smart contract, choose a command type, and specify a payload URL. After submission, the instruction is recorded on the blockchain as a transaction, where bots can read it by querying any of more than 50 remote procedure call (RPC) endpoints.
The seller claims that new commands reach active bots in as little as two to three minutes.
Operators have the capability to run multiple smart contracts simultaneously, each associated with different payloads or functions, which may include:
- Clipper modules
- Information-stealing DLLs
- PowerShell or batch scripts
- Remote access tools and cryptocurrency miners
With blockchain data replicated across thousands of nodes, there is no central infrastructure for authorities to seize. Only the wallet holder can issue or modify commands linked to a specific contract.
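Because the bots described above poll public Polygon RPC endpoints rather than a C2 domain, a defender's signal is the polling behaviour itself: a host reading contract state on a steady minutes-scale cadence while rotating across several RPC providers. The following heuristic is an added example, not code from Qrator or from the Aeternum author; the log format, hostnames and the assumption that the loader reads contract state with the JSON-RPC `eth_call` method are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed web-proxy log lines (not real telemetry):
# timestamp  client  destination-host  status  JSON-RPC-method
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.7 rpc-a.example 200 eth_call
2024-05-01T10:02:30 10.0.0.7 rpc-b.example 200 eth_call
2024-05-01T10:05:00 10.0.0.7 rpc-c.example 200 eth_call
2024-05-01T10:07:30 10.0.0.7 rpc-d.example 200 eth_call
2024-05-01T10:10:00 10.0.0.7 rpc-a.example 200 eth_call
2024-05-01T10:01:10 10.0.0.9 rpc-a.example 200 eth_blockNumber
2024-05-01T10:01:12 10.0.0.9 rpc-a.example 200 eth_call
2024-05-01T11:40:00 10.0.0.9 rpc-a.example 200 eth_call
"""

MIN_REQUESTS = 4                   # enough samples to judge cadence
MIN_DISTINCT_HOSTS = 3             # rotation across public RPC endpoints
MIN_PERIOD, MAX_PERIOD = 60, 300   # seconds; the article cites 2-3 minute delivery

def parse(log_text):
    """Group contract-state reads per client as (timestamp, host) pairs."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, host, _status, method = line.split()
        if method == "eth_call":  # assumed: loader reads the contract via eth_call
            per_client[client].append((datetime.fromisoformat(ts), host))
    return per_client

def polling_score(events):
    """Return (distinct_hosts, median_gap_seconds) for one client's reads."""
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    return len({h for _, h in events}), (median(gaps) if gaps else None)

def suspicious_clients(log_text):
    """Flag clients polling several RPC hosts on a steady minutes-scale cadence."""
    flagged = []
    for client, events in parse(log_text).items():
        if len(events) < MIN_REQUESTS:
            continue  # too few reads to distinguish a beacon from ad-hoc use
        hosts, gap = polling_score(events)
        if hosts >= MIN_DISTINCT_HOSTS and MIN_PERIOD <= gap <= MAX_PERIOD:
            flagged.append(client)
    return sorted(flagged)

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))  # ['10.0.0.7']
```

The developer-like client 10.0.0.9 talks to a single endpoint at irregular intervals and is not flagged; thresholds should be tuned against an environment's legitimate blockchain traffic before alerting on them.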
Challenges in Disruption Efforts
Traditional takedown strategies depend on identifiable infrastructure. For example, domains can be suspended, hosting providers can null-route IP addresses, and physical servers can be confiscated. Even peer-to-peer (P2P) botnets have been weakened by targeting bootstrap nodes.
The shift to blockchain-based control complicates these efforts significantly. Commands stored on the blockchain are essentially permanent and globally accessible.
The contrast with the 2021 disruption of the Glupteba botnet, which Google reported reduced infections by 78%, is instructive. Glupteba used the Bitcoin blockchain only as a backup channel, which allowed it to recover months later. Aeternum, by contrast, appears to depend on the blockchain as its primary communication layer.
Additionally, operational costs for Aeternum are notably low. The seller promotes lifetime licenses or the complete C++ source code, stating that just $1 in MATIC can facilitate 100 to 150 command transactions. There is no need for domains, rented servers, or hosting providers.
Qrator emphasized that "traditional upstream takedowns become harder when the C2 channel is immutable. Even if every infected machine is remediated, the operator can redeploy using the same contracts without rebuilding anything."
They concluded by stating, "This makes proactive DDoS mitigation more essential than ever. If the botnet cannot be taken down at the source, the only remaining defense is to filter its traffic at the edge."