Aeternum Botnet Shifts Command Control to Polygon Blockchain

A newly identified botnet loader is shifting command-and-control (C2) operations onto the Polygon blockchain, eliminating the central servers that authorities and security firms have historically targeted to dismantle malicious networks.

Aeternum C2, uncovered by Qrator Research Lab while monitoring cybercrime forums, replaces conventional infrastructure with smart contracts deployed on the Polygon blockchain. Instead of contacting hardcoded IP addresses or registered domains, infected machines read their instructions from the chain itself, where every transaction is publicly recorded and can be neither altered nor deleted.

For years, law enforcement agencies have disrupted operations such as Emotet, TrickBot and QakBot by seizing servers or suspending domains. Aeternum appears to remove that weak point entirely.

Using Smart Contracts For Control

According to the seller's documentation and panel screenshots reviewed by Qrator, Aeternum is a native C++ loader offered in 32-bit (x86) and 64-bit (x64) builds.

Operators manage infections through a web dashboard in which they select a smart contract, choose a command type and specify a payload URL. Once submitted, the instruction is written to the blockchain as a transaction, and bots read it back by querying the contract through any of more than 50 RPC (remote procedure call) endpoints for the Polygon network, so no single node is a dependency.

The seller claims new commands reach active bots within two to three minutes.

Operators can run multiple smart contracts simultaneously, each linked to different payloads or functions, including:

  • Clipper modules

  • Information-stealing DLLs

  • PowerShell or batch scripts

  • Remote access tools and cryptocurrency miners

Blockchain data is replicated across thousands of nodes, meaning there is no central infrastructure to seize. Only the holder of the controlling wallet's private key can issue new commands for a given contract. The same public ledger cuts the other way for the operator: the contract address, the controlling wallet and every command ever issued are permanently visible to anyone who reads the chain, so they become durable indicators even though they cannot be taken down.
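The read path described in this section, shown as an added Python example written for this article rather than code from Qrator or from the Aeternum seller. It assumes a hypothetical contract getter that returns an ABI-encoded (uint8 command type, string payload URL) tuple; the contract address, function selector, numeric command codes, RPC endpoint URLs and payload URL are all constructed stand-ins, and the HTTP client is replaced by an injected transport so the block runs offline. It shows both sides of the picture: the bot rotates through its RPC list until a node answers, which is why losing some endpoints does not lose the channel, and a defender can decode the very same contract state into an indicator record.

```python
"""On-chain C2 read path, reconstructed for illustration (not Aeternum's code)."""
import json
from typing import Callable, Dict, List, Tuple

# Hypothetical numeric command codes. The article does not document Aeternum's
# real encoding; these names only mirror the payload types it lists.
COMMAND_NAMES = {1: "download_execute", 2: "load_dll", 3: "run_script", 4: "update_rpc_list"}

# Constructed contract address and getter selector. A real selector is
# keccak256("getCommand()")[:4]; the value below is a stand-in, not a computed one.
CONTRACT = "0x" + "ab" * 20
SELECTOR = "0x00112233"

# A transport takes (endpoint_url, json_rpc_request) and returns the decoded JSON
# reply, raising OSError on network failure. In production this wraps an HTTP POST.
Transport = Callable[[str, Dict], Dict]


def abi_encode_command(cmd_type: int, payload_url: str) -> str:
    """ABI-encode (uint8, string) as the hex string an eth_call would return.

    Used only to construct sample RPC replies; a real getter produces this layout.
    Layout: word0 = uint8 value, word1 = byte offset of the string (64),
    word2 = string length, then the UTF-8 bytes padded to a 32-byte boundary."""
    if not 0 <= cmd_type <= 255:
        raise ValueError("command type must fit in uint8")
    raw = payload_url.encode("utf-8")
    head = cmd_type.to_bytes(32, "big") + (64).to_bytes(32, "big")
    tail = len(raw).to_bytes(32, "big") + raw + b"\x00" * (-len(raw) % 32)
    return "0x" + (head + tail).hex()


def abi_decode_command(result_hex: str) -> Tuple[int, str]:
    """Decode the (uint8, string) tuple from an eth_call result, bounds-checked
    so a malformed or truncated reply raises instead of returning garbage."""
    data = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    if len(data) < 96:
        raise ValueError("result too short for (uint8,string)")
    cmd_type = int.from_bytes(data[0:32], "big")
    offset = int.from_bytes(data[32:64], "big")
    if offset + 32 > len(data):
        raise ValueError("string offset points outside returned data")
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        raise ValueError("string length exceeds returned data")
    return cmd_type, data[start:start + length].decode("utf-8", errors="replace")


def fetch_command(endpoints: List[str], transport: Transport,
                  contract: str = CONTRACT, selector: str = SELECTOR) -> Tuple[str, int, str]:
    """Read the current command, trying each RPC endpoint in turn.

    Returns (endpoint_that_answered, cmd_type, payload_url). This is the
    bot-side resilience the article describes: the request is a plain, standard
    eth_call, so any node that can answer it will do."""
    request = {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
               "params": [{"to": contract, "data": selector}, "latest"]}
    errors = []
    for url in endpoints:
        try:
            reply = transport(url, request)
        except OSError as exc:  # refused, timed out, null-routed
            errors.append(f"{url}: {exc}")
            continue
        if "result" not in reply or "error" in reply:
            errors.append(f"{url}: {reply.get('error')}")
            continue
        cmd_type, payload_url = abi_decode_command(reply["result"])
        return url, cmd_type, payload_url
    raise RuntimeError("no RPC endpoint answered: " + "; ".join(errors))


def indicator_record(contract: str, cmd_type: int, payload_url: str) -> Dict[str, str]:
    """Defender side: the chain is public, so the same decoded command becomes a
    durable indicator (contract address plus the payload it points bots at)."""
    return {"contract": contract.lower(),
            "command": COMMAND_NAMES.get(cmd_type, f"unknown({cmd_type})"),
            "payload_url": payload_url}


SAMPLE_URL = "https://payload.example/loader.bin"  # constructed, not a real indicator


def make_fake_transport(dead_endpoints: int) -> Transport:
    """Constructed stand-in for an HTTP JSON-RPC client: the first `dead_endpoints`
    URLs fail the way a null-routed node would, the rest answer with a canned result."""
    calls = {"n": 0}
    canned = abi_encode_command(2, SAMPLE_URL)

    def transport(url: str, request: Dict) -> Dict:
        calls["n"] += 1
        if calls["n"] <= dead_endpoints:
            raise ConnectionError("connection refused")
        assert request["method"] == "eth_call"
        return {"jsonrpc": "2.0", "id": request["id"], "result": canned}
    return transport


def demo() -> Dict[str, str]:
    """Five constructed endpoints stand in for the seller's list of 50+; the
    first two are dead, the third answers and the command is still retrieved."""
    endpoints = [f"https://rpc{i}.example" for i in range(1, 6)]
    used, cmd_type, url = fetch_command(endpoints, make_fake_transport(dead_endpoints=2))
    print(f"answered by {used}: {COMMAND_NAMES.get(cmd_type)} {url}")
    return indicator_record(CONTRACT, cmd_type, url)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The decoder deliberately refuses out-of-range offsets and lengths: a bot that trusts the offset word blindly can be made to read past the buffer by a poisoned RPC reply, and a defender's parser fed an arbitrary contract's return data has the same problem.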

How the Model Complicates Disruption Efforts

Traditional takedown strategies rely on identifiable infrastructure. Domains can be suspended. Hosting providers can null-route IP addresses. Physical servers can be confiscated. Even peer-to-peer (P2P) botnets have been weakened by targeting bootstrap nodes.

Blockchain-based control changes that equation. Commands stored on-chain are effectively permanent and globally accessible.

The contrast can be seen in the 2021 disruption of the Glupteba botnet, which Google said reduced infections by 78%. Glupteba used the Bitcoin blockchain only as a backup channel, storing the addresses of fallback C2 servers in transactions so the botnet could recover months later. Aeternum, by comparison, appears to rely on the blockchain as its primary communication layer.

Operational costs are also low. The seller advertises lifetime licences or full C++ source code, noting that $1 in MATIC can fund 100-150 command transactions. No domains, rented servers or hosting providers are required.

"Traditional upstream takedowns become harder when the C2 channel is immutable, and even if every infected machine is remediated, the operator can redeploy using the same contracts without rebuilding anything," Qrator wrote.

"This makes proactive DDoS mitigation more important than ever. If the botnet can't be taken down at the source, the only remaining defence is filtering its traffic at the edge."