Cybersecurity researchers have disclosed details of a sophisticated botnet loader, known as Aeternum C2, which uses blockchain technology to harden its command-and-control (C2) infrastructure against traditional takedown strategies. According to a report from Qrator Labs shared with The Hacker News, Aeternum diverges from conventional methods by embedding its commands within the public Polygon blockchain.
Innovative Use of Blockchain
The Aeternum botnet distinguishes itself by storing C2 instructions on the Polygon blockchain, a platform widely used by decentralized applications, including Polymarket, a major prediction market. This makes its C2 infrastructure virtually immune to conventional takedown efforts.
This is not the first instance of a botnet integrating blockchain. Back in 2021, Google intervened against the Glupteba botnet, which used the Bitcoin blockchain as a backup mechanism to maintain its C2 server addresses.
Technical Details and Functionality
Aeternum C2 was first discovered in December 2025, when Outpost24's KrakenLabs identified a threat actor named LenAI marketing the malware on underground forums. The malware, written in C++ and available for both x32 and x64 systems, operates by embedding commands in smart contracts on the Polygon blockchain. Bots then retrieve these instructions by querying public RPC endpoints.
The system is managed through a web-based panel, allowing users to select smart contracts, define command types, and update payload URLs. Commands are recorded as blockchain transactions, accessible to all compromised devices monitoring the network.
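One way to hunt for the retrieval pattern described above, as an added example that is not from the Qrator Labs report or this article: flag non-browser processes that read the same smart contract through a Polygon RPC endpoint at a steady interval. The endpoint list, process allowlist, record fields (which presume a TLS-inspecting proxy or EDR export) and the regular-polling heuristic are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumptions: endpoint list, process allowlist and field names are illustrative.
POLYGON_RPC_HOSTS = {"polygon-rpc.com"}          # extend from your own telemetry
READ_METHODS = {"eth_call", "eth_getLogs"}       # standard Ethereum JSON-RPC reads
EXPECTED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}

CONTRACT = "0x" + "ab" * 20                      # constructed placeholder address
# Constructed sample records, not real telemetry.
SAMPLE = (
    [{"ts": 1000 + 60 * i + (i % 2), "host": "ws-17", "process": "svcupd.exe",
      "dest": "polygon-rpc.com", "rpc_method": "eth_call", "to": CONTRACT}
     for i in range(8)]
    + [{"ts": t, "host": "ws-04", "process": "chrome.exe",
        "dest": "polygon-rpc.com", "rpc_method": "eth_call", "to": CONTRACT}
       for t in (1010, 1500, 1505)]
    + [{"ts": t, "host": "ws-09", "process": "python.exe",
        "dest": "polygon-rpc.com", "rpc_method": "eth_call", "to": "0x" + "cd" * 20}
       for t in (1000, 1003, 2500, 2510, 9000)]
)

def find_rpc_pollers(records, min_hits=5, max_jitter=0.2):
    """Return sorted (host, process, contract) keys that read one contract
    through a Polygon RPC endpoint at a near-constant interval."""
    seen = defaultdict(list)
    for r in records:
        if r["dest"].lower() not in POLYGON_RPC_HOSTS:
            continue
        if r["rpc_method"] not in READ_METHODS:
            continue
        if r["process"].lower() in EXPECTED_PROCESSES:
            continue                              # wallet use from a browser
        seen[(r["host"], r["process"], r["to"].lower())].append(r["ts"])
    findings = []
    for key, times in seen.items():
        if len(times) < max(min_hits, 3):
            continue                              # too few requests to judge timing
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: low value means machine-like, regular polling.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append(key)
    return sorted(findings)

if __name__ == "__main__":
    for host, process, contract in find_rpc_pollers(SAMPLE):
        print(f"review {host}: {process} polls contract {contract}")
```

A hit is a lead for triage, not a verdict: legitimate wallets, trading tools and developer scripts also read contracts on a timer.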
Resilience and Market Impact
The permanence of blockchain transactions means that once a command is issued, it cannot be modified or deleted by anyone other than the wallet owner. Operators can also manage multiple smart contracts simultaneously, each potentially serving a different function, such as a clipper, stealer, RAT, or miner.
In addition to its blockchain-based resilience, Aeternum includes anti-analysis features to prolong infections. These include detection of virtualized environments, and customers can scan their builds via Kleenscan to check that they evade antivirus detection.
Operational costs for this botnet are minimal, with a mere $1 worth of MATIC, Polygon's native cryptocurrency, covering up to 150 transactions. This eliminates the need for server rentals or domain registrations; an operator needs only a crypto wallet and a local copy of the panel.
Broader Implications and Related Threats
The creator, LenAI, has attempted to sell the entire toolkit for $10,000, citing time constraints and involvement in other projects as reasons. A second crimeware solution by LenAI, ErrTraffic, automates ClickFix attacks, exploiting website glitches to deceive users.
Meanwhile, Infrawatch has disclosed another underground service that deploys dedicated hardware into U.S. homes and integrates it into a proxy network named DSLRoot. This service, operating under the alias GlobalSolutions, offers residential ADSL proxies for sale, with operations spanning over 20 U.S. states.
This extensive network employs custom software to remotely manage consumer modems and Android devices, facilitating anonymous traffic routing through U.S. IP addresses. The operator, identified as Belarusian national Andrei Holas, promotes this service on BlackHatWorld.
