A new and sophisticated botnet loader, dubbed Aeternum C2, has emerged, fundamentally altering the landscape of cybercrime by leveraging the Polygon blockchain for its command and control (C2) infrastructure. This innovative approach renders traditional takedown methods, such as seizing servers and domains, ineffective against this resilient threat. Researchers from Qrator Labs identified Aeternum C2, a tool designed to cloak botnet operations within the decentralized and immutable nature of blockchain technology.
Previously, law enforcement agencies successfully dismantled major botnets like Emotet, TrickBot, and QakBot by targeting their centralized command servers. However, Aeternum C2 operates on a different paradigm. Instead of relying on easily discoverable servers or domains, it stores all operational instructions within smart contracts on the Polygon blockchain. This distributed ledger technology ensures that the botnet’s infrastructure is replicated across numerous nodes, making it virtually impossible to shut down through conventional means.
Blockchain-Based C2: How Aeternum Operates and Evades Detection
Aeternum C2 is written in native C++ and is available in both 32-bit and 64-bit versions, according to Qrator Labs analysts. The system operates by recording every command issued to infected machines as a transaction on the Polygon blockchain. Infected bots then access these commands through publicly available remote procedure call (RPC) endpoints. The seller’s documentation suggests that active bots can receive updates within a remarkably short two- to three-minute window, a speed that surpasses many traditional peer-to-peer botnets.
Marketed on underground forums, Aeternum C2 offers various purchase options, including a lifetime license with a pre-configured build or the complete C++ source code with continuous updates. The operational costs are minimal, with approximately $1 worth of Polygon’s native token, MATIC, sufficient for 100 to 150 command transactions. This low overhead, coupled with the absence of expenses for server rentals or domain registrations, significantly lowers the barrier to entry for threat actors seeking to deploy resilient botnets.
The potential ramifications of botnets utilizing this blockchain-based C2 model extend far beyond individual cyberattacks. Once deployed, these botnets can operate with sustained persistence and scale to facilitate large-scale distributed denial-of-service (DDoS) attacks, credential stuffing, click fraud, proxy-as-a-service abuse, and extensive data theft. Even a complete eradication of infected machines does not dismantle the operator’s smart contracts on the blockchain. Consequently, a full redeployment of the botnet can be executed at any time without the need to reconstruct the underlying infrastructure.
The operator manages these botnets through a web-based control panel. From this interface, attackers can select specific smart contracts, choose command types—such as targeting all bots, pinging by hardware ID, or deploying a DLL loader—and specify a payload URL before publishing the update to the blockchain. Once a command is confirmed on the blockchain, it can only be altered or removed by the owner of the associated wallet. Operators can manage multiple contracts simultaneously, each potentially controlling different malicious functions like credential clippers, data stealers, remote access tools (RATs), or cryptocurrency miners.
Aeternum C2 also incorporates advanced evasion techniques, including anti-virtual machine (VM) detection. This feature prevents its execution within virtualized environments commonly used by antivirus vendors and malware analysts for inspection. The seller also provides a scantime scanner powered by the Kleenscan API, which, at the time of testing, indicated that only 12 out of 37 antivirus engines detected the sample. Prominent security solutions like CrowdStrike, Avast, Avira, and ClamAV returned clean results, underscoring the loader’s current stealth capabilities.
Given that traditional infrastructure seizures are no longer a viable strategy against blockchain-based C2 channels, security teams must adapt their defense mechanisms. The focus must shift towards robust endpoint detection, advanced behavioral monitoring, and stringent application controls to identify and neutralize suspicious executables in their early stages. Network defenders should explore the feasibility of monitoring or restricting outbound connections to recognized Polygon RPC endpoints without negatively impacting legitimate network operations. Proactive traffic filtering at the network edge remains a critical line of defense in mitigating the threat posed by this evolving cybercrime model.
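One way to operationalise the RPC-monitoring advice above, as an added example that is not from the article or from Qrator Labs: a Python triage script that parses constructed proxy-log lines and flags hosts that query a Polygon RPC endpoint from a non-browser process at a steady polling interval, the cadence the seller's documentation implies. The hostname watchlist, the process allowlist and the log format are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Assumed watchlist of public Polygon JSON-RPC hostnames; build yours from your own inventory.
POLYGON_RPC_HOSTS = {"polygon-rpc.com", "rpc.ankr.com"}
# Processes for which chain RPC traffic is plausible (browsers, wallets); also an assumption.
ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}

LINE = re.compile(r"^(\S+ \S+) src=(\S+) proc=(\S+) dst=(\S+) method=(\S+)$")

# Constructed sample proxy log (not real telemetry): ws-17 polls from a system process
# every ~150 s, ws-03 is a browser session, ws-08 is unrelated mail traffic.
SAMPLE_LOG = """\
2024-05-01 10:00:00 src=ws-17 proc=svchost.exe dst=polygon-rpc.com method=eth_call
2024-05-01 10:02:30 src=ws-17 proc=svchost.exe dst=polygon-rpc.com method=eth_call
2024-05-01 10:05:00 src=ws-17 proc=svchost.exe dst=polygon-rpc.com method=eth_call
2024-05-01 10:07:31 src=ws-17 proc=svchost.exe dst=polygon-rpc.com method=eth_call
2024-05-01 10:01:12 src=ws-03 proc=chrome.exe dst=polygon-rpc.com method=eth_blockNumber
2024-05-01 10:03:40 src=ws-03 proc=chrome.exe dst=rpc.ankr.com method=eth_call
2024-05-01 10:04:00 src=ws-08 proc=outlook.exe dst=mail.example.net method=-
"""

def parse(log):
    """Yield (timestamp, src, proc, dst, method) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts, src, proc, dst, method = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), src, proc, dst, method

def flag_polling_hosts(log, min_hits=3, max_jitter=0.2):
    """Return {src: median_interval_seconds} for hosts that query a Polygon RPC
    endpoint from a non-allowlisted process at a steady cadence."""
    hits = defaultdict(list)
    for ts, src, proc, dst, _ in parse(log):
        if dst in POLYGON_RPC_HOSTS and proc not in ALLOWED_PROCESSES:
            hits[src].append(ts)
    flagged = {}
    for src, stamps in hits.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        # Steady cadence: every gap lies within max_jitter of the median gap.
        if med > 0 and all(abs(g - med) <= max_jitter * med for g in gaps):
            flagged[src] = med
    return flagged
```

Hosts returned here are triage leads, not verdicts: confirm with endpoint telemetry (parent process, loaded DLLs) before blocking, since legitimate wallet or dApp software can also poll public RPC endpoints.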