For years, taking down a botnet meant finding its command-and-control (C2) server, seizing the domain, and watching the network go dark. Law enforcement used this method to dismantle major operations like Emotet, TrickBot, and QakBot. <\/p>\n
A newly discovered botnet loader called Aeternum C2 has been built specifically to close that door, storing all of its instructions not on any server or domain, but directly on the Polygon blockchain.<\/p>\n
Aeternum\u2019s commands live inside smart contracts on the Polygon network, a public blockchain replicated across thousands of nodes worldwide. <\/p>\n
Since there is no single server to seize or domain to suspend, the infrastructure remains available regardless of what any authority or platform chooses to do. <\/p>\n
Defenders who have spent years dismantling botnets through infrastructure seizure now face a model where that strategy simply does not work, and Aeternum appears to be the first commercially available implementation to make blockchain-based C2 a ready-to-use product.<\/p>\n
Qrator Labs analysts identified the loader<\/a> while monitoring cybercrime networks, noting it is written in native C++ and available in both 32-bit and 64-bit builds. <\/p>\n Researchers found that every command issued to infected machines is recorded as a transaction on the Polygon blockchain, with bots reading those commands through public remote procedure call (RPC) endpoints. <\/p>\n According to the seller\u2019s documentation, all active bots receive updates within two to three minutes \u2014 faster and more consistent than traditional peer-to-peer botnets.<\/p>\n The botnet is marketed on underground forums as either a lifetime license with a preconfigured build or as full C++ source code with ongoing updates. <\/p>\n Running costs are negligible: just $1 worth of MATIC, Polygon\u2019s native token, covers 100 to 150 command transactions. <\/p>\n With no servers to rent or domains to register, the operational overhead for maintaining a resilient botnet is close to zero, placing it within reach of far more threat actors.<\/p>\n The potential damage from botnets built on this model stretches well beyond individual campaigns. <\/p>\n Once deployed, they can grow uninterrupted and be used for large-scale DDoS attacks<\/a>, credential stuffing, click fraud, proxy-as-a-service abuse, and data theft. <\/p>\n Even a complete cleanup of infected machines leaves the operator\u2019s smart contracts intact, meaning a full redeployment is possible at any moment without rebuilding infrastructure.<\/p>\n The operator manages everything through a web-based control panel. From this interface, the attacker selects a smart contract, picks a command type \u2014 whether targeting all bots, pinging a specific machine by hardware ID (HWID), or pushing a DLL loader<\/a> \u2014 then provides a payload URL and publishes the update to the blockchain.\u00a0<\/p>\n Once confirmed on-chain, a command cannot be altered or removed by anyone except the wallet owner. The operator can run multiple contracts at once, with each one tied to a different function such as a clipper, a stealer, a remote access tool (RAT), or a miner.\u00a0<\/p>\n Aeternum also includes anti-VM detection<\/a>, blocking execution inside virtualized environments typically used by antivirus vendors and malware analysts. <\/p>\n The seller bundles a scantime scanner powered by the Kleenscan API.\u00a0This\u00a0shows that only 12 of 37 engines flagged the sample, while CrowdStrike, Avast, Avira, and ClamAV all returned clean results at the time of testing.<\/p>\n Traditional domain seizures and server takedowns will not stop a blockchain-based C2 channel. Security teams should focus on endpoint detection, behavioral monitoring, and strict application controls to catch suspicious executables early. <\/p>\n Network defenders<\/a> should evaluate whether outbound connections to known Polygon RPC endpoints can be monitored or restricted without disrupting legitimate operations. <\/p>\n Since infrastructure-level takedowns are no longer reliable against this model, proactive traffic filtering at the network edge remains the most dependable line of defense.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Researchers Uncover Aeternum C2 Infrastructure with Advanced Persistence and Network Evasion Features<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nBlockchain-Based C2: How Aeternum Operates and Evades Detection<\/h2>\n
![\"The](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgF765vejse0FDeIE29KW2maY9ssM0XD-HgnVV6iCuRtLhj61Fn0KDUTPG260M5EA3jAB5gtLNVTYdxe-lINH0a6IJP4D6jeb-jBoM7riyfBKHRYxCMRLSGWfRg5YkQF1-bAgRwYvHWPPfLphyphenhyphenLHPpKvKAVeI4VEY5scW9WIKF0P50ZVM4Ijzz7PHHaLL4\/s16000\/The%2520Aeternum%2520C2%2520Dashboard%2520%28Source%2520-%2520Qrator%2520Labs%29.webp?ssl=1\")
![\"Contract](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj9hsecTQRU_ceHrKvWYauWIqJStzpO2Z6K8mV_-LLkUDFlc75wrthyphenhyphenbnbLtKfU8LziJUj3irbb4W0VF3q46gCCmDnHr1cr6pMGn2OsRExU4wnH8fH94-LvKnBDggUk_1krp3-Adn8LGbSjxff2pi0oP5hwbsjSQaSF_e7tvr7ZInK70mGJLmr7V_HbtOA\/s16000\/Contract%2520Management%2520Panel%2520Showing%252013%2520Active%2520Smart%2520Contracts%2520%28Source%2520-%2520Qrator%2520Labs%29.webp?ssl=1\")
![\"Built-in](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh1dGG31BHbVsHhSIUFzZso5GBkafxjSFaKK96EAZQn_p3o_A-lSWgt0fuWSpKAREaXgnUOG8WtAvhUP8ypG3aqG4MiT_6VQHdgD-HHK8Iz8LozKQ6-qURPesUa5pfX1VvgiUw6dHv2xu_6_kWxYRYpex4Q8UXLUs1pbD1ZuD7v93P_YOxVxeDw2NJ9y0M\/s16000\/Built-in%2520AV%2520Scanner%2520Showing%2520Detection%2520Rates%2520Across%252037%2520Engines%2520%28Source%2520-%2520Qrator%2520Labs%29.webp?ssl=1\")