MarketAlert – Real-Time Market & Crypto News, Analysis & Alerts
© Market Alert News. All Rights Reserved.

Researchers Uncover Aeternum C2 Infrastructure with Advanced Persistence and Network Evasion Features

Last updated: February 28, 2026 4:35 am
Published: 2 months ago

For years, taking down a botnet meant finding its command-and-control (C2) server, seizing the domain, and watching the network go dark. Law enforcement used this method to dismantle major operations like Emotet, TrickBot, and QakBot.

A newly discovered botnet loader called Aeternum C2 has been built specifically to close that door, storing all of its instructions not on any server or domain, but directly on the Polygon blockchain.

Aeternum’s commands live inside smart contracts on the Polygon network, a public blockchain replicated across thousands of nodes worldwide.

Since there is no single server to seize or domain to suspend, the infrastructure remains available regardless of what any authority or platform chooses to do.

Defenders who have spent years dismantling botnets through infrastructure seizure now face a model where that strategy simply does not work, and Aeternum appears to be the first commercially available implementation to make blockchain-based C2 a ready-to-use product.

Qrator Labs analysts identified the loader while monitoring cybercrime networks, noting it is written in native C++ and available in both 32-bit and 64-bit builds.

Researchers found that every command issued to infected machines is recorded as a transaction on the Polygon blockchain, with bots reading those commands through public remote procedure call (RPC) endpoints.

According to the seller’s documentation, all active bots receive updates within two to three minutes — faster and more consistent than traditional peer-to-peer botnets.

The botnet is marketed on underground forums as either a lifetime license with a preconfigured build or as full C++ source code with ongoing updates.

Running costs are negligible: just $1 worth of MATIC, Polygon’s native token, covers 100 to 150 command transactions.

With no servers to rent or domains to register, the operational overhead for maintaining a resilient botnet is close to zero, placing it within reach of far more threat actors.

The potential damage from botnets built on this model stretches well beyond individual campaigns.

Once deployed, they can grow uninterrupted and be used for large-scale DDoS attacks, credential stuffing, click fraud, proxy-as-a-service abuse, and data theft.

Even a complete cleanup of infected machines leaves the operator’s smart contracts intact, meaning a full redeployment is possible at any moment without rebuilding infrastructure.

Blockchain-Based C2: How Aeternum Operates and Evades Detection

The operator manages everything through a web-based control panel. From this interface, the attacker selects a smart contract, picks a command type — whether targeting all bots, pinging a specific machine by hardware ID (HWID), or pushing a DLL loader — then provides a payload URL and publishes the update to the blockchain.

Once confirmed on-chain, a command cannot be altered or removed by anyone except the wallet owner. The operator can run multiple contracts at once, with each one tied to a different function such as a clipper, a stealer, a remote access tool (RAT), or a miner.

Aeternum also includes anti-VM detection, blocking execution inside virtualized environments typically used by antivirus vendors and malware analysts.

The seller bundles a scantime scanner powered by the Kleenscan API. Its results show that only 12 of 37 engines flagged the sample, while CrowdStrike, Avast, Avira, and ClamAV all returned clean results at the time of testing.

Traditional domain seizures and server takedowns will not stop a blockchain-based C2 channel. Security teams should focus on endpoint detection, behavioral monitoring, and strict application controls to catch suspicious executables early.

Network defenders should evaluate whether outbound connections to known Polygon RPC endpoints can be monitored or restricted without disrupting legitimate operations.

Since infrastructure-level takedowns are no longer reliable against this model, proactive traffic filtering at the network edge remains the most dependable line of defense.
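
One way to start the RPC monitoring suggested above, as an added example that is not part of the original article or of Qrator Labs' research: it scans proxy logs for hosts outside an approved list that contact a Polygon RPC endpoint and marks those whose requests arrive at a near-fixed interval. The log format, host names, watchlist, and the premise that a bot polls on a regular schedule are assumptions made for illustration.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Assumption: illustrative watchlist; build yours from the RPC providers you observe.
POLYGON_RPC_HOSTS = {"polygon-rpc.com"}
# Assumption: hosts approved for blockchain work (hypothetical name).
ALLOWLIST = {"dev-web3-01"}

# Constructed proxy log lines: timestamp,src_host,dest_host
SAMPLE_LOG = """\
2026-02-27T10:00:00,ws-finance-07,polygon-rpc.com
2026-02-27T10:01:00,ws-hr-02,polygon-rpc.com
2026-02-27T10:01:10,dev-web3-01,polygon-rpc.com
2026-02-27T10:02:30,ws-finance-07,polygon-rpc.com
2026-02-27T10:03:00,ws-hr-02,example.org
2026-02-27T10:05:00,ws-finance-07,polygon-rpc.com
2026-02-27T10:07:32,ws-finance-07,polygon-rpc.com
2026-02-27T10:10:00,ws-finance-07,polygon-rpc.com
2026-02-27T10:40:00,ws-hr-02,polygon-rpc.com
"""

def find_rpc_clients(log_text, min_hits=4, max_cv=0.25):
    """Return non-allowlisted hosts that contacted a watchlisted RPC endpoint,
    marking those whose request timing looks like fixed-interval polling."""
    seen = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 3:
            continue  # skip malformed or blank lines
        ts, src, dest = row
        if dest.lower() in POLYGON_RPC_HOSTS and src not in ALLOWLIST:
            seen[src].append(datetime.fromisoformat(ts))
    findings = {}
    for src, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps) if gaps else 0
        # Low coefficient of variation across enough hits suggests a timer, not a person.
        periodic = (len(times) >= min_hits and mean_gap > 0
                    and statistics.pstdev(gaps) / mean_gap <= max_cv)
        findings[src] = {"hits": len(times),
                         "median_gap_s": statistics.median(gaps) if gaps else None,
                         "periodic": periodic}
    return findings

if __name__ == "__main__":
    print(find_rpc_clients(SAMPLE_LOG))
```

A host flagged as periodic is a lead for endpoint triage rather than a verdict, since legitimate wallet or monitoring software may also poll an RPC endpoint on a timer.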

This news is powered by Cyber Security News.