Cyber: Aeternum C2 Botnet Stores Encrypted Commands On Polygon Blockchain...


Cybersecurity researchers have disclosed details of a new botnet loader called Aeternum C2 that uses a blockchain-based command-and-control (C2) infrastructure to make it resilient to takedown efforts.

"Instead of relying on traditional servers or domains for command-and-control, Aeternum stores its instructions on the public Polygon blockchain," Qrator Labs said in a report shared with The Hacker News.

"This network is widely used by decentralized applications, including Polymarket, the world's largest prediction market. This approach makes Aeternum's C2 infrastructure effectively permanent and resistant to traditional takedown methods."

This is not the first time botnets have been found relying on blockchain for C2. In 2021, Google said it took steps to disrupt a botnet known as Glupteba that uses the Bitcoin blockchain as a backup C2 mechanism to fetch the actual C2 server address.

Details of Aeternum C2 first emerged in December 2025, when Outpost24's KrakenLabs revealed that a threat actor by the name of LenAI was advertising the malware on underground forums for $200, a price that grants customers access to a panel and a configured build. For $4,000, customers were allegedly promised the entire C++ codebase along with updates.

A native C++ loader available in both x32 and x64 builds, the malware works by having commands for the infected hosts written to smart contracts on the Polygon blockchain. The bots then read those commands by querying public remote procedure call (RPC) endpoints.

All of this is managed via the web-based panel, from where customers can select a smart contract, choose a command type, specify a payload URL and update it. The command, which can target all endpoints or a specific one, is written into the blockchain as a transaction, after which it becomes available to every compromised device that's polling the network.
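Because every bot has to poll public RPC endpoints for new instructions, the read side of this design is visible in outbound telemetry even though the "server" is a blockchain. The following detector is an added example written for this article; it is not code from Qrator Labs, Ctrl Alt Intel, Outpost24 or the malware itself. It assumes the contract reads arrive as Ethereum-style JSON-RPC `eth_call` requests (Polygon exposes the same JSON-RPC method set as Ethereum; that Aeternum uses `eth_call` specifically is an assumption), uses constructed log records with assumed field names (`ts`, `host`, `dst`, `body`), and constructed contract addresses. It groups contract reads per host and contract and flags the ones that recur on a steady cadence, which is what a polling bot looks like and what an occasional developer query does not.

```python
import json
from collections import defaultdict
from statistics import mean, pstdev

# Constructed contract addresses for the sample data (not real Aeternum contracts).
CONTRACT_A = "0x" + "11" * 20
CONTRACT_B = "0x" + "22" * 20


def _rpc_body(method, params):
    """Build a JSON-RPC 2.0 request body as a string, as a sensor would log it."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})


# Constructed telemetry: one record per outbound HTTP POST seen by a proxy or EDR
# sensor. Field names are an assumption for this example.
SAMPLE_EVENTS = [
    # ws-17 reads CONTRACT_A every 60 seconds: the polling pattern this detector targets.
    *[{"ts": 1000 + 60 * i, "host": "ws-17", "dst": "rpc.example.net",
       "body": _rpc_body("eth_call", [{"to": CONTRACT_A, "data": "0xdeadbeef"}, "latest"])}
      for i in range(5)],
    # dev-03 is a developer box: assorted RPC methods, one contract read, no cadence.
    {"ts": 1010, "host": "dev-03", "dst": "rpc.example.net",
     "body": _rpc_body("eth_blockNumber", [])},
    {"ts": 1020, "host": "dev-03", "dst": "rpc.example.net",
     "body": _rpc_body("eth_call", [{"to": CONTRACT_B, "data": "0x12345678"}, "latest"])},
    {"ts": 1030, "host": "dev-03", "dst": "rpc.example.net",
     "body": _rpc_body("eth_getBalance", ["0x" + "33" * 20, "latest"])},
    # ws-22 reads CONTRACT_A a few times with irregular gaps: not a beacon.
    *[{"ts": t, "host": "ws-22", "dst": "rpc.example.net",
       "body": _rpc_body("eth_call", [{"to": CONTRACT_A, "data": "0xdeadbeef"}, "latest"])}
      for t in (1000, 1005, 1400, 1401)],
    # Malformed body: the parser must skip it rather than crash.
    {"ts": 1500, "host": "ws-22", "dst": "rpc.example.net", "body": "not json"},
]


def parse_contract_read(body):
    """Return (contract_address, 4-byte selector) if body is an eth_call, else None.

    Only single (non-batched) JSON-RPC requests are handled here.
    """
    try:
        msg = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(msg, dict) or msg.get("method") != "eth_call":
        return None
    params = msg.get("params") or []
    if not params or not isinstance(params[0], dict):
        return None
    to = str(params[0].get("to", "")).lower()
    data = str(params[0].get("data") or "0x")
    if len(to) != 42 or not to.startswith("0x"):
        return None
    # The first 4 bytes of calldata select the contract function being read.
    return to, data[:10]


def find_contract_pollers(events, min_calls=4, max_jitter=0.25):
    """Flag (host, contract) pairs whose eth_call reads recur on a steady interval.

    max_jitter is the allowed ratio of interval standard deviation to mean interval;
    a bot polling on a timer scores near 0, ad-hoc human use scores far higher.
    """
    series = defaultdict(list)
    for ev in events:
        parsed = parse_contract_read(ev.get("body"))
        if parsed is None:
            continue
        contract, _selector = parsed
        series[(ev["host"], contract)].append(ev["ts"])

    findings = []
    for (host, contract), stamps in series.items():
        if len(stamps) < min_calls:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({"host": host, "contract": contract, "count": len(stamps),
                             "mean_interval": avg, "jitter": jitter})
    return findings


if __name__ == "__main__":
    for f in find_contract_pollers(SAMPLE_EVENTS):
        print(f"{f['host']} polls {f['contract']} every ~{f['mean_interval']}s "
              f"({f['count']} reads, jitter {f['jitter']:.2f})")
```

In production the same logic would be restricted to traffic towards known public RPC providers and joined with the requesting process, since a wallet or dApp on a developer machine legitimately issues `eth_call`, and a blockchain-hosted C2 cannot be sinkholed, so the detection has to key on the endpoint's own behaviour rather than on a domain or IP reputation list.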

"Once a command is confirmed, it cannot be altered or removed by anyone other than the wallet holder," Qrator Labs said. "The operator can manage multiple smart contracts simultaneously, each one potentially serving a different payload or function, such as a clipper, a stealer, a RAT, or a miner."

According to two-part research published by Ctrl Alt Intel earlier this month, the C2 panel is implemented as a Next.js web application that allows operators to deploy smart contracts to the Polygon blockchain. The smart contracts contain a function that, when called by the malware via the Polygon RPC, causes it to ret

Source: The Hacker News