Aeternum C2: The Botnet That Lives on the Polygon Blockchain
Key Findings: Aeternum is a C++ botnet loader that uses the Polygon blockchain as its command-and-control (C2) infrastructure. The botnet stores its instructions in smart contracts on the Polygon blockchain, making its C2 effectively permanent and resistant to traditional takedown methods. Infected machines poll public RPC endpoints, read the on-chain instructions, and execute them, allowing the botnet operators to manage multiple contracts and payloads simultaneously. Blockc
Feb 27 · 2 min read
Aeternum C2 Botnet Leverages Polygon Blockchain to Evade Takedown
Key Findings: Aeternum C2 is a new botnet that uses the Polygon blockchain to store encrypted command-and-control (C2) instructions. This approach makes Aeternum's C2 infrastructure effectively permanent and resistant to traditional takedown methods. The malware works by writing commands to be issued to infected hosts into smart contracts on the Polygon blockchain. The bots then read those commands by querying public remote procedure call (RPC) endpoints, with the commands man
Feb 26 · 2 min read
DeadLock Ransomware Exploits Polygon Smart Contracts to Hide C2
Key Findings: A new ransomware family called DeadLock was discovered in July 2025, distinguished by its innovative abuse of Polygon smart contracts to manage its command-and-control (C2) infrastructure. DeadLock embeds the proxy URL directly into the blockchain via a `setProxy` function, creating an immutable and resilient communication channel that is difficult for law enforcement to take down. This "EtherHiding" technique echoes methods previously observed with North Korean
Jan 16 · 2 min read
New NANOREMOTE Backdoor Uses Google Drive API for Covert C2 and Links to FINALDRAFT Espionage Group
Key Findings: Elastic Security Labs has uncovered a sophisticated new Windows backdoor called NANOREMOTE that leverages the Google Drive API for covert command-and-control (C2) and data exfiltration operations. NANOREMOTE employs legitimate cloud services to blend its malicious traffic with normal network activity, making it extremely difficult for traditional security tools to detect. The malware uses OAuth 2.0 tokens to authenticate with Google's servers and create a covert
Dec 15, 2025 · 2 min read
AI Uncovers GhostPenguin: Sophisticated Linux Backdoor Employs Advanced Encryption and Covert Communication Tactics
Key Findings: Trend Micro's AI-driven threat hunting pipeline discovered a previously unknown and undetectable Linux backdoor called "GhostPenguin". GhostPenguin had zero detections on VirusTotal for over four months before being identified. The sophisticated, multi-threaded backdoor is written in C++ and uses RC5-encrypted UDP for covert command-and-control (C2) communications. Background: GhostPenguin was first submitted to VirusTotal on July 7, 2025, but remained completely inv
Dec 9, 2025 · 2 min read
