
Aeternum C2 Botnet Leverages Polygon Blockchain to Evade Takedown

  • Feb 26

Key Findings


  • Aeternum C2 is a new botnet that uses the Polygon blockchain to store encrypted command-and-control (C2) instructions.

  • This approach makes Aeternum's C2 infrastructure effectively permanent and resistant to traditional takedown methods.

  • The malware works by writing commands to be issued to infected hosts into smart contracts on the Polygon blockchain.

  • The bots then read those commands by querying public remote procedure call (RPC) endpoints, with the commands managed via a web-based panel.

  • The operational costs are negligible, costing only around $1 worth of MATIC (the native token of the Polygon network) for 100-150 command transactions.

  • Aeternum also packs various anti-analysis features to extend the lifespan of infections, including checks to detect virtualized environments.


Background


For a long time, stopping a network of hijacked computers, known as a botnet, was fairly straightforward. Authorities would find the central control server issuing the orders and shut it down, or sinkhole its traffic to a server they controlled. Cybercriminals have now found a way to bypass this off switch entirely.


The research by Qrator Labs identifies a new botnet called Aeternum C2, which doesn't rely on a central server that can be seized. Instead, the operators publish their instructions to the Polygon blockchain, a widely used public blockchain network.


Botnet Infrastructure


Aeternum is a loader written in C++ that runs on almost any Windows computer. Rather than contacting a single website for orders, infected computers read their instructions from smart contracts on the Polygon network: programs stored on the blockchain whose contents are effectively permanent once written.


The botnet operator uses a simple web dashboard to send these commands, and every command flows through the blockchain from the start. This means there is no primary infrastructure for authorities to target.
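As an added illustration of the defensive side of the mechanism described above (not code from the page or from Qrator Labs' research), the following Python detector flags hosts that issue contract-read JSON-RPC calls such as eth_call or eth_getLogs to public Polygon endpoints, and notes when those calls arrive at a regular polling interval. The watchlisted RPC hostnames, the proxy log format and the sample records are assumptions constructed for the example.

```python
import json
from collections import defaultdict

# Assumed watchlist of public Polygon JSON-RPC hosts (constructed for this example).
RPC_WATCHLIST = {"polygon-rpc.com", "rpc-mainnet.matic.network"}
# JSON-RPC methods a client needs to read contract state or contract event logs.
READ_METHODS = {"eth_call", "eth_getLogs", "eth_getStorageAt"}

def parse_line(line):
    """Parse one constructed proxy record: '<epoch> <src_ip> <host> <json body>'."""
    epoch, src, host, body = line.split(" ", 3)
    try:
        rpc = json.loads(body)
    except json.JSONDecodeError:
        rpc = {}
    return {"ts": int(epoch), "src": src, "host": host, "method": rpc.get("method")}

def is_regular(timestamps, tolerance=0.2):
    """True if three or more requests are spaced at near-constant intervals."""
    if len(timestamps) < 3:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and all(abs(g - mean) <= tolerance * mean for g in gaps)

def detect(lines, allowed_sources=frozenset()):
    """Map each unexpected source to the reasons it was flagged."""
    by_src = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["host"] in RPC_WATCHLIST and rec["method"] in READ_METHODS:
            if rec["src"] not in allowed_sources:
                by_src[rec["src"]].append(rec["ts"])
    findings = {}
    for src, stamps in by_src.items():
        reasons = ["contract read via public Polygon RPC"]
        if is_regular(stamps):
            reasons.append("regular polling interval")  # beacon-like cadence
        findings[src] = reasons
    return findings

# Constructed sample records: 10.0.0.5 polls eth_call every 60 s, 10.0.0.7 makes
# one eth_getLogs call, 10.0.0.9 only asks for the current block number.
SAMPLE = [
    '1700000000 10.0.0.5 polygon-rpc.com {"jsonrpc":"2.0","method":"eth_call","params":[],"id":1}',
    '1700000010 10.0.0.9 polygon-rpc.com {"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}',
    '1700000060 10.0.0.5 polygon-rpc.com {"jsonrpc":"2.0","method":"eth_call","params":[],"id":2}',
    '1700000090 10.0.0.7 rpc-mainnet.matic.network {"jsonrpc":"2.0","method":"eth_getLogs","params":[],"id":1}',
    '1700000120 10.0.0.5 polygon-rpc.com {"jsonrpc":"2.0","method":"eth_call","params":[],"id":3}',
]
```

Pass hosts with a legitimate reason to query blockchain RPCs in `allowed_sources` to suppress them; `detect(SAMPLE)` flags 10.0.0.5 for both reasons and 10.0.0.7 for the contract read alone.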


Resilience to Takedown


This blockchain-based approach makes Aeternum's C2 infrastructure effectively permanent and resistant to traditional takedown methods. There are no servers for law enforcement to seize and no domain names to block.


The operational costs are also negligible, costing only about $1 worth of MATIC (the digital currency used on the Polygon network) to send over 100 commands to thousands of computers.


Anti-Analysis Features


Aeternum also packs various anti-analysis features to extend the lifespan of infections. These include checks that detect virtualized environments; the operators also give customers the ability to scan their builds with Kleenscan to confirm that antivirus vendors do not flag them.


Implications


This new model allows botnets to live longer and grow larger, making them well suited to massive distributed denial-of-service (DDoS) attacks. Even after a computer is cleaned of the malware, the operator can simply reuse the same blockchain instructions to start over.


This makes it more important than ever to filter out malicious traffic before it reaches a network, since traditional takedown methods may not be effective against blockchain-based botnets.


Sources


  • https://thehackernews.com/2026/02/aeternum-c2-botnet-stores-encrypted.html

  • https://hackread.com/aeternum-c2-botnet-polygon-blockchain/

  • https://www.instagram.com/p/DVPFYrbkjbp/

  • https://www.reddit.com/r/pwnhub/comments/1rfrnkr/aeternum_c2_botnet_uses_polygon_blockchain_for/
