
Aeternum C2: The Botnet That Lives on the Polygon Blockchain

  • Feb 27
  • 2 min read

Key Findings:


  • Aeternum is a C++ botnet loader that uses the Polygon blockchain as its command-and-control (C2) infrastructure.

  • The botnet stores its instructions in smart contracts on the Polygon blockchain. There is no C2 server or domain for defenders to seize, and the on-chain record is permanent and cannot be deleted by a third party, so the channel is resistant to traditional takedown methods.

  • Infected machines poll public RPC endpoints, read the on-chain instructions, and execute them, allowing the botnet operators to manage multiple contracts and payloads simultaneously.

  • Blockchain-based C2 changes the botnet takedown playbook: there is no central server to shut down, the command history is part of an immutable public ledger, and every infected host reads the same instructions. The flip side is that defenders can read the very same contract and command history, and the bots still depend on reachable RPC endpoints.

  • Aeternum includes features like anti-VM checks, an AV scanner, and a low-cost operating model, making it an attractive and resilient option for malware operators.


Background


Aeternum is a C++ botnet loader that has been observed using the Polygon blockchain as its command-and-control (C2) infrastructure. Because the commands live on a public chain rather than on a server the operators control, the botnet sidesteps traditional server-based takedowns and is considerably more resilient and persistent in the wild.


Decentralized Command and Control


Instead of relying on traditional servers or domains for command and control, Aeternum stores its instructions on the public Polygon blockchain. The same network carries a large volume of legitimate decentralized-application traffic, so blocking it wholesale is impractical, and because the chain's history cannot be rewritten, the C2 data persists for as long as the chain does.


Operational Mechanics


Aeternum's operators write commands into smart contracts on the Polygon blockchain. Infected machines poll public RPC endpoints with read-only JSON-RPC calls, which cost the bot nothing and resemble ordinary dApp traffic, decode the on-chain instructions, and execute them. Operators can run several contracts at once, each tied to a different payload such as a stealer, clipper, RAT, or miner.
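The read side of such a channel, as an added illustration that is not Aeternum's code and not taken from any of the sources: it builds the `eth_call` JSON-RPC request a client would POST to an RPC endpoint and decodes the ABI-encoded `string` a contract getter returns. The contract address, the 4-byte selector, the command text and the RPC reply are all constructed placeholders, and the transport is stubbed so the script runs offline; nothing is executed, only parsed.

```python
"""Added illustration of the read side of a contract-based C2 channel.
This is NOT Aeternum's code: the contract address, the function selector,
the command text and the RPC reply are all constructed placeholders, and the
network transport is stubbed so the script runs offline."""
import json

# Assumed values (hypothetical): a contract address and the 4-byte selector of
# a view function that returns a string. A real client would hard-code the
# keccak-256 selector of the contract's actual getter.
CONTRACT = "0x" + "11" * 20
SELECTOR = "0xdeadbeef"


def build_eth_call(contract: str, selector: str, block: str = "latest") -> dict:
    """JSON-RPC body for eth_call, a read-only call against contract state.
    Nothing is signed or broadcast and no gas is paid, which is why the
    polling side of such a scheme costs the operator nothing."""
    return {
        "jsonrpc": "2.0",
        "id": 1,
        "method": "eth_call",
        "params": [{"to": contract, "data": selector}, block],
    }


def abi_encode_string(text: str) -> str:
    """ABI encoding of a single `string` return value: a 32-byte offset to the
    tail (0x20), a 32-byte length, then the UTF-8 bytes right-padded to a
    32-byte boundary. Used here only to fabricate a realistic RPC reply."""
    raw = text.encode()
    pad = b"\x00" * ((32 - len(raw) % 32) % 32)
    head = (32).to_bytes(32, "big").hex() + len(raw).to_bytes(32, "big").hex()
    return "0x" + head + (raw + pad).hex()


def abi_decode_string(hexdata: str) -> str:
    """Inverse of the above, with bounds checks so a truncated or hostile
    reply raises instead of slicing garbage."""
    data = bytes.fromhex(hexdata[2:] if hexdata.startswith("0x") else hexdata)
    if len(data) < 64:
        raise ValueError("reply too short for an ABI-encoded string")
    offset = int.from_bytes(data[:32], "big")
    if offset + 32 > len(data):
        raise ValueError("tail offset points outside the reply")
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        raise ValueError("declared length exceeds the reply")
    return data[start:start + length].decode()


def fetch_command(transport, contract: str = CONTRACT, selector: str = SELECTOR) -> str:
    """One poll: send eth_call through `transport` (a callable taking the
    request dict and returning the reply dict) and decode the result.
    A JSON-RPC error object is treated as 'no command', never as a command."""
    reply = transport(build_eth_call(contract, selector))
    if "error" in reply or "result" not in reply:
        return ""
    return abi_decode_string(reply["result"])


def fake_transport(request: dict) -> dict:
    """Stand-in for an HTTP POST to a public RPC endpoint: returns a
    constructed reply carrying a constructed command string."""
    assert request["method"] == "eth_call"
    return {"jsonrpc": "2.0", "id": request["id"],
            "result": abi_encode_string("update https://c2.example.invalid/stage2.bin")}


if __name__ == "__main__":
    print(json.dumps(build_eth_call(CONTRACT, SELECTOR)))
    print("decoded command:", fetch_command(fake_transport))
```

The bounds checks matter in both directions: a defender replaying or proxying RPC replies can feed a malformed result to a client, and a client that trusts the declared offset and length blindly will read past the buffer. The same decoder, pointed at the real contract with a real HTTP transport, is also how an analyst reads the current command without running the malware.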


Disruption Challenges


Blockchain-based C2 changes the botnet takedown playbook. Traditional botnets rely on domains, IPs, or servers that defenders can seize, suspend, or sinkhole. Aeternum avoids these weak points by storing commands on the Polygon blockchain, which makes it significantly harder to disrupt or shut down. What remains for defenders is the edges of the channel: the bot must reach some RPC endpoint, the contract address it reads is a stable indicator, and every command ever published is visible to anyone who queries the chain, so monitoring and detection, rather than seizure, become the practical response.
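One egress-side detection that follows from this, as an added example that is not from the Aeternum report or any of the sources: every bot must send JSON-RPC reads to some RPC provider and name the contract it reads, so a proxy or EDR log of outbound POST bodies can surface polling by processes that have no business talking to a chain. The hostnames, process names, contract addresses and log records below are all constructed placeholders.

```python
"""Added example of an egress-side detection for contract-based C2 polling.
Not Aeternum's code and not from the report: the log lines, hostnames,
process names and contract addresses are all constructed placeholders."""
import json
from collections import Counter

# Assumed placeholders for the public RPC hostnames to watch; in practice this
# is the list of providers your environment actually sees.
RPC_HOSTS = {"rpc.polygon.example", "rpc-mainnet.example"}
# Processes for which chain reads are expected (browsers, wallets, dev tools).
ALLOWED_PROCS = {"chrome.exe", "firefox.exe", "wallet.exe"}
# JSON-RPC methods that read contract state or logs.
CHAIN_READS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}


def _rec(proc, host, body):
    """One constructed proxy/EDR record: process, destination host, POST body."""
    return json.dumps({"proc": proc, "host": host, "body": body})


def _rpc(method, params, rid=1):
    return {"jsonrpc": "2.0", "id": rid, "method": method, "params": params}


C2_A, C2_B, DAPP = "0x" + "11" * 20, "0x" + "33" * 20, "0x" + "22" * 20
SAMPLE_LOG = "\n".join([
    _rec("svchost.exe", "rpc.polygon.example",
         json.dumps(_rpc("eth_call", [{"to": C2_A, "data": "0xdeadbeef"}, "latest"]))),
    _rec("svchost.exe", "rpc.polygon.example",
         json.dumps(_rpc("eth_call", [{"to": C2_A, "data": "0xdeadbeef"}, "latest"], 2))),
    _rec("chrome.exe", "rpc.polygon.example",            # allowlisted browser
         json.dumps(_rpc("eth_call", [{"to": DAPP, "data": "0x01020304"}, "latest"]))),
    _rec("svchost.exe", "rpc.polygon.example",            # not a state read
         json.dumps(_rpc("eth_blockNumber", []))),
    _rec("svchost.exe", "rpc-mainnet.example",            # JSON-RPC batch
         json.dumps([_rpc("eth_getStorageAt", [C2_B, "0x0", "latest"]),
                     _rpc("eth_blockNumber", [], 2)])),
    _rec("updater.exe", "rpc.polygon.example", "GET /health"),  # not JSON: ignored
])


def contract_of(call: dict):
    """Pull the contract address a read targets; None for methods that name none."""
    params = call.get("params") or []
    method = call.get("method")
    if method == "eth_call" and params and isinstance(params[0], dict):
        return (params[0].get("to") or "").lower() or None
    if method == "eth_getStorageAt" and params and isinstance(params[0], str):
        return params[0].lower()
    if method == "eth_getLogs" and params and isinstance(params[0], dict):
        addr = params[0].get("address")
        return addr.lower() if isinstance(addr, str) else None
    return None


def scan(log_text: str):
    """Return (findings, polls). findings: one dict per chain read by a
    non-allowlisted process to a watched host. polls: how many times each
    (process, contract) pair read, which separates a one-off lookup from a
    beacon loop. Batches (JSON arrays) are unpacked so a bot cannot hide a
    read behind a harmless first element."""
    findings, polls = [], Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["host"] not in RPC_HOSTS or rec["proc"].lower() in ALLOWED_PROCS:
            continue
        try:
            body = json.loads(rec["body"])
        except json.JSONDecodeError:
            continue
        calls = body if isinstance(body, list) else [body]
        for call in calls:
            if not isinstance(call, dict) or call.get("method") not in CHAIN_READS:
                continue
            contract = contract_of(call)
            findings.append({"proc": rec["proc"], "host": rec["host"],
                             "method": call["method"], "contract": contract})
            if contract:
                polls[(rec["proc"], contract)] += 1
    return findings, polls


def contracts_to_block(log_text: str, min_polls: int = 2) -> set:
    """Contract addresses read repeatedly by non-allowlisted processes: the
    indicator worth sharing, since the chain itself cannot be taken down."""
    _, polls = scan(log_text)
    return {contract for (_, contract), n in polls.items() if n >= min_polls}


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG)[0]:
        print(f)
    print("repeatedly polled contracts:", contracts_to_block(SAMPLE_LOG))
```

The allowlist is the weak point of this rule: a loader injected into a browser process inherits the exemption, so pair it with the poll count per contract and treat a fixed cadence against one address as the stronger signal. The extracted contract addresses are also what to feed back into the read-side decoder above to see what the operator has published.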


Features and Capabilities


Aeternum includes features that enhance its resilience and stealth: anti-VM checks, an integrated AV scanner used to test detection rates, and a low-cost operating model in which the ongoing expense is the gas for the transactions that publish commands rather than server infrastructure.


Potential Impact and Implications


Even if Aeternum itself never gains mass adoption, the blockchain-based C2 model it showcases is now a ready-made underground product. Other malware developers are likely to reuse and refine it, producing botnets that are harder to take down and able to power large-scale attacks.


Sources


  • https://securityaffairs.com/188627/mobile-2/aeternum-botnet-hides-commands-in-polygon-smart-contracts.html

  • https://x.com/shah_sheikh/status/2027482246588850589

  • https://www.facebook.com/thehackernews/photos/-new-botnet-loader-aeternum-uses-polygon-smart-contracts-as-its-c2-channelcomman/1305340204963893/

  • https://dev.to/deepseax/aeternum-c2-the-botnet-that-lives-on-the-polygon-blockchain-c3g


© 2025 by Explain IT Again. Powered and secured by Wix
