Full Report
Cybersecurity researchers have disclosed details of a new botnet loader called Aeternum C2 that uses a blockchain-based command-and-control (C2) infrastructure to make it resilient to takedown efforts. "Instead of relying on traditional servers or domains for command-and-control, Aeternum stores its instructions on the public Polygon blockchain," Qrator Labs said in a report shared with The
Analysis Summary
# Tool/Technique: Aeternum C2
## Overview
Aeternum C2 is a sophisticated botnet loader designed for maximum resilience against traditional infrastructure takedowns. Its primary innovation is the use of the public Polygon blockchain as its command-and-control (C2) mechanism. Instead of communicating with a standard web server or domain, the malware retrieves encrypted instructions from smart contracts, making the command chain effectively permanent and decentralized.
## Technical Details
- **Type:** Malware (Loader / Botnet)
- **Platform:** Windows (native C++ builds for 32-bit (x86) and 64-bit (x64) architectures)
- **Capabilities:** Blockchain-based C2, payload delivery, anti-analysis, and evasion.
- **First Seen:** December 2025
## MITRE ATT&CK Mapping
- **[TA0011 - Command and Control]**
  - **[T1102.003 - Web Service: One-Way Communication]** (Using blockchain RPC endpoints to fetch commands)
  - **[T1568 - Dynamic Resolution]**
- **[TA0002 - Execution]**
  - **[T1059 - Command and Scripting Interpreter]**
- **[TA0005 - Defense Evasion]**
  - **[T1497 - Virtualization/Sandbox Evasion]**
  - **[T1027 - Obfuscated Files or Information]** (Encrypted commands in smart contracts)
## Functionality
### Core Capabilities
- **Blockchain C2:** Uses the Polygon blockchain to store instructions. Bots query public Remote Procedure Call (RPC) endpoints to read smart contract data.
- **Payload Loading:** Used to deploy secondary malware such as clippers, stealers, Remote Access Trojans (RATs), or miners.
- **Command Management:** Operators manage commands via a Next.js web application panel, which writes instructions into the blockchain as transactions.
- **Targeting:** Supports broad broadcasting to all infected hosts or targeting specific endpoints.
### Advanced Features
- **Takedown Resistance:** Because commands are etched into a public, decentralized ledger, they cannot be deleted or blocked by traditional domain/IP blacklisting.
- **Anti-Analysis:** Includes built-in checks for virtualized environments and sandboxes to prevent detection by researchers.
- **Cost Efficiency:** Extremely low operational costs; approximately $1 of MATIC (Polygon’s native token) can fund 100 to 150 command transactions.
- **FUD (Fully Undetected) Maintenance:** Integrates with services like Kleenscan to ensure builds remain undetected by antivirus vendors.
## Indicators of Compromise
- **File Hashes:** *(Specific hashes were not provided in the article; analysts should monitor for new native C++ loader samples associated with Polygon RPC traffic.)*
- **Network Indicators:**
  - Traffic to public Polygon RPC endpoints (e.g., `https[:]//polygon-rpc[.]com` or similar decentralized infrastructure).
  - Web panel: Next.js-based applications linked to the threat actor "LenAI".
- **Behavioral Indicators:**
  - Repeated polling of blockchain API providers.
  - Deployment of secondary payloads (stealers/miners) shortly after blockchain transaction confirmation.
## Associated Threat Actors
- **LenAI:** The developer and primary seller of the toolkit on underground forums. This actor is also linked to the "ErrTraffic" crimeware solution (associated with ClickFix attacks).
## Detection Methods
- **Behavioral Detection:** Monitor for unusual or high-frequency outbound connections to known blockchain RPC nodes from non-financial applications.
- **Network Traffic Analysis:** Correlate reads of Polygon smart contract data (the responses carry the encrypted command blobs) with the execution of unknown binaries shortly afterwards.
- **Memory Forensics:** Scan for strings related to Polygon RPC URLs or smart contract addresses within running C++ processes.
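As an added example (not code from the report or from Qrator Labs), the behavioral and network detections above expressed as a small Python rule set over constructed EDR-style telemetry: it flags non-allowlisted processes that repeatedly connect to polygon-rpc.com and escalates when such a process then launches a binary from a user-writable directory. The log format, the allowlist entry, the thresholds and the sample host names and paths are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

POLYGON_RPC_HOSTS = {"polygon-rpc.com"}      # endpoint named in the report; extend with your own list
ALLOWED_IMAGES = {r"c:\wallet\wallet.exe"}   # constructed allowlist of legitimate RPC clients (lower-case)
POLL_THRESHOLD, POLL_WINDOW = 5, timedelta(minutes=10)  # 5 contract reads in 10 min counts as polling
FOLLOW_UP_WINDOW = timedelta(minutes=5)      # a child spawned this soon after a read is suspicious
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\", re.I)

def parse(line):  # constructed EDR-style record: "<iso-ts> <NET|PROC> key=value ..."
    ts, kind, *pairs = line.split()
    return {"ts": datetime.fromisoformat(ts), "kind": kind, **dict(p.split("=", 1) for p in pairs)}

def is_polling(stamps):  # any POLL_THRESHOLD consecutive hits inside one POLL_WINDOW
    stamps = sorted(stamps)
    return any(stamps[i + POLL_THRESHOLD - 1] - stamps[i] <= POLL_WINDOW
               for i in range(len(stamps) - POLL_THRESHOLD + 1))

def detect(lines):
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    hits = defaultdict(list)  # (host, pid, image) -> times of connections to Polygon RPC hosts
    for ev in events:
        if (ev["kind"] == "NET" and ev["dst"].rsplit(":", 1)[0] in POLYGON_RPC_HOSTS
                and ev["image"].lower() not in ALLOWED_IMAGES):
            hits[(ev["host"], ev["pid"], ev["image"])].append(ev["ts"])
    pollers = {k: v for k, v in hits.items() if is_polling(v)}
    findings = [{"rule": "polygon_rpc_polling", "host": h, "pid": p, "image": i}
                for (h, p, i) in pollers]
    for ev in events:  # loader behaviour: a polling process spawns a binary from a user-writable path
        if ev["kind"] != "PROC" or not USER_WRITABLE.search(ev["image"]):
            continue
        for (h, p, i), stamps in pollers.items():
            if h == ev["host"] and p == ev["ppid"] and any(
                    timedelta(0) <= ev["ts"] - t <= FOLLOW_UP_WINDOW for t in stamps):
                findings.append({"rule": "rpc_read_then_spawn", "host": h, "pid": p,
                                 "image": i, "child": ev["image"]})
    return findings

# Constructed telemetry: svc.exe reads the contract every 2 min and then launches upd.exe from Temp;
# wallet.exe is allowlisted, chrome.exe connects only once, and later/system-path children are not flagged.
SAMPLE_LOG = [f"2025-12-03T10:{m:02d}:00 NET host=WS01 pid=4120 "
              r"image=C:\Users\bob\AppData\Roaming\svc.exe dst=polygon-rpc.com:443"
              for m in range(0, 12, 2)] + [
    r"2025-12-03T10:01:00 NET host=WS01 pid=310 image=C:\Wallet\wallet.exe dst=polygon-rpc.com:443",
    r"2025-12-03T10:05:00 NET host=WS01 pid=900 image=C:\Browser\chrome.exe dst=polygon-rpc.com:443",
    r"2025-12-03T10:12:00 PROC host=WS01 pid=5001 ppid=4120 image=C:\Users\bob\AppData\Local\Temp\upd.exe",
    r"2025-12-03T10:13:00 PROC host=WS01 pid=5002 ppid=4120 image=C:\Windows\System32\conhost.exe",
    r"2025-12-03T10:30:00 PROC host=WS01 pid=5003 ppid=4120 image=C:\Users\bob\Downloads\late.exe",
]
```

`detect(SAMPLE_LOG)` returns two findings: the polling alert for svc.exe (pid 4120) and the escalation naming upd.exe as the spawned child; the allowlisted wallet, the one-off browser connection, the system-path child and the child spawned 20 minutes later all stay quiet.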
## Mitigation Strategies
- **Network Filtering:** Block or strictly monitor access to public blockchain RPC endpoints if they are not required for legitimate business operations.
- **Endpoint Protection:** Use EDR solutions to monitor for unauthorized process creation and suspicious memory injections typical of loaders.
- **Software Restriction Policies:** Implement application whitelisting to prevent the execution of untrusted C++ binaries in user directories.
## Related Tools/Techniques
- **Glupteba:** An earlier botnet that used the Bitcoin blockchain as a fallback C2 mechanism.
- **ErrTraffic:** Another tool by the same author (LenAI) used for automating fake update (ClickFix) attacks.
- **Dead Drop Resolvers:** A similar concept where actors use legitimate services (GitHub, Pastebin, etc.) to host C2 information, though blockchain is more permanent.