Aeternum C2 Botnet Stores Hidden Commands on Polygon Blockchain to Avoid Takedown

Cybersecurity researchers have disclosed details of a new botnet loader called Aeternum C2 that uses blockchain-based command-and-control (C2) infrastructure to make it resistant to takedown attempts.

“Instead of relying on traditional servers or command and control domains, Aeternum stores its instructions on Polygon’s public blockchain,” Qrator Labs said in a report shared with Hacker News.

“This network is widely used by decentralized applications, including Polymarket, the world’s largest prediction market. This approach makes the Aeternum C2 infrastructure permanent and resistant to traditional methods of downsizing.”

This is not the first time botnets have been found to rely on a blockchain for C2. In 2021, Google said it took steps to disrupt a botnet known as Glupteba, which used the Bitcoin blockchain as a backup C2 channel to retrieve the real address of its C2 server.

Details of Aeternum C2 first surfaced in December 2025, when Outpost24’s KrakenLabs revealed that a threat actor named LenAI was advertising the malware on underground forums for $200, a price that gave customers access to the panel and builds. For $4,000, customers were promised the entire C++ codebase plus updates.

A native C++ loader available for both x32 and x64 architectures, the malware works by having the operator write the commands intended for infected hosts into smart contracts on the Polygon blockchain. Bots then read those commands by querying public remote procedure call (RPC) endpoints.

All of this is managed through a web-based panel, where customers can select a smart contract, choose the type of command, specify the URL of the payload, and update it. The command, which can target all endpoints or specific ones, is written to the blockchain through a contract function, after which it is available to every compromised device that polls the network.

“Once an order is confirmed, it cannot be changed or deleted by anyone other than the fund manager,” said Qrator Labs. “A user can manage multiple smart contracts at the same time, each of which may provide a different payment or activity, such as a patch, steal, RAT, or mine.”

According to a two-part study published by Ctrl Alt Intel earlier this month, the C2 panel is a Next.js web application that allows operators to deploy smart contracts on the Polygon blockchain. Each smart contract exposes a function that, when called by the malware via Polygon RPC, returns an encrypted command that is then decrypted and executed on the victim’s machine.
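Because every bot must fetch its tasking through an ordinary JSON-RPC `eth_call` request, that request is the observable a defender can hunt for in proxy or EDR network logs. The following Python is an added example, not code from the report or from any of the vendors named here; it parses JSON-RPC bodies (single or batched), extracts the contract address and 4-byte function selector, and flags calls that hit a watchlisted contract or originate from a process that has no business talking to a blockchain RPC endpoint. The watchlist address, the allowed-process set and the log records are constructed placeholders.

```python
import json

# Constructed placeholders: the article names no contract addresses, and which
# processes may legitimately use blockchain RPC endpoints is a per-fleet assumption.
WATCHLIST = {"0x" + "ab" * 20}
ALLOWED_PROCESSES = {"wallet.exe"}


def parse_eth_calls(body):
    """Return (contract, selector) pairs from a JSON-RPC body, single or batched."""
    try:
        doc = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return []
    calls = []
    for req in (doc if isinstance(doc, list) else [doc]):
        if not isinstance(req, dict) or req.get("method") != "eth_call":
            continue
        params = req.get("params") or []
        call = params[0] if params and isinstance(params[0], dict) else {}
        to = str(call.get("to", "")).lower()
        data = str(call.get("data", ""))
        # The first 4 bytes of calldata select the contract function being read.
        selector = data[:10].lower() if len(data) >= 10 else None
        if to:
            calls.append((to, selector))
    return calls


def flag_records(records):
    """Flag eth_call traffic to a watchlisted contract or from an unexpected process."""
    hits = []
    for rec in records:
        for contract, selector in parse_eth_calls(rec["body"]):
            if contract in WATCHLIST:
                reason = "watchlisted contract"
            elif rec["process"] not in ALLOWED_PROCESSES:
                reason = "eth_call from unexpected process"
            else:
                continue
            hits.append({"host": rec["host"], "process": rec["process"],
                         "contract": contract, "selector": selector, "reason": reason})
    return hits


# Constructed sample records standing in for proxy or EDR network logs.
CALL = {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
        "params": [{"to": "0x" + "AB" * 20, "data": "0x12345678"}, "latest"]}
BATCH = [{"jsonrpc": "2.0", "id": 1, "method": "eth_blockNumber", "params": []},
         {"jsonrpc": "2.0", "id": 2, "method": "eth_call",
          "params": [{"to": "0x" + "cd" * 20, "data": "0xdeadbeef00"}, "latest"]}]
SAMPLE_RECORDS = [
    {"host": "ws01", "process": "svchost.exe", "body": json.dumps(CALL)},
    {"host": "ws02", "process": "wallet.exe", "body": json.dumps(BATCH)},
    {"host": "ws03", "process": "updater.exe", "body": "not json"},
]
```

Selectors are compared case-insensitively and addresses are lower-cased so that checksummed and plain hex forms of the same contract match.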

Besides using the blockchain to make the botnet resistant to takedowns, the malware packs in various anti-analysis features to extend the lifespan of infections. These include checks for virtualized environments, as well as giving customers the ability to scan their builds with Kleenscan to confirm they are not flagged by anti-virus vendors.

“Operational costs are negligible: $1 of MATIC, the traditional token of the Polygon network, is enough for 100 to 150 command transactions,” said the Czech cybersecurity vendor. “The operator does not need to rent servers, register domains, or maintain any infrastructure beyond a crypto wallet and a local copy of the panel.”

The threat actor has since attempted to sell the entire toolkit for an asking price of $10,000, citing a lack of time for support and involvement in another project. “I will sell the entire project to one person who has permission to resell and use it commercially, with all ‘rights’,” said LenAI. “I’ll also give some helpful tips/notes about improvements I don’t have time to use.”

It is worth noting that LenAI is also behind a second crimeware offering called ErrTraffic, which allows threat actors to automate ClickFix attacks by generating fake errors on compromised websites to create a false sense of urgency and trick users into running malicious commands.

The disclosure comes as Infrawatch published details of an underground service that places laptop hardware in American homes to enlist those devices in a residential proxy network called DSLRoot, which relays malicious traffic.

The hardware is designed to run a Delphi-based program called DSLPylon that can enumerate supported modems on the network and remotely control residential network equipment and Android devices through Android Debug Bridge (ADB) integration.

“Attribution analysis identifies the operator as a Belarusian national with residence in Minsk and Moscow,” Infrawatch said. “DSLRoot is estimated to be used by approximately 300 active PCs across 20+ US states.”

The operator has been identified as Andrei Holas (aka Andrei Golas). The service is promoted on BlackHatWorld by a user operating under the name GlobalSolutions, who claims to offer residential ADSL proxies for $190 per month with unlimited access; six-month and annual subscriptions are offered for $990 and $1,750 respectively.

“DSLRoot custom software provides automated remote management of consumer modems (ARRIS/Motorola, Belkin, D-Link, ASUS) and Android devices with ADB, enabling IP address rotation and connection control,” the company notes. “The network operates without authentication, allowing clients to route traffic anonymously through US residential IPs.”
