Aeternum C2 Botnet Uses Polygon Blockchain as Sole Command Infrastructure, Making Traditional Takedowns Impossible

Qrator Research Lab has identified a new botnet called Aeternum C2 that represents a fundamental shift in how botnets maintain command and control: it uses the Polygon blockchain as its sole C2 infrastructure, publishing all operator commands through smart contracts that are replicated across thousands of nodes worldwide.

Unlike previous botnets that used blockchain as a fallback mechanism, Aeternum has no traditional servers, no domains, and no central infrastructure for law enforcement to seize or sinkhole. This makes it effectively immune to the takedown strategies that have successfully disrupted major botnets in the past.

How It Works

Aeternum is a C++ loader targeting Windows systems that replaces conventional C2 communication with blockchain-native operations:

  1. Operator publishes commands via a web dashboard that writes directly to Polygon smart contracts
  2. Infected devices poll the blockchain for new instructions by reading those smart contracts
  3. Commands propagate in 2-3 minutes to all infected devices across the network
  4. No servers exist to seize — the command layer lives entirely on decentralized, immutable infrastructure

Qrator identified 13 active smart contracts on the Aeternum operator's contract management panel, indicating an established and actively managed operation.

Why Previous Takedown Models Fail

Traditional botnet disruption relies on identifying and seizing C2 servers, sinkholing domains, or disrupting the hosting infrastructure. Even blockchain-augmented botnets like Glupteba were disruptable because they only used blockchain as a backup channel — their primary C2 still relied on conventional infrastructure.

Aeternum eliminates this weakness entirely. With all commands flowing through Polygon's public blockchain, there is no single point of failure, no hosting provider to subpoena, and no domain registrar to compel. The smart contracts are permanent and replicated across the entire network.

Even if every infected device is cleaned, the operator can reuse the same blockchain instructions to rebuild the botnet from scratch.

Operational Capabilities

The botnet supports multiple payload types deployed through its blockchain command channel:

  • Clippers — monitor clipboard for cryptocurrency wallet addresses and substitute attacker-controlled addresses to redirect transactions
  • Miners — hijack device compute resources for cryptocurrency mining
  • DDoS capabilities — leverage the botnet for distributed denial-of-service attacks

Cheap to Operate, Hard to Analyze

The operational cost is remarkably low — approximately $1 worth of MATIC (Polygon's native token) is sufficient to send over 100 commands to thousands of infected devices. This near-zero cost makes sustained, large-scale operations economically trivial.

Aeternum also employs anti-VM detection techniques to identify sandbox and analysis environments. If the malware detects it's running in a virtual machine or research lab, it refuses to execute — complicating reverse engineering efforts.

Defender Recommendations

  • Monitor for blockchain RPC traffic — flag outbound connections to Polygon RPC endpoints (polygon-rpc.com, rpc.ankr.com/polygon) from non-cryptocurrency workloads
  • Detect smart contract polling patterns — regular interval requests to blockchain APIs from endpoints that shouldn't be interacting with Web3 infrastructure are a strong indicator
  • Focus on payload prevention — since the C2 channel cannot be disrupted, detection must shift to identifying and blocking the payloads (clippers, miners, DDoS modules) at the endpoint level
  • Network traffic filtering — invest in upstream DDoS mitigation given that blockchain-resilient botnets can sustain larger and longer attack campaigns
  • Hunt for anti-VM behaviors — malware that checks for virtualization artifacts before executing may indicate Aeternum or similar evasive loaders
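The second recommendation above (flagging regular-interval requests to Polygon RPC endpoints from hosts that have no Web3 business) can be turned into a simple hunting query. The script below is an added example, not tooling from Qrator or the advisory; it assumes a constructed, space-separated proxy log format (timestamp, source host, destination host, path) and a hypothetical jitter threshold, and it matches only the two RPC endpoints the advisory names.

```python
"""Hunt for beacon-like polling of Polygon RPC endpoints in proxy logs (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one workstation polls polygon-rpc.com every ~150 s,
# a developer box talks to rpc.ankr.com/polygon irregularly, one host is unrelated.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z ws-finance-07 polygon-rpc.com /
2024-05-01T10:02:30Z ws-finance-07 polygon-rpc.com /
2024-05-01T10:05:01Z ws-finance-07 polygon-rpc.com /
2024-05-01T10:07:29Z ws-finance-07 polygon-rpc.com /
2024-05-01T10:10:00Z ws-finance-07 polygon-rpc.com /
2024-05-01T10:01:12Z dev-web3-01 rpc.ankr.com /polygon
2024-05-01T10:41:50Z dev-web3-01 rpc.ankr.com /polygon
2024-05-01T11:03:05Z dev-web3-01 rpc.ankr.com /polygon
2024-05-01T10:00:05Z ws-hr-02 example.com /index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def is_polygon_rpc(dst, path):
    """Endpoints named in the advisory; rpc.ankr.com serves many chains, so check the path."""
    return dst == "polygon-rpc.com" or (dst == "rpc.ankr.com" and path.startswith("/polygon"))


def parse_log(text):
    """Yield (timestamp, src, dst, path); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3), m.group(4)


def find_polling_hosts(text, min_hits=4, max_jitter=0.2):
    """Return {src: mean_gap_seconds} for hosts that hit a Polygon RPC endpoint at least
    min_hits times with beacon-like regularity (std dev of gaps <= max_jitter * mean gap).
    The 0.2 jitter bound is an assumed starting point, not a value from the advisory."""
    hits = defaultdict(list)
    for ts, src, dst, path in parse_log(text):
        if is_polygon_rpc(dst, path):
            hits[(src, dst)].append(ts)
    findings = {}
    for (src, _dst), times in hits.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) <= max_jitter * mean:
            findings[src] = round(mean)
    return findings


if __name__ == "__main__":
    for host, gap in find_polling_hosts(SAMPLE_LOG).items():
        print(f"{host}: polls Polygon RPC every ~{gap}s")
```

On the sample data only ws-finance-07 is flagged; the developer host's irregular traffic is not, which is the point of checking regularity rather than just destination.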