Cybersecurity researchers have disclosed details of a new botnet loader called Aeternum C2 that uses a blockchain-based command-and-control (C2) infrastructure to make it resilient to takedown efforts.
“Instead of relying on traditional servers or domains for command-and-control, Aeternum stores its instructions on the public Polygon blockchain,” Qrator Labs said in a report shared with The Hacker News.
“This network is widely used by decentralized applications, including Polymarket, the world’s largest prediction market. This approach makes Aeternum’s C2 infrastructure effectively permanent and resistant to traditional takedown methods.”
This isn’t the first time botnets have been found relying on blockchain for C2. In 2021, Google said it took steps to disrupt a botnet known as Glupteba that uses the Bitcoin blockchain as a backup C2 mechanism to fetch the actual C2 server address.
Details of Aeternum C2 first emerged in December 2025, when Outpost24’s KrakenLabs revealed that a threat actor by the name of LenAI was advertising the malware on underground forums for $200, which grants customers access to a panel and a configured build. For $4,000, customers were allegedly promised the entire C++ codebase along with updates.
A native C++ loader available in both x32 and x64 builds, the malware works by writing the commands to be issued to the infected host to smart contracts on the Polygon blockchain. The bots then read these commands by querying public remote procedure call (RPC) endpoints.
All of this is managed via the web-based panel, from where customers can select a smart contract, choose a command type, specify a payload URL and update it. The command, which can target all endpoints or a specific one, is written into the blockchain as a transaction, after which it becomes available to every compromised device that is polling the network.
“Once a command is confirmed, it cannot be altered or removed by anyone other than the wallet holder,” Qrator Labs said. “The operator can manage multiple smart contracts simultaneously, each one potentially serving a different payload or function, such as a clipper, a stealer, a RAT, or a miner.”
According to a two-part analysis published by Ctrl Alt Intel earlier this month, the C2 panel is implemented as a Next.js web application that allows operators to deploy smart contracts to the Polygon blockchain. The smart contracts contain a function that, when called by the malware via the Polygon RPC, causes it to return the encrypted command that is subsequently decoded and run on the victim machines.
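A defender-side illustration of the polling pattern described above, added here and not taken from the article or from either vendor's report: it scans constructed egress-proxy records for unrecognised processes that repeatedly issue JSON-RPC `eth_call` reads against the same contract address on a host treated as a public blockchain RPC endpoint. The log layout, the RPC hostname, the process allowlist, the contract address and the assumption that the bot uses the standard read-only `eth_call` method are all assumptions of this example.

```python
import json
from collections import Counter

# Constructed egress-proxy events (process, destination host, HTTP POST body).
# The log format, hostnames and addresses below are assumptions, not from the report.
CONTRACT = "0x" + "ab" * 20            # constructed placeholder contract address
RPC_HOSTS = {"polygon-rpc.example"}    # assumed: hosts you classify as public blockchain RPC endpoints
BROWSER_PROCS = {"chrome.exe", "firefox.exe", "msedge.exe"}  # assumed: processes expected to use them

SAMPLE_EVENTS = [
    {"process": "chrome.exe", "host": "polygon-rpc.example",
     "body": '{"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}'},
    {"process": "update_helper.exe", "host": "crm.example", "body": '{"not": "rpc"}'},
] + [
    # An unrecognised process reading the same contract over and over is the polling pattern.
    {"process": "update_helper.exe", "host": "polygon-rpc.example",
     "body": json.dumps({"jsonrpc": "2.0", "id": i, "method": "eth_call",
                         "params": [{"to": CONTRACT, "data": "0xdeadbeef"}, "latest"]})}
    for i in range(3)
]

def parse_rpc(body):
    """Return (method, to_address) for a JSON-RPC 2.0 body, or None if it is not JSON-RPC."""
    try:
        msg = json.loads(body)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0" or "method" not in msg:
        return None
    params = msg.get("params") or []
    to = None
    if params and isinstance(params[0], dict):
        to = (params[0].get("to") or "").lower() or None
    return msg["method"], to

def find_contract_polling(events, min_calls=2):
    """Count eth_call reads per (process, contract) on RPC hosts and return the
    non-browser processes that read the same contract at least min_calls times."""
    counts = Counter()
    for ev in events:
        if ev["host"] not in RPC_HOSTS:
            continue
        parsed = parse_rpc(ev["body"])
        if parsed is None or parsed[0] != "eth_call" or parsed[1] is None:
            continue
        counts[(ev["process"], parsed[1])] += 1
    return sorted((proc, addr, n) for (proc, addr), n in counts.items()
                  if proc not in BROWSER_PROCS and n >= min_calls)
```

Calling `find_contract_polling(SAMPLE_EVENTS)` on the constructed events flags only `update_helper.exe`, which read the placeholder contract three times; the browser's `eth_blockNumber` call and the non-RPC traffic are ignored.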

Besides using the blockchain to turn it into a takedown-resistant botnet, the malware packs in various anti-analysis features to extend the lifespan of infections. This includes checks to detect virtualized environments, in addition to equipping customers with the ability to scan their builds via Kleenscan to ensure that they aren’t flagged by antivirus vendors.
“The operational costs are negligible: $1 worth of MATIC, the native token of the Polygon network, is enough for 100 to 150 command transactions,” the Czech cybersecurity vendor said. “The operator doesn’t need to rent servers, register domains, or maintain any infrastructure beyond a crypto wallet and a local copy of the panel.”
The threat actor has since attempted to sell the entire toolkit for an asking price of $10,000, citing a lack of time for support and their involvement in another project. “I will sell the entire project to one person with permission for resale and commercial use, with all ‘rights,’” LenAI said. “I will also give useful tips/notes on development that I did not have time to implement.”
It’s worth noting that LenAI is also behind a second crimeware solution called ErrTraffic that allows threat actors to automate ClickFix attacks by generating fake glitches on compromised websites to induce a false sense of urgency and deceive users into following malicious instructions.
The disclosure comes as Infrawatch published details of an underground service that deploys dedicated laptop hardware into American homes to co-opt the devices into a residential proxy network named DSLRoot that redirects malicious traffic through them.
The hardware is designed to run a Delphi-based program called DSLPylon that is equipped with capabilities to enumerate supported modems on the network, as well as remotely control the residential networking equipment and Android devices via an Android Debug Bridge (ADB) integration.
“Attribution analysis identifies the operator as a Belarusian national with residential presence in Minsk and Moscow,” Infrawatch said. “DSLRoot is estimated to operate roughly 300 active hardware devices across 20+ U.S. states.”

The operator has been identified as Andrei Holas (aka Andre Holas and Andrei Golas), with the service promoted on BlackHatWorld by a user operating under the alias GlobalSolutions, claiming to offer physical residential ADSL proxies for sale at $190 per month for unrestricted access. It is also available for $990 for six months and $1,750 for annual subscriptions.
“DSLRoot’s custom software provides automated remote management of consumer modems (ARRIS/Motorola, Belkin, D-Link, ASUS) and Android devices via ADB, enabling IP address rotation and connectivity control,” the company noted. “The network operates without authentication, allowing clients to route traffic anonymously through U.S. residential IPs.”