Current Cyber Threats

Aeternum C2 Botnet Stores Encrypted Commands on Polygon Blockchain to Evade Takedown

Summary:
Aeternum C2 represents a significant evolution in botnet architecture, specifically in its use of the Polygon blockchain for command-and-control (C2) operations. Unlike traditional malware that relies on central servers or domain names, which can be seized or sinkholed, Aeternum stores its instructions within smart contracts on a public, decentralized ledger. This "on-chain" approach ensures that commands are immutable and globally accessible to infected endpoints, making the infrastructure virtually permanent and resistant to standard law enforcement takedowns. The malware is sold as a native C++ loader (supporting x32 and x64 builds) and is equipped with anti-analysis features, such as virtualization checks and cryptographically signed payloads, to maintain persistence and evade detection.

Security Officer Comments:
The emergence of Aeternum C2 is particularly concerning because it breaks the traditional "cat-and-mouse" cycle of infrastructure takedowns. In a standard scenario, once we identify a malicious domain or IP, we can work with service providers to neutralize it. With Aeternum, there is no "off switch" for the C2 channel; as long as the Polygon network exists, the botnet can continue to function. For our IT sector members, this means that even if a breach is remediated, the threat actor can re-engage infected hosts at any time without needing to register new infrastructure. Furthermore, the low operational cost, estimated at $1 for over 100 commands, lowers the barrier to entry for financially motivated actors who may use this loader to drop clippers, info-stealers, or ransomware across critical infrastructure. This shifts the defensive burden from reactive infrastructure blocking to proactive, host-based detection and anomaly-based network monitoring.


Suggested Corrections:
To defend against Aeternum C2 and similar blockchain-based threats, organizations should focus on the communication behavior of the malware rather than static indicators like IP addresses. It is recommended to implement egress filtering to monitor and restrict traffic to common blockchain Remote Procedure Call (RPC) endpoints, which the malware uses to query the Polygon network. Security teams should also deploy behavior-based Endpoint Detection and Response (EDR) solutions to identify the initial loader's anti-analysis routines and the subsequent execution of unauthorized PowerShell or batch scripts. Since the malware often gains a foothold via phishing or exploited software, maintaining a rigorous patch management cycle and enforcing phishing-resistant Multi-Factor Authentication (MFA) remains critical. Finally, given the immutable nature of the C2 channel, incident responders should prioritize full forensic wipes of infected machines to ensure no latent persistent mechanisms remain that could be re-activated by future blockchain transactions.
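As an added illustration of the egress-monitoring recommendation above (example code, not from the article or from any vendor), the script below flags outbound EVM JSON-RPC read calls in proxy logs and surfaces hosts that poll repeatedly. The log schema, hostnames and allowlist are constructed for the example; `eth_call`, `eth_getLogs`, `eth_getStorageAt` and `eth_blockNumber` are standard Ethereum JSON-RPC method names that Polygon nodes, being EVM-compatible, also serve.

```python
import json
from collections import Counter

# Standard Ethereum JSON-RPC read methods, which Polygon (an EVM chain) also serves.
# A loader that fetches commands from a smart contract needs read calls like these.
EVM_READ_METHODS = {"eth_call", "eth_getLogs", "eth_getStorageAt", "eth_blockNumber"}


def parse_rpc_method(body):
    """Return the JSON-RPC method in an HTTP POST body, or None if it is not JSON-RPC."""
    try:
        msg = json.loads(body)
    except (TypeError, ValueError):
        return None
    if isinstance(msg, list):  # batched JSON-RPC: inspect the first request
        msg = msg[0] if msg else {}
    return msg.get("method") if isinstance(msg, dict) and "jsonrpc" in msg else None


def flag_rpc_egress(log_lines, allowed_hosts=frozenset()):
    """Return one finding per outbound EVM read call from a host not on the allowlist.
    log_lines are JSON records with src, dst, http_method and body (constructed schema)."""
    findings = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("http_method") != "POST":
            continue
        method = parse_rpc_method(rec.get("body", ""))
        if method in EVM_READ_METHODS and rec["src"] not in allowed_hosts:
            findings.append({"src": rec["src"], "dst": rec["dst"], "rpc_method": method})
    return findings


def repeat_callers(findings, min_hits=2):
    """Hosts with repeated chain reads: periodic polling for new commands is the pattern to hunt."""
    counts = Counter(f["src"] for f in findings)
    return {src: n for src, n in counts.items() if n >= min_hits}


def rpc(method):  # helper that builds a constructed JSON-RPC request body
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": []})


# Constructed proxy records, not real traffic; hostnames use the reserved .invalid TLD.
SAMPLE_LOGS = [
    json.dumps({"src": "ws-042", "dst": "rpc.polygon-node.invalid", "http_method": "POST", "body": rpc("eth_call")}),
    json.dumps({"src": "ws-042", "dst": "rpc.polygon-node.invalid", "http_method": "POST", "body": rpc("eth_getLogs")}),
    json.dumps({"src": "fin-01", "dst": "rpc.polygon-node.invalid", "http_method": "POST", "body": rpc("eth_call")}),
    json.dumps({"src": "ws-017", "dst": "intranet.corp.invalid", "http_method": "POST", "body": "user=a&pw=b"}),
    json.dumps({"src": "ws-042", "dst": "cdn.corp.invalid", "http_method": "GET", "body": ""}),
]

if __name__ == "__main__":
    hits = flag_rpc_egress(SAMPLE_LOGS, allowed_hosts={"fin-01"})  # fin-01: approved treasury host
    print(hits, repeat_callers(hits))
```

In practice the allowlist holds the few hosts with a documented business need to reach chain RPC endpoints; everything else that issues `eth_call`-style reads is a candidate for EDR triage.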

Link(s):
https://thehackernews.com/2026/02/aeternum-c2-botnet-stores-encrypted.html