SecurityWeek

Aeternum Botnet Loader Employs Polygon Blockchain C&C to Boost Resilience

Aeternum operates on smart contracts, making its command-and-control (C&C) infrastructure difficult to disrupt.

Qrator Labs has shared details on Aeternum C2, a recently discovered botnet loader that relies on the Polygon blockchain for command-and-control (C&C), thus improving its resilience against takedowns.

The malware was first spotted in December 2025, after a threat actor started advertising it on underground forums as operating fully on smart contracts.

The threat actor claimed that commands were delivered to bots in encrypted form via multiple RPC (remote procedure call) networks and validated before execution, completely removing the need for central infrastructure.

The malware was also advertised with anti-VM checks, AV scanning, and support for executing various types of payloads, and was offered at $200 for a lifetime license with panel and build access, or at $4,000 for the full C++ source and ongoing updates.

Bot management is available through a web-based panel that provides the operator with the option to update the available smart contracts with new commands and payloads, Qrator Labs notes.

The commands reach the bots within a few moments. To retrieve them, the bots query public RPC endpoints to read the available smart contracts.
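One way a defender could hunt for this retrieval pattern in TLS-inspected proxy logs, added here as an example and not taken from Qrator Labs or from the malware. The RPC hostnames, the set of JSON-RPC read methods, the allowlist and the tab-separated log layout are all assumptions.

```python
import json
from collections import defaultdict

# Assumptions (not from the article): provider hostnames, allowlist, log layout.
RPC_HOSTS = {"polygon-rpc.com", "rpc.ankr.com", "polygon.llamarpc.com"}
READ_METHODS = {"eth_call", "eth_getLogs", "eth_getStorageAt"}
ALLOWLIST = {"10.0.5.20"}  # hosts sanctioned to use blockchain RPC

# Constructed sample proxy log: source IP, destination host, POST body (tab-separated).
SAMPLE_LOG = [
    '10.0.5.20\tpolygon-rpc.com\t{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[]}',
    '10.0.8.31\tpolygon-rpc.com\t{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[]}',
    '10.0.8.31\trpc.ankr.com\t[{"jsonrpc":"2.0","id":2,"method":"eth_call","params":[]}]',
    '10.0.8.44\tpolygon-rpc.com\t{"jsonrpc":"2.0","id":1,"method":"eth_getLogs","params":[]}',
    '10.0.8.47\tpolygon-rpc.com\t{"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}',
    '10.0.8.52\texample.org\t{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[]}',
    '10.0.8.60\tpolygon-rpc.com\tnot-json',
]

def rpc_methods(body):
    """Return JSON-RPC method names in a body; handles batches and malformed input."""
    try:
        doc = json.loads(body)
    except ValueError:
        return []
    calls = doc if isinstance(doc, list) else [doc]
    return [c["method"] for c in calls
            if isinstance(c, dict) and isinstance(c.get("method"), str)]

def triage(lines):
    """Map each non-allowlisted source to a severity based on its contract reads."""
    providers = defaultdict(set)
    for line in lines:
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue  # skip lines that do not match the assumed layout
        src, host, body = parts
        if src in ALLOWLIST or host.lower() not in RPC_HOSTS:
            continue
        if READ_METHODS.intersection(rpc_methods(body)):
            providers[src].add(host.lower())
    # Reads spread across several providers match the advertised multi-RPC retrieval.
    return {src: ("high" if len(hosts) > 1 else "medium")
            for src, hosts in providers.items()}

if __name__ == "__main__":
    for src, severity in triage(SAMPLE_LOG).items():
        print(src, severity)
```

Hosts with a legitimate reason to read contract state (wallet software, Web3 development machines) belong in the allowlist; the signal is contract reads from endpoints that have no such reason.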

Aeternum also packs a scantime AV scanner, which allows the operators to verify their builds against 37 antivirus engines via the Kleenscan API, Qrator Labs explains.

The main selling point of the botnet, however, is the use of the Polygon blockchain for C&C communication. As Qrator Labs points out, this makes Aeternum’s infrastructure permanent and increases its resilience against takedowns.

The Polygon blockchain is used by numerous decentralized applications, including the world’s largest prediction market, Polymarket, and its use incurs almost no cost for Aeternum’s operators.

“The operational costs are negligible: $1 worth of MATIC, the native token of the Polygon network, is enough for 100 to 150 command transactions. The operator doesn’t need to rent servers, register domains, or maintain any infrastructure beyond a crypto wallet and a local copy of the panel,” Qrator Labs notes.

The Glupteba botnet, which was the target of a takedown effort in December 2021 but remained active and resurged due to its use of the Bitcoin blockchain as a backup C&C channel, illustrates the risks associated with botnets’ use of decentralized networks.

“Whether or not Aeternum itself becomes widely adopted, blockchain-based command and control is now a turnkey product on the underground market. The model is sound, and other malware developers will iterate on it,” Qrator Labs notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
