Cybersecurity researchers have disclosed particulars of a brand new botnet loader referred to as Aeternum C2 that makes use of a blockchain-based command-and-control (C2) infrastructure to make it resilient to takedown efforts.
“As a substitute of counting on conventional servers or domains for command-and-control, Aeternum shops its directions on the general public Polygon blockchain,” Qrator Labs stated in a report shared with The Hacker Information.
“This community is extensively utilized by decentralized functions, together with Polymarket, the world’s largest prediction market. This strategy makes Aeternum’s C2 infrastructure successfully everlasting and immune to conventional takedown strategies.”
This isn’t the primary time botnets have been discovered counting on blockchain for C2. In 2021, Google stated it took steps to disrupt a botnet often known as Glupteba that makes use of the Bitcoin blockchain as a backup C2 mechanism to fetch the precise C2 server deal with.
Particulars of Aeternum C2 first emerged in December 2025, when Outpost24’s KrakenLabs revealed {that a} menace actor by the identify of LenAI was promoting the malware on underground boards for $200 that grants prospects entry to a panel and a configured construct. For $4,000, prospects have been allegedly promised your complete C++ codebase together with updates.
A local C++ loader out there in each x32 and x64 builds, the malware works by writing instructions to be issued to the contaminated host to good contracts on the Polygon blockchain. The bots then learn these instructions by querying public distant process name (RPC) endpoints.
All of that is managed by way of the web-based panel, from the place prospects can choose a wise contract, select a command sort, specify a payload URL and replace it. The command, which may goal all endpoints or a particular one, is written into the blockchain as a transaction, after which it turns into out there to each compromised gadget that is polling the community.
“As soon as a command is confirmed, it can’t be altered or eliminated by anybody aside from the pockets holder,” Qrator Labs stated. “The operator can handle a number of good contracts concurrently, each doubtlessly serving a unique payload or perform, corresponding to a clipper, a stealer, a RAT, or a miner.”
In keeping with a two-part analysis revealed by Ctrl Alt Intel earlier this month, the C2 panel is carried out as a Subsequent.js internet utility that permits operators to deploy good contracts to the Polygon blockchain. The good contracts include a perform that, when referred to as by the malware by way of the Polygon RPC, causes it to return the encrypted command that is subsequently decoded and run on the sufferer machines.
In addition to utilizing the blockchain to show it right into a takedown-resistant botnet, the malware packs in varied anti-analysis options to increase the lifespan of infections. This consists of checks to detect virtualized environments, along with equipping prospects with the power to scan their builds by way of Kleenscan to make sure that they don’t seem to be flagged by antivirus distributors.
“The operational prices are negligible: $1 price of MATIC, the native token of the Polygon community, is sufficient for 100 to 150 command transactions,” the Czechian cybersecurity vendor stated. “The operator would not must lease servers, register domains, or preserve any infrastructure past a crypto pockets and a neighborhood copy of the panel.”
The menace actor has since tried to promote your complete toolkit for an asking value of $10,000, claiming a scarcity of time for help and their involvement in one other undertaking. “I’ll promote your complete undertaking to at least one particular person with permission for resale and industrial use, with all ‘rights,'” LenAI stated. “I may also give helpful suggestions/notes on growth that I didn’t have time to implement.”
It is price noting that LenAI can also be behind a second crimeware resolution referred to as ErrTraffic that allows menace actors to automate ClickFix assaults by producing pretend glitches on compromised web sites to induce a false sense of urgency and deceive customers into following malicious directions.
The disclosure comes as Infrawatch revealed particulars of an underground service that deploys devoted laptop computer {hardware} into American houses to co-opt the units right into a residential proxy community named DSLRoot that redirects malicious site visitors by way of them.
The {hardware} is designed to run a Delphi-based program referred to as DSLPylon that is geared up with capabilities to enumerate supported modems on the community, in addition to remotely management the residential networking tools and Android units by way of an Android Debug Bridge (ADB) integration.
“Attribution evaluation identifies the operator as a Belarusian nationwide with residential presence in Minsk and Moscow,” Infrawatch stated. “DSLRoot is estimated to function roughly 300 lively {hardware} units throughout 20+ U.S. states.”
The operator has been recognized as Andrei Holas (aka Andre Holas and Andrei Golas), with the service promoted on BlackHatWorld by a consumer working below the alias GlobalSolutions, claiming to supply bodily residential ADSL proxies on the market for $190 per 30 days for unrestricted entry. Additionally it is out there for $990 for six months and $1,750 for annual subscriptions.
“DSLRoot’s customized software program offers automated distant administration of shopper modems (ARRIS/Motorola, Belkin, D-Hyperlink, ASUS) and Android units by way of ADB, enabling IP deal with rotation and connectivity management,” the corporate famous. “The community operates with out authentication, permitting shoppers to route site visitors anonymously by way of U.S. residential IPs.”
