Aeternum Botnet Uses Polygon Contracts for C2
Security researchers have identified a botnet named Aeternum that is reportedly using smart contracts on the Polygon blockchain as its command-and-control (C2) infrastructure. The technique is considered an innovative, albeit malicious, use of blockchain technology to create a more resilient and decentralized C2 mechanism for malware operations.
The Aeternum botnet, first advertised on underground forums in December 2025, is being sold as a native C++ loader for both x32 and x64 systems. A lifetime license, including access to a web-based management panel and builds, was offered for just $200, with the full C++ source code available for $4,000. This commercialization makes blockchain-based C2 a turnkey product on the criminal market.
Operators manage the botnet via a web dashboard that allows them to select a smart contract and specify a payload URL, which could include anything from cryptocurrency miners and remote access tools to information-stealing DLLs. Once the command is submitted as a transaction to the Polygon blockchain, infected bots retrieve their encrypted instructions by querying public RPC endpoints. New commands reportedly reach all active bots within a few minutes.
The primary advantage of this architecture is its extreme resilience against traditional takedown efforts, which typically target centralized servers or domains. Because the commands are stored immutably on a distributed ledger, there is no single point of failure for security firms or law enforcement to attack. This method is also incredibly cost-effective for attackers. Researchers at Qrator Labs, the firm that analyzed Aeternum, noted that the operational costs are negligible. Just $1 worth of MATIC, Polygon's native token, is sufficient to fund 100 to 150 command transactions, eliminating the need to rent servers or register domains.
While novel, Aeternum isn't the first malware to leverage a blockchain. In 2021, Google disrupted the Glupteba botnet, which used the Bitcoin blockchain as a backup C2 channel to recover after its primary infrastructure was taken down. Aeternum, however, appears to use the blockchain as its primary communication layer, representing a significant evolution of the technique.
To hinder analysis, the malware includes checks to detect if it's running in a virtual machine. The botnet's seller also provides a scantime AV scanner, allowing operators to check their builds against 37 antivirus engines via the Kleenscan API to ensure their payloads are not easily flagged.
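A defensive hunt for the behaviour described above, where infected bots poll public RPC endpoints for commands, as an added example that is not from the article or from Qrator Labs' analysis: it flags host and process pairs that contact Polygon RPC hostnames at regular intervals from software not expected to do so. The hostname list, process allowlist, log format and thresholds are assumptions, and the log lines are constructed.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Assumption: well-known public Polygon RPC hostnames, listed for illustration.
# They are not indicators from the Aeternum analysis; maintain your own list.
POLYGON_RPC_HOSTS = {"polygon-rpc.com", "polygon.llamarpc.com",
                     "polygon-mainnet.infura.io", "polygon-mainnet.g.alchemy.com"}
# Assumption: processes expected to reach blockchain RPC in this environment.
ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed proxy log: timestamp, host, process, destination (names invented).
SAMPLE_LOG = """\
2026-01-10T09:00:05,WS-014,chrome.exe,polygon-rpc.com
2026-01-10T09:02:05,WS-014,chrome.exe,polygon-rpc.com
2026-01-10T09:00:00,WS-022,svcupd.exe,polygon-rpc.com
2026-01-10T09:02:01,WS-022,svcupd.exe,polygon-rpc.com
2026-01-10T09:03:59,WS-022,svcupd.exe,polygon-rpc.com
2026-01-10T09:06:00,WS-022,svcupd.exe,polygon-rpc.com
2026-01-10T09:08:02,WS-022,svcupd.exe,polygon-rpc.com
2026-01-10T10:15:00,WS-031,python.exe,polygon.llamarpc.com
2026-01-10T10:15:02,WS-031,python.exe,polygon.llamarpc.com
2026-01-10T09:00:00,WS-050,node.exe,polygon-mainnet.infura.io
2026-01-10T09:00:10,WS-050,node.exe,polygon-mainnet.infura.io
2026-01-10T09:30:00,WS-050,node.exe,polygon-mainnet.infura.io
2026-01-10T11:00:00,WS-050,node.exe,polygon-mainnet.infura.io
"""

def find_rpc_pollers(log_text, min_hits=4, max_jitter=0.25):
    """Return {(host, process): median_gap_seconds} for unexpected regular pollers."""
    hits = defaultdict(list)
    for ts, host, proc, dest in csv.reader(io.StringIO(log_text)):
        if dest.lower() in POLYGON_RPC_HOSTS and proc.lower() not in ALLOWED_PROCESSES:
            hits[(host, proc)].append(datetime.fromisoformat(ts))
    findings = {}
    for key, times in hits.items():
        if len(times) < min_hits:
            continue  # too few requests to call it polling
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        # Beacon-like: every gap stays within max_jitter of the median gap.
        if median > 0 and all(abs(g - median) <= max_jitter * median for g in gaps):
            findings[key] = median
    return findings
```

Because the RPC traffic is HTTPS, this relies only on destination and timing, so a hit is a lead for endpoint triage of the process rather than proof of infection.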