Qrator Labs researchers uncovered Aeternum, a botnet that runs its command-and-control infrastructure through smart contracts on the Polygon blockchain. By decentralizing its C2, the malware avoids traditional server-based takedowns and becomes far harder to disrupt or shut down, significantly increasing its resilience and persistence in the wild.
“Instead of relying on traditional servers or domains for command and control, Aeternum stores its instructions on the public Polygon blockchain. This network is widely used by decentralized applications, including Polymarket, the world’s largest prediction market,” reads the report published by Qrator Labs. “This approach makes Aeternum’s C2 infrastructure effectively permanent and resistant to traditional takedown methods.”
Aeternum is a C++ botnet loader offered in both 32- and 64-bit versions that uses the Polygon blockchain as its command-and-control backbone. Operators write commands into smart contracts on Polygon. Infected machines poll public RPC endpoints, read the on-chain instructions, and execute them.
Using a web dashboard, operators pick a smart contract, choose what action to send, add a payload URL, and then send the command as a blockchain transaction. Once confirmed, the instruction becomes immutable and accessible to all infected hosts, typically within minutes.
Operators can manage multiple contracts at once, each tied to different payloads like stealers, clippers, RATs, or miners. A ping feature also allows tracking of active infections and precise targeting using hardware IDs and HTTP fingerprinting.
Blockchain-based C2 changes the botnet takedown playbook. Traditional botnets rely on domains, IPs, or servers that defenders can seize, suspend, or sinkhole. Aeternum avoids those weak points by storing commands on the Polygon blockchain, where they are replicated across thousands of nodes and reachable through many RPC endpoints. There is no central server to shut down. Past cases like Glupteba used blockchain only as a backup channel; Aeternum makes it the primary one, removing traditional disruption options.
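The on-chain side of this design cannot be seized, but the client side still has to talk to an RPC endpoint on a schedule, and that is observable from the network. The following is an added example, not code from Qrator Labs or from the Aeternum panel: a small Python beacon detector that parses constructed proxy-log lines carrying EVM JSON-RPC bodies, groups `eth_call` requests by source host, process and target contract, and flags groups whose call cadence is suspiciously regular. The hostnames, process names, contract addresses, thresholds and the log format are all assumptions made for the example.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log (not real traffic). One record per line:
#   <ISO-8601 time> <source host> <process> <destination host> <JSON-RPC body>
# Destination host and contract addresses are placeholders.
SAMPLE_LOG = "\n".join([
    # ws-17: six eth_call requests to the same contract, exactly 60 s apart
    *[
        f'2025-01-10T09:{m:02d}:00Z ws-17 svchost32.exe rpc.polygon-node.example '
        '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":'
        '"0x00000000000000000000000000000000000c0c0c","data":"0xdeadbeef"},"latest"]}'
        for m in range(6)
    ],
    # ws-03: a browser wallet making two unrelated calls, not a beacon
    '2025-01-10T09:01:13Z ws-03 firefox.exe rpc.polygon-node.example '
    '{"jsonrpc":"2.0","id":7,"method":"eth_blockNumber","params":[]}',
    '2025-01-10T09:04:51Z ws-03 firefox.exe rpc.polygon-node.example '
    '{"jsonrpc":"2.0","id":8,"method":"eth_call","params":[{"to":'
    '"0x000000000000000000000000000000000000aaaa","data":"0x70a08231"},"latest"]}',
])


def parse_line(line):
    """Split one log line into fields; return None for anything unparseable."""
    parts = line.split(" ", 4)
    if len(parts) != 5:
        return None
    ts, src, proc, dst, body = parts
    try:
        rpc = json.loads(body)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except (ValueError, json.JSONDecodeError):
        return None
    # eth_call carries the target contract in params[0]["to"]; other
    # methods (eth_blockNumber etc.) have no contract and yield "".
    params = rpc.get("params") or [{}]
    first = params[0] if isinstance(params[0], dict) else {}
    return {"time": when, "src": src, "proc": proc, "dst": dst,
            "method": rpc.get("method"), "contract": first.get("to", "").lower()}


def find_beacons(log_text, min_calls=5, max_cv=0.2):
    """Return (host, process, contract) groups whose eth_call timing is regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between consecutive calls; a polling loop with a fixed sleep
    produces a CV near zero, while interactive wallet use does not.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "eth_call" and rec["contract"]:
            groups[(rec["src"], rec["proc"], rec["contract"])].append(rec["time"])

    findings = []
    for (src, proc, contract), times in groups.items():
        if len(times) < min_calls:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # A burst with identical timestamps has mean 0; treat it as not-a-beacon
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "proc": proc, "contract": contract,
                             "calls": len(times), "mean_interval_s": mean,
                             "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['src']} {f['proc']} -> {f['contract']}: "
              f"{f['calls']} eth_call every ~{f['mean_interval_s']:.0f}s (cv={f['cv']})")
```

The finding is a triage lead, not a verdict: legitimate dapps and wallet extensions also poll RPC endpoints, so the process name and the contract address are what an analyst checks next, and the `min_calls` and `max_cv` thresholds should be tuned against the baseline of RPC traffic actually seen on the network.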
Aeternum is sold either as a lifetime package with a ready-to-use panel or as full C++ source code with updates. Operating costs remain minimal: about $1 in MATIC can fund over 100 blockchain command transactions, with no need for servers or domains, just a crypto wallet and the control panel.
The malware also includes anti-VM checks to evade sandbox analysis and a built-in AV scanner to test detection rates before deployment, lowering barriers for running a resilient, stealthy botnet.
“The seller bundles a scantime AV scanner powered by the Kleenscan API, allowing operators to check their builds against 37 antivirus engines before deployment,” continues the report. “The results shown in the seller’s screenshots indicate only 12 out of 37 engines flagging the sample, with major vendors including CrowdStrike, Avast, Avira, and ClamAV all returning ‘undetected.’ These results represent a point-in-time snapshot and detection rates will change as vendors update their signatures.”
Even if Aeternum itself doesn’t gain mass adoption, blockchain-based C2 is now a ready-made underground product. The model is effective and likely to be reused and refined by other malware developers. Botnets built this way could last longer, grow larger, and power large-scale attacks such as DDoS, credential stuffing, click fraud, and proxy services.
“Traditional upstream takedowns become harder when the C2 channel is immutable, and even if the botnet malware is removed from every infected machine, the operator can redeploy using the same smart contracts without rebuilding anything,” concludes the report. “This makes proactive DDoS mitigation more important than ever: if such botnets can’t be taken down at the source, defenders must focus on filtering malicious traffic at the edge.”
(SecurityAffairs – hacking, botnet)