Researchers Unveil Aeternum C2 Infrastructure with Advanced Evasion and Persistence Tactics


For years, defenders have relied on a simple strategy to dismantle botnets: find and seize their command-and-control (C2) servers.

That dependence on central servers enabled global law enforcement operations to disrupt massive botnets such as Emotet, TrickBot, and QakBot. But a newly identified C2 framework, Aeternum, may render those tactics obsolete.

Instead of using centralized servers or domains, Aeternum writes every command, such as payload delivery or configuration updates, to smart contracts. Infected machines then query public RPC (remote procedure call) endpoints to fetch instructions.

This design makes Aeternum’s control infrastructure effectively permanent. Transactions stored on the blockchain cannot be censored, modified, or seized, and are replicated across thousands of nodes worldwide.

Researchers at Qrator Research Lab discovered Aeternum, a C++ botnet loader that operates entirely through the Polygon blockchain.

Traditional takedown methods like null-routing IPs or suspending malicious domains don’t apply.

Inside the Aeternum Panel

Screenshots from underground forums show a polished web dashboard where operators can select active smart contracts, issue new commands, and track infected devices. Command propagation appears highly efficient: all online bots receive updates within minutes.

The seller claims all online bots receive new commands within two to three minutes, which would compare favourably to peer-to-peer botnets where command propagation can be slow and unreliable.

A successful command transaction on the Polygon blockchain (Source : Qrator).

Each command transaction, once written to the blockchain, becomes immutable. Operators can manage multiple contracts simultaneously, each linked to distinct payloads such as information stealers, cryptocurrency miners, or RATs.

Individual bots can even be targeted by hardware ID (HWID), allowing precise campaign control.

The emergence of blockchain-based C2 follows earlier experiments, such as Glupteba, which used Bitcoin transactions to store backup domain data.

While Glupteba primarily relied on traditional HTTPS servers (which Google disrupted in 2021), Aeternum eliminates that dependency entirely. It has no centralized fallback, meaning there’s no conventional infrastructure for defenders to seize.

Because commands reside permanently on a decentralized ledger, any infected device can retrieve them via more than 50 Polygon RPC gateways.

Hosting providers can null-route IPs. Law enforcement can seize physical servers. Even P2P botnets have been disrupted by poisoning their routing tables or sinkholing known peers.


The built-in RPC endpoint checker showing working Polygon nodes (Source : Qrator).

Even if security teams remove the malware from every endpoint, the underlying control logic persists on-chain and remains reusable for future attacks.
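As an added illustration (not from Qrator's report and not Aeternum's own code), the following Python sketch shows one way a defender could look for the polling pattern this design implies: hosts that issue contract-read JSON-RPC calls (eth_call / eth_getLogs) to public Polygon gateways on a steady cadence. The log format, gateway hostnames, sample records and thresholds are constructed assumptions; a real deployment would match against the gateway hostnames its proxy actually sees.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed placeholder hostnames standing in for public Polygon JSON-RPC gateways (not real IoCs).
RPC_GATEWAYS = {"rpc-gateway-1.example", "rpc-gateway-2.example"}
# JSON-RPC methods a bot needs in order to read a contract's state or its event log.
READ_METHODS = {"eth_call", "eth_getLogs"}

# Constructed egress-proxy records: unix_ts,src_host,dst_host,jsonrpc_method
SAMPLE_LOG = """\
1000,ws-17,rpc-gateway-1.example,eth_call
1030,dev-04,rpc-gateway-2.example,eth_call
1150,ws-17,rpc-gateway-1.example,eth_call
1200,fin-02,rpc-gateway-1.example,eth_blockNumber
1301,ws-17,rpc-gateway-1.example,eth_call
1449,ws-17,rpc-gateway-1.example,eth_call
1600,ws-17,rpc-gateway-1.example,eth_call
1752,ws-17,rpc-gateway-1.example,eth_call
1000,dev-04,rpc-gateway-2.example,eth_call
1900,dev-04,rpc-gateway-2.example,eth_getLogs
2005,dev-04,rpc-gateway-2.example,eth_call
2400,dev-04,rpc-gateway-2.example,eth_call
"""


def parse_log(text):
    """Turn the constructed CSV-style proxy log into (ts, src, dst, method) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, method = line.split(",")
        records.append((int(ts), src, dst, method))
    return records


def find_polling_hosts(records, min_requests=5, max_jitter=0.1):
    """Return {(src, dst): mean_interval_s} for hosts that read contract state from a
    gateway at a regular cadence. A single lookup or irregular developer traffic is
    ignored: only many requests with low timing jitter look like a loader polling."""
    by_pair = defaultdict(list)
    for ts, src, dst, method in records:
        if dst in RPC_GATEWAYS and method in READ_METHODS:
            by_pair[(src, dst)].append(ts)
    alerts = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            alerts[pair] = round(avg, 1)
    return alerts


if __name__ == "__main__":
    print(find_polling_hosts(parse_log(SAMPLE_LOG)))
```

In the constructed data only ws-17 is flagged (six eth_call requests roughly every 150 seconds), while dev-04's irregular bursts and fin-02's single eth_blockNumber lookup are not.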

Implications

The Aeternum kit is sold on darknet marketplaces as either a lifetime license or full source code. Its operating cost is minimal: around $1 in MATIC tokens covers over 100 command updates. That negligible expense sharply lowers the barrier for cybercriminals seeking long-lasting control networks.

The contract management panel showing 13 active smart contracts (Source : Qrator).

To evade detection, Aeternum integrates anti-virtual machine checks, preventing execution in sandboxed environments.

It also includes a scantime antivirus scanner using the Kleenscan API, letting attackers verify undetectability across dozens of security engines before deployment.

Security experts warn that as similar frameworks emerge, defenders will need to adapt, focusing less on takedowns at the source and more on proactive DDoS mitigation and traffic filtering at the network edge. In the age of immutable infrastructure, the battlefield is shifting from servers to the blockchain itself.

Aeternum represents a significant escalation in the arms race between cybercriminals and defenders. Blockchain-based C2s could usher in a new class of persistent, infrastructure-less botnets, harder to sinkhole or disrupt.
