GBHackers

Void Botnet Leverages Ethereum for Resilient C2


A newly identified botnet, named Void, is leveraging Ethereum smart contracts to build a resilient, hard-to-disrupt command-and-control (C2) infrastructure, marking a continued evolution in blockchain-enabled cybercrime.

Discovered in March 2026 and advertised on a Russian-language cybercrime forum, Void Botnet follows closely behind the earlier Aeternum C2 campaign documented by Qrator Labs, but introduces notable differences in implementation and design.

Unlike Aeternum, which used Polygon and was written in C++, Void Botnet is developed in Rust and relies on Ethereum blockchain smart contracts to deliver commands to infected systems.

The malware is attributed to a developer operating under the alias “TheVoidStl,” with related tools including TheVoidStealer and Void Miner.

Infected machines periodically query public Remote Procedure Call (RPC) endpoints to retrieve commands, typically every three to five minutes.

The Void Botnet listing, March 2026 (Source: Qrator Labs).

This decentralized approach removes reliance on traditional infrastructure such as domains or centralized servers, making takedown efforts significantly more challenging.

Since blockchain data is immutable and globally distributed, there is no single point of failure for defenders to target.

According to Qrator Labs, Void Botnet uses a dual-mode command-and-control architecture embedded within a single binary. The primary mode relies on Ethereum smart contracts, where operators write encrypted instructions directly to the blockchain.

The second mode provides a centralized alternative via a web-based control panel. This allows operators to issue commands in near real-time, with task execution occurring in under 30 seconds.

Operators can dynamically switch between decentralized and centralized modes by updating the smart contract, balancing operational speed with resilience.


The Void Botnet control panel provides comprehensive visibility and control over infected hosts. Each compromised machine is listed with detailed telemetry, including geographic location, operating system, installed antivirus software, and privilege level.

Panel statistics showing 17 online bots and antivirus distribution (Source: Qrator Labs).

Operators can deploy payloads in multiple formats, including executables, DLLs, MSI packages, and PowerShell scripts.

A key feature is in-memory execution, which enables malware to run directly in process memory without touching disk, effectively bypassing traditional file-based detection mechanisms.

Additional capabilities include:

  • Reverse shell and PowerShell-based remote access for interactive control.
  • Reverse proxy functionality to route traffic through infected systems.
  • Self-update and self-delete options for lifecycle management.
  • Task tracking and execution logs to monitor success rates across bots.

Task execution history showing RunInMemory and ReverseShell results (Source: Qrator Labs).

In observed demonstrations, tasks such as in-memory payload execution and reverse shell access were successfully deployed across multiple infected systems, highlighting the botnet’s operational maturity.

MITRE ATT&CK Mapping

Void Botnet activity aligns with several MITRE ATT&CK techniques, including:

  • T1102: Use of Ethereum blockchain as a web service-based C2 channel.
  • T1071.001: Communication over HTTP/HTTPS for RPC queries and panel interaction.
  • T1059.001 and T1059.003: PowerShell and CMD-based execution for remote control.
  • T1620: Reflective code loading for fileless execution.
  • T1053.005: Persistence via scheduled tasks.
  • T1140: Runtime decryption of payloads.
  • T1090.002: Use of compromised hosts as proxy infrastructure.
  • T1082: System reconnaissance during bot registration.
  • T1070.004: Artifact removal through self-deletion.

The emergence of Void Botnet just weeks after the Aeternum campaign suggests a growing trend toward blockchain-based C2 frameworks.

Despite differences in developers and underlying platforms, both botnets demonstrate a shared goal: creating infrastructure that resists seizure and disruption.

This shift poses a significant challenge for defenders. Without centralized servers or domains to target, traditional mitigation strategies become less effective.

As a result, organizations must prioritize proactive defenses such as bot mitigation, behavioral detection, and network traffic analysis to identify compromised systems early.
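One way to act on that recommendation, as an added example that is not from the article or from Qrator Labs: a Python sketch that scans proxy logs for hosts whose contract-read JSON-RPC calls to an Ethereum endpoint recur at a steady three-to-five-minute cadence, the polling interval reported above. The log format, hostnames, endpoint and timestamps are all constructed for the example.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log ("<ISO time> <src> <dst> <JSON-RPC body>"); hosts and endpoint are
# made up. ws-17 polls a contract every ~4 min like a Void bot; ws-02 is a developer.
SAMPLE_LOG = """\
2026-03-10T09:00:00Z ws-17 eth-rpc.example.net {"method":"eth_call","params":[]}
2026-03-10T09:04:03Z ws-17 eth-rpc.example.net {"method":"eth_call","params":[]}
2026-03-10T09:07:58Z ws-17 eth-rpc.example.net {"method":"eth_call","params":[]}
2026-03-10T09:12:01Z ws-17 eth-rpc.example.net {"method":"eth_call","params":[]}
2026-03-10T09:16:00Z ws-17 eth-rpc.example.net {"method":"eth_call","params":[]}
2026-03-10T09:01:12Z ws-02 eth-rpc.example.net {"method":"eth_call","params":[]}
2026-03-10T09:01:40Z ws-02 eth-rpc.example.net {"method":"eth_call","params":[]}
2026-03-10T09:30:05Z ws-02 eth-rpc.example.net {"method":"eth_call","params":[]}
2026-03-10T09:31:00Z ws-02 eth-rpc.example.net {"method":"eth_blockNumber","params":[]}
"""
# Methods that read contract state; a bot fetching commands from a contract needs one
# of these, whereas wallet software mostly sends transactions or checks balances.
READ_METHODS = {"eth_call", "eth_getLogs", "eth_getStorageAt"}

def parse(log_text):
    """Yield (timestamp, src, dst, method); malformed lines are skipped."""
    for line in log_text.splitlines():
        try:
            ts, src, dst, body = line.split(" ", 3)
            method = json.loads(body).get("method", "")
        except ValueError:  # bad field count or bad JSON (JSONDecodeError is a ValueError)
            continue
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, method

def find_beacons(log_text, lo=180, hi=300, max_jitter=0.10, min_hits=4):
    """Return {(src, dst): median gap in s} for steady contract reads within [lo, hi] s."""
    times = defaultdict(list)
    for ts, src, dst, method in parse(log_text):
        if method in READ_METHODS:
            times[(src, dst)].append(ts)
    flagged = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = statistics.median(gaps)
        # Low spread relative to the median is the clockwork signature of a poller.
        if lo <= med <= hi and statistics.pstdev(gaps) / med <= max_jitter:
            flagged[key] = med
    return flagged
```

Thresholds are a starting point: legitimate dapps also poll, so the hit list is a triage queue to correlate with the process making the request, not a verdict.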

Void Botnet’s use of Ethereum highlights how legitimate decentralized technologies are increasingly being repurposed for malicious operations, signaling a new phase in botnet evolution where resilience and persistence are built directly into the infrastructure.
