Aeternum C2: When Botnet Command-and-Control Moves to the Polygon Blockchain
- Javier Conejo del Cerro
- 17 hours ago
- 3 min read

A new botnet loader dubbed Aeternum C2 makes its command-and-control takedown-resistant by embedding encrypted instructions directly into smart contracts on the Polygon blockchain. Instead of relying on servers or domains that can be seized, the malware uses confirmed on-chain transactions, which nobody can delete, as its command channel. Advertised since December 2025 by a threat actor known as LenAI, the toolkit is sold for $200 (panel plus configured build), $4,000 (full C++ source code), and reportedly $10,000 for the entire project.
Phase 1: Commercialization in Underground Markets
Aeternum C2 first surfaced publicly in December 2025, when Outpost24’s KrakenLabs identified LenAI promoting the loader on underground forums.
The pricing structure reveals a clear commercialization strategy:
$200 – Access to panel + compiled build
$4,000 – Entire C++ codebase with updates
$10,000 – Full project sale with resale rights
The malware is written in native C++, available in 32-bit (x86) and 64-bit (x64) builds, and positioned as a turnkey solution for operators who want resilient infrastructure without managing servers or domains.
LenAI is also linked to another crimeware product, ErrTraffic, which automates ClickFix-style social engineering attacks by generating fake glitch prompts on compromised websites.
Phase 2: Blockchain-Based Command Infrastructure
Instead of hosting C2 instructions on conventional infrastructure, Aeternum writes encrypted commands into smart contracts deployed on the Polygon blockchain.
The operational model works as follows:
Operators use a Next.js-based web panel.
The panel deploys or selects a smart contract on Polygon.
Encrypted command data (payload URL + command type) is written into the blockchain as a transaction.
Infected bots poll public Polygon RPC endpoints.
The malware retrieves, decrypts, and executes the command locally.
Because confirmed blockchain transactions are immutable and replicated across every node, no hosting provider, registrar, or law-enforcement request can remove or alter a published command; only the wallet that controls the contract can issue new ones, and even then the earlier transactions remain in the chain's history.
Operational costs are negligible:
Approximately $1 worth of MATIC (Polygon's gas token, since rebranded POL) covers 100–150 command transactions.
No servers, domain registration, or hosting required.
Infrastructure consists only of a crypto wallet and a local panel copy.
This architecture makes traditional takedown efforts, such as domain sinkholing and server seizure, largely ineffective.
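To make the operator-to-bot round trip concrete, the following Python model is an added example written for this page; it is not Aeternum's code and the page does not describe its internals. It assumes the bot reads contract state with an `eth_call` JSON-RPC request (the page only says bots "poll public Polygon RPC endpoints"), uses a hypothetical 4-byte getter selector, and stands in a SHA-256 keystream XOR for whatever cipher the malware actually uses. The ABI layout of a dynamic `bytes` return value is the real Solidity ABI encoding, which is what an analyst has to decode when pulling such payloads off a chain. The fake RPC server keeps an append-only transaction history to show why overwriting a command does not erase the old one.

```python
import hashlib
import json
from typing import Dict, List, Optional


# --- Toy cipher (assumption): SHA-256 keystream XOR with an 8-byte nonce.
# The page does not say which cipher Aeternum uses; this only makes the round trip concrete.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    assert len(nonce) == 8
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:8], blob[8:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# --- Solidity ABI encoding of a single dynamic `bytes` return value (real layout):
# 32-byte offset (0x20) | 32-byte length | data right-padded to a 32-byte boundary.
def abi_encode_bytes(data: bytes) -> str:
    pad = (-len(data)) % 32
    body = (32).to_bytes(32, "big") + len(data).to_bytes(32, "big") + data + b"\x00" * pad
    return "0x" + body.hex()


def abi_decode_bytes(hexstr: str) -> bytes:
    raw = bytes.fromhex(hexstr[2:])
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length]


class FakePolygonRPC:
    """Stand-in for a public Polygon JSON-RPC endpoint (constructed for this example).
    Contract state is a dict; every write is appended to an append-only history,
    mirroring the fact that confirmed transactions cannot be deleted."""

    def __init__(self) -> None:
        self.state: Dict[str, bytes] = {}
        self.history: List[dict] = []

    def send_tx(self, contract: str, data: bytes) -> str:
        txhash = "0x" + hashlib.sha256(data + len(self.history).to_bytes(4, "big")).hexdigest()
        self.history.append({"hash": txhash, "to": contract, "input": data})
        self.state[contract] = data          # latest state is what a getter returns
        return txhash

    def handle(self, request: dict) -> dict:
        assert request["method"] == "eth_call"
        call, _block = request["params"]
        result = abi_encode_bytes(self.state.get(call["to"].lower(), b""))
        return {"jsonrpc": "2.0", "id": request["id"], "result": result}


# Operator side: encrypt "command type + payload URL" and write it into the contract.
def publish_command(rpc: FakePolygonRPC, contract: str, key: bytes,
                    cmd_type: str, payload_url: str, nonce: bytes) -> str:
    blob = encrypt(key, nonce, json.dumps({"cmd": cmd_type, "url": payload_url}).encode())
    return rpc.send_tx(contract.lower(), blob)


# Bot side: build the JSON-RPC body a defender would see on the wire (assumed eth_call
# to a getter with a hypothetical selector), ABI-decode the result, then decrypt.
def bot_poll(rpc: FakePolygonRPC, contract: str, key: bytes) -> Optional[dict]:
    request = {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
               "params": [{"to": contract, "data": "0x7a1b2c3d"}, "latest"]}
    response = rpc.handle(request)
    blob = abi_decode_bytes(response["result"])
    if not blob:                          # contract holds no command yet
        return None
    return json.loads(decrypt(key, blob))


if __name__ == "__main__":
    rpc, key = FakePolygonRPC(), b"\x01" * 32
    c2 = "0x0123456789abcdef0123456789abcdef01234567"   # hypothetical contract address
    publish_command(rpc, c2, key, "stealer", "https://example.invalid/s.bin", b"nonce001")
    print(bot_poll(rpc, c2, key))
    publish_command(rpc, c2, key, "miner", "https://example.invalid/m.bin", b"nonce002")
    print(bot_poll(rpc, c2, key), "history length:", len(rpc.history))
```

The defender-relevant detail is the request body: a stock `eth_call` to a fixed contract address with a fixed selector, repeated on a timer, is indistinguishable at the transport layer from a wallet checking a token balance, so the detection has to come from the polling cadence and from what the host does after each poll.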
Phase 3: Payload Delivery and Modular Abuse
Each smart contract can serve different payload types. Supported payload categories include:
Clipper malware
Information stealers
Remote Access Trojans (RATs)
Cryptocurrency miners
Commands can target all infected endpoints or specific bots.
The malware also incorporates anti-analysis mechanisms:
Virtual machine detection
Anti-debugging techniques
Pre-deployment AV scans through Kleenscan, a no-distribute multi-engine scanning service
These protections aim to extend infection lifespan and reduce detection rates before deployment.
Parallel Threat: DSLRoot Residential Proxy Infrastructure
In parallel research, Infrawatch uncovered a separate but related underground ecosystem: DSLRoot, a residential proxy network operating roughly 300 hardware devices across 20+ U.S. states.
Attribution analysis links DSLRoot to a Belarusian national:
Andrei Holas (aka Andre Holas / Andrei Golas)
Residential presence in Minsk and Moscow
DSLRoot operates through dedicated physical laptop hardware installed in American homes. The devices run a Delphi-based program named DSLPylon, capable of:
Enumerating supported consumer modems (ARRIS/Motorola, Belkin, D-Link, ASUS)
Remotely controlling networking equipment
Managing Android devices via ADB integration
Enabling IP rotation and connectivity control
The service is sold without any buyer verification and priced at:
$190 per month
$990 for six months
$1,750 annually
This infrastructure allows malicious traffic to be routed anonymously through U.S. residential IP space, increasing operational stealth.
Strategic Implications
Aeternum C2 illustrates a broader trend: decentralization of criminal infrastructure.
Key implications include:
Traditional domain or server takedowns become ineffective.
Blockchain immutability provides persistence advantages.
Minimal operational cost lowers the barrier to entry.
Modular payload support enables multi-stage campaigns.
Combining blockchain C2 with residential proxy ecosystems would further increase anonymity.
The use of blockchain for C2 is not unprecedented (e.g., Glupteba’s Bitcoin-based fallback), but Aeternum operationalizes it as a primary infrastructure layer rather than a backup.
Defensive Measures
Organizations should implement layered monitoring focused on behavioral anomalies rather than infrastructure reputation alone:
Monitor outbound traffic to public Polygon RPC endpoints; legitimate wallets and dapps use the same endpoints, so baseline normal usage before alerting
Detect repeated, machine-regular polling of the same smart contract from a single host
Flag hosts that pull contract data over JSON-RPC and then fetch a second-stage URL or spawn a new process
Inspect suspicious binaries for embedded contract addresses, RPC URLs, and JSON-RPC method strings
Identify anti-VM and sandbox-evasion routines
Monitor anomalous payload execution chains (clipper/stealer/RAT/miner behavior)
Detect unusual residential proxy traffic and abnormal IP rotation patterns
Track outbound traffic consistent with ADB-controlled Android endpoints
Given the decentralized infrastructure, detection must focus on endpoint telemetry, behavioral analytics, and network anomaly detection.
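The polling-cadence check from the list above, as an added example that is not part of the original article: a small Python detector run over constructed proxy-log lines (one JSON object per line with source host, destination host, timestamp and the JSON-RPC body). It groups read calls to watched Polygon RPC hosts by (source host, contract address), and flags a pair once it has enough polls whose inter-arrival jitter is low enough to look machine-timed. The RPC host list, the read methods, and the thresholds are assumptions to tune against your own traffic; the page does not state which method Aeternum uses. The ERC-20 selectors in the "developer" traffic (`name()`, `symbol()`, `totalSupply()`) are real; the contract addresses are placeholders.

```python
import json
import statistics
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed watch-list of public Polygon JSON-RPC hosts (polygon-rpc.com is the chain's
# documented public endpoint; extend with whatever providers your proxy logs show).
POLYGON_RPC_HOSTS = {"polygon-rpc.com", "polygon.llamarpc.com"}
# JSON-RPC read methods a bot could use to fetch on-chain data (assumption: the page
# only says bots "poll public RPC endpoints", not which method).
READ_METHODS = {"eth_call", "eth_getLogs", "eth_getStorageAt"}
MIN_POLLS = 5        # fewer events than this is too little to judge periodicity
MAX_JITTER = 0.2     # pstdev/mean of inter-poll gaps at or below this = machine-timed


def _target(method: str, params: list) -> str:
    """Contract address a read call is aimed at, lower-cased."""
    if method == "eth_call":
        return str(params[0].get("to", "")).lower()
    if method == "eth_getLogs":
        return str(params[0].get("address", "")).lower()
    return str(params[0]).lower()          # eth_getStorageAt: address is the first param


def detect_polling(log_text: str) -> List[Dict]:
    seen = defaultdict(list)               # (src, contract) -> list of timestamps
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["dst_host"] not in POLYGON_RPC_HOSTS:
            continue
        body = ev["body"]
        if body.get("method") not in READ_METHODS:
            continue
        ts = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        seen[(ev["src"], _target(body["method"], body["params"]))].append(ts)

    findings = []
    for (src, contract), stamps in seen.items():
        if len(stamps) < MIN_POLLS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= MAX_JITTER:
            findings.append({"src": src, "contract": contract, "polls": len(stamps),
                             "mean_interval_s": round(mean, 1), "jitter": round(jitter, 3)})
    return findings


# --- Constructed sample log: ws01 hits one contract every ~60 s with a fixed selector
# (bot-like); ws02 makes a few irregular, varied reads (developer-like).
def _event(src: str, dst: str, t: datetime, method: str, params: list) -> str:
    return json.dumps({"ts": t.strftime("%Y-%m-%dT%H:%M:%SZ"), "src": src, "dst_host": dst,
                       "body": {"jsonrpc": "2.0", "id": 1, "method": method, "params": params}})


def build_sample_log() -> str:
    t0 = datetime(2026, 2, 10, 9, 0, 0)
    c2 = "0x0123456789abcdef0123456789abcdef01234567"      # hypothetical contract address
    lines = []
    for i, skew in enumerate([0, 1, -1, 2, 0, -2, 1, 0]):   # 60 s timer with a little jitter
        lines.append(_event("ws01", "polygon-rpc.com", t0 + timedelta(seconds=60 * i + skew),
                            "eth_call", [{"to": c2, "data": "0x7a1b2c3d"}, "latest"]))
    token = "0x" + "aa" * 20                                 # placeholder ERC-20 address
    dev = [(0, "eth_call", [{"to": token, "data": "0x06fdde03"}, "latest"]),      # name()
           (37, "eth_getLogs", [{"address": "0x" + "bb" * 20, "fromBlock": "0x1"}]),
           (400, "eth_call", [{"to": token, "data": "0x95d89b41"}, "latest"]),    # symbol()
           (1900, "eth_getStorageAt", ["0x" + "cc" * 20, "0x0", "latest"]),
           (1905, "eth_call", [{"to": token, "data": "0x18160ddd"}, "latest"])]   # totalSupply()
    for off, method, params in dev:
        lines.append(_event("ws02", "polygon-rpc.com", t0 + timedelta(seconds=off), method, params))
    # Traffic to a non-RPC host is ignored even if the body looks like JSON-RPC.
    lines.append(_event("ws01", "www.example.com", t0, "eth_call", [{"to": c2, "data": "0x"}, "latest"]))
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in detect_polling(build_sample_log()):
        print(finding)
```

The jitter threshold is the whole game: a human-driven wallet or a block explorer tab produces bursty, uneven reads, while a sleep-loop in a loader produces gaps whose standard deviation is a small fraction of the mean. Pair a hit with endpoint telemetry (a new child process or an outbound download shortly after each poll) before escalating, because a legitimate price-feed or indexer job will trip the cadence check on its own.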
Aeternum C2 marks a significant step toward decentralized, infrastructure-light botnet operations. By embedding encrypted commands into Polygon smart contracts, operators eliminate reliance on centralized assets vulnerable to seizure.
Coupled with commercialization, low operational costs, and the parallel availability of residential proxy ecosystems like DSLRoot, this model demonstrates how blockchain technology can be repurposed to harden criminal infrastructure.
The takeaway is clear: future takedown strategies must shift from domain and hosting disruption toward behavioral detection, wallet tracing, and blockchain intelligence monitoring.
The Hacker News