Aeternum C2 Botnet Stores Encrypted Commands on Polygon Blockchain to Evade Takedown
Source: The Hacker News
**Cybersecurity researchers have disclosed details of a new botnet loader called _Aeternum C2_ that uses a blockchain‑based command‑and‑control (C2) infrastructure to make it resilient to takedown efforts.**
> “Instead of relying on traditional servers or domains for command‑and‑control, Aeternum stores its instructions on the public Polygon blockchain,” Qrator Labs **[said](https://qrator.net/blog/details/Exploring-Aeternum-C2/)** in a report shared with *The Hacker News*.
> “This network is widely used by decentralized applications, including Polymarket, the world’s largest prediction market. This approach makes Aeternum’s C2 infrastructure effectively permanent and resistant to traditional takedown methods.”
---
### Background
- This is not the first botnet to rely on blockchain for C2. In 2021, Google disclosed disruption of the **Glupteba** botnet, which used the Bitcoin blockchain as a backup C2 mechanism.
  *(See the original coverage **[here](https://thehackernews.com/2024/02/glupteba-botnet-evades-detection-with.html)**.)*
- Details of Aeternum C2 first emerged in **December 2025** when Outpost24’s **KrakenLabs** **[revealed](https://x.com/KrakenLabs_Team/status/1998330973461622894)** that a threat actor named **LenAI** was advertising the malware on underground forums:
  - **$200** for a panel and a pre‑configured build.
  - **$4,000** for the full C++ codebase plus updates.
---
### How Aeternum C2 Works
- **Loader:** Native C++ loader (both x86 and x64).
- **Command Delivery:** Commands are written to smart contracts on the Polygon blockchain.
- **Bot Retrieval:** Infected hosts poll public RPC endpoints to read those commands.
- **Control Panel:** A web‑based Next.js panel lets operators:
  1. Select a smart contract.
  2. Choose a command type.
  3. Specify a payload URL.
  4. Push the command as a blockchain transaction.
> “Once a command is confirmed, it cannot be altered or removed by anyone other than the wallet holder,” Qrator Labs added. “The operator can manage multiple smart contracts simultaneously, each one potentially serving a different payload or function, such as a clipper, a stealer, a RAT, or a miner.”
- **Research:** A **two‑part** study by **Ctrl Alt Intel** (Part 1 **[here](https://ctrlaltintel.com/threat%20research/Aeternum-Part-1/)**, Part 2 **[here](https://ctrlaltintel.com/threat%20research/Aeternum-Part-2/)**) describes the panel as a Next.js app that deploys Polygon smart contracts. The contracts expose a function that, when called by the malware via RPC, returns an encrypted command which the bot then decrypts and executes.
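The bot-retrieval step described above (infected hosts reading chain state through public RPC endpoints) gives defenders something to look for on an egress proxy: JSON-RPC read calls such as `eth_call` issued on a fixed timer by a process that is not a browser or wallet. The following block is an added example, not code from the article, Qrator Labs or Ctrl Alt Intel. It parses constructed proxy log lines, groups blockchain read calls by source host, process and destination, and flags groups whose inter-request intervals are nearly constant. The log format, hostnames (`rpc.polygon.example`), process names, contract address and function selector are all placeholders constructed for the example, not indicators from the report.

```python
"""Flag hosts that poll a blockchain RPC endpoint on a fixed cadence.

Input is one JSON object per line, the shape an egress proxy or EDR sensor
might emit. Every hostname, process name, address and selector below is a
constructed placeholder, not an indicator of compromise.
"""
import json
import statistics
from collections import defaultdict
from datetime import datetime

# JSON-RPC methods that read chain state; a loader fetching its next command
# from a contract is assumed to use one of these (eth_call in the report).
READ_METHODS = {"eth_call", "eth_getLogs", "eth_getStorageAt"}

# Constructed sample: ws-17 reads the same contract every ~60 s from an odd
# process; ws-22 is a browser wallet reading state in user-driven bursts.
SAMPLE_LOG = """\
{"ts":"2026-02-10T12:00:00Z","src":"ws-17","proc":"svchost_update.exe","dst":"rpc.polygon.example","body":{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xCONTRACT_PLACEHOLDER","data":"0xdeadbeef"},"latest"],"id":1}}
{"ts":"2026-02-10T12:01:00Z","src":"ws-17","proc":"svchost_update.exe","dst":"rpc.polygon.example","body":{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xCONTRACT_PLACEHOLDER","data":"0xdeadbeef"},"latest"],"id":2}}
{"ts":"2026-02-10T12:02:00Z","src":"ws-17","proc":"svchost_update.exe","dst":"rpc.polygon.example","body":{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xCONTRACT_PLACEHOLDER","data":"0xdeadbeef"},"latest"],"id":3}}
{"ts":"2026-02-10T12:03:01Z","src":"ws-17","proc":"svchost_update.exe","dst":"rpc.polygon.example","body":{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xCONTRACT_PLACEHOLDER","data":"0xdeadbeef"},"latest"],"id":4}}
{"ts":"2026-02-10T12:04:00Z","src":"ws-17","proc":"svchost_update.exe","dst":"rpc.polygon.example","body":{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xCONTRACT_PLACEHOLDER","data":"0xdeadbeef"},"latest"],"id":5}}
{"ts":"2026-02-10T12:05:00Z","src":"ws-17","proc":"svchost_update.exe","dst":"rpc.polygon.example","body":{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xCONTRACT_PLACEHOLDER","data":"0xdeadbeef"},"latest"],"id":6}}
{"ts":"2026-02-10T12:06:00Z","src":"ws-17","proc":"svchost_update.exe","dst":"rpc.polygon.example","body":{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xCONTRACT_PLACEHOLDER","data":"0xdeadbeef"},"latest"],"id":7}}
{"ts":"2026-02-10T12:07:00Z","src":"ws-17","proc":"svchost_update.exe","dst":"rpc.polygon.example","body":{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xCONTRACT_PLACEHOLDER","data":"0xdeadbeef"},"latest"],"id":8}}
{"ts":"2026-02-10T12:00:10Z","src":"ws-22","proc":"chrome.exe","dst":"rpc.polygon.example","body":{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xTOKEN_PLACEHOLDER","data":"0x11111111"},"latest"],"id":1}}
{"ts":"2026-02-10T12:00:15Z","src":"ws-22","proc":"chrome.exe","dst":"rpc.polygon.example","body":{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xTOKEN_PLACEHOLDER","data":"0x11111111"},"latest"],"id":2}}
{"ts":"2026-02-10T12:15:15Z","src":"ws-22","proc":"chrome.exe","dst":"rpc.polygon.example","body":{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xTOKEN_PLACEHOLDER","data":"0x22222222"},"latest"],"id":3}}
{"ts":"2026-02-10T12:15:48Z","src":"ws-22","proc":"chrome.exe","dst":"rpc.polygon.example","body":{"jsonrpc":"2.0","method":"eth_sendRawTransaction","params":["0xSIGNED_TX_PLACEHOLDER"],"id":4}}
{"ts":"2026-02-10T12:15:48Z","src":"ws-22","proc":"chrome.exe","dst":"rpc.polygon.example","body":{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xTOKEN_PLACEHOLDER","data":"0x11111111"},"latest"],"id":5}}
{"ts":"2026-02-10T12:40:00Z","src":"ws-22","proc":"chrome.exe","dst":"rpc.polygon.example","body":{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xTOKEN_PLACEHOLDER","data":"0x11111111"},"latest"],"id":6}}
"""


def parse_log(text):
    """Parse one JSON object per line into event dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def rpc_method(event):
    return (event.get("body") or {}).get("method")


def call_selector(event):
    """First 4 bytes of calldata name the contract function being read."""
    try:
        return event["body"]["params"][0]["data"][:10]
    except (KeyError, IndexError, TypeError):
        return None


def find_periodic_pollers(events, min_requests=5, max_cv=0.1):
    """Return (src, proc, dst) groups that read chain state on a fixed timer.

    Wallets and dApps read state in bursts driven by user activity, so the
    gaps between their requests vary widely. A loader asking a contract for
    its next command does so on a schedule, so the coefficient of variation
    (stdev / mean) of its inter-request gap is close to zero.
    """
    groups = defaultdict(list)
    for ev in events:
        if rpc_method(ev) in READ_METHODS:
            groups[(ev["src"], ev["proc"], ev["dst"])].append(ev)

    findings = []
    for (src, proc, dst), evs in groups.items():
        if len(evs) < max(min_requests, 3):  # need >= 2 gaps for a stdev
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            findings.append({
                "src": src, "proc": proc, "dst": dst,
                "requests": len(evs),
                "mean_interval_s": round(mean, 1),
                "cv": round(cv, 3),
                "selectors": sorted({s for s in map(call_selector, evs) if s}),
            })
    return findings


def scan(text=SAMPLE_LOG):
    return find_periodic_pollers(parse_log(text))


if __name__ == "__main__":
    for f in scan():
        print(f"{f['src']} {f['proc']} -> {f['dst']}: {f['requests']} reads every "
              f"~{f['mean_interval_s']}s (cv={f['cv']}), selectors {f['selectors']}")
```

On the constructed sample only `ws-17` is flagged: eight `eth_call` reads of one contract roughly 60 s apart from a process with no business talking to a blockchain node. `ws-22` makes as many read calls but its gaps range from seconds to tens of minutes, so it falls well above the variation threshold. The selector list is kept in the finding because, as the report notes, an operator can run several contracts for different payloads; a host that repeatedly queries one contract function is the interesting case, and the same approach applies to any public RPC endpoint a bot might be pointed at.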
---
### Anti‑Analysis & Operational Costs
- **Anti‑analysis:**
  - Detects virtualized environments.
  - Offers a **Kleenscan** integration so customers can verify builds are not flagged by AV vendors.
- **Cost Efficiency:**
  - “The operational costs are negligible: **$1 worth of MATIC** (Polygon’s native token) is enough for **100–150 command transactions**,” the Czech vendor explained.
  - No need for rented servers, domains, or any traditional infrastructure: only a crypto wallet and a local copy of the panel.
---
### Recent Developments
- **Toolkit Sale:** LenAI attempted to sell the entire toolkit for **$10,000**, citing lack of time for support and involvement in another project. The tweet announcing the sale can be seen **[here](https://x.com/KrakenLabs_Team/status/2024872751266148544)**.
- **Related Crimeware:** LenAI is also behind **ErrTraffic**, a tool that automates *ClickFix* attacks by generating fake glitches on compromised websites to trick users into following malicious instructions. (Coverage **[here](https://thehackernews.com/2026/01/threatsday-bulletin-ghostad-drain-macos.html#fake-glitch-scam-toolkit-exposed)**.)
---
> **The disclosure comes as Infrawatch published details of an**
### Underground Service Deploys Dedicated Laptop Hardware into American Homes
A covert operation is installing laptop hardware in U.S. residences to turn the devices into a residential proxy network called DSLRoot. The network redirects malicious traffic through the compromised machines.
The hardware runs a Delphi‑based program called DSLPylon, which can:
- Enumerate supported modems on the network.
- Remotely control residential networking equipment.
- Manage Android devices via an Android Debug Bridge (ADB) integration.
> “Attribution analysis identifies the operator as a Belarusian national with residential presence in Minsk and Moscow,” Infrawatch said. “DSLRoot is estimated to operate roughly 300 active hardware devices across 20+ U.S. states.”
> — Infrawatch blog

### Operator & Pricing
The individual behind the service has been identified as Andrei Holas (also known as Andre Holas and Andrei Golas). Promotion for the service appears on BlackHatWorld under the alias GlobalSolutions, offering:
| Subscription | Price |
|---|---|
| Monthly (unrestricted) | $190 |
| Six‑month plan | $990 |
| Annual plan | $1,750 |
> “DSLRoot’s custom software provides automated remote management of consumer modems (ARRIS/Motorola, Belkin, D‑Link, ASUS) and Android devices via ADB, enabling IP address rotation and connectivity control,” the company noted. “The network operates without authentication, allowing clients to route traffic anonymously through U.S. residential IPs.”