Botnets have always had an Achilles’ heel. Find the command-and-control server, seize the domain, or sinkhole the traffic, and the entire network goes dark. Law enforcement agencies and security vendors have relied on this weakness for years, dismantling operations like Emotet, TrickBot, and QakBot by targeting their centralized infrastructure.
While monitoring cybercrime networks, Qrator Research Lab identified a new botnet loader called Aeternum C2 that appears to remove that weakness entirely. Instead of relying on traditional servers or domains for command and control, Aeternum stores its instructions on the public Polygon blockchain. This network is widely used by decentralized applications, including Polymarket, the world’s largest prediction market. This approach makes Aeternum’s C2 infrastructure effectively permanent and resistant to traditional takedown methods.
Based on the seller’s documentation and panel screenshots, Aeternum is a native C++ botnet loader available in 32-bit and 64-bit builds. Its core innovation is straightforward and, so far, unique among commercially sold loaders: every command issued to infected machines is written into smart contracts on the Polygon blockchain, and bots retrieve those commands with read-only queries against public RPC (remote procedure call) endpoints rather than against any server the operator controls.
The operator manages everything through a web-based panel. From the dashboard, they can select a smart contract, choose a command type (targeting all bots, pinging a specific bot by hardware ID, or issuing a DLL loader command), specify a payload URL, and hit update. The command is then written to the blockchain as a transaction, confirmed on-chain, and becomes available to every infected device polling the network. The seller claims all online bots receive new commands within two to three minutes, which would compare favourably to peer-to-peer botnets where command propagation can be slow and unreliable.
Once a command transaction is confirmed, nobody can alter or remove it; only the wallet that controls the contract can issue a new transaction that supersedes the current command. The operator can manage multiple smart contracts simultaneously, each one potentially serving a different payload or function, such as a clipper, a stealer, a RAT, or a miner. The panel screenshots show 13 contracts with names like “Clipper,” “Get Sys Info DLL,” “ps1,” “.bat,” and “putty.exe,” each mapped to a different Polygon contract address.
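To make the mechanism concrete, here is an added example written for this article; it is not code from Aeternum or its seller. It assumes the simplest contract shape that fits the description above: a write function that stores one `string` and a read function that returns it, both using the standard Ethereum ABI encoding. The function names, the 4-byte selectors, the contract address and the command string are placeholders, since the page does not document the real contract interface. The `eth_call` body is the read-only JSON-RPC query a bot would POST to any public Polygon endpoint, and the decoder is what an analyst needs to recover the command string from either an `eth_call` result or the operator’s on-chain transaction input.

```python
import json

WORD = 32  # ABI word size in bytes

# Placeholder 4-byte selectors. In a real contract each is the first four bytes
# of keccak256 of the function signature; these values are NOT recovered from
# Aeternum and stand in for whatever its contracts actually expose.
GET_COMMAND_SELECTOR = "0xaaaaaaaa"
SET_COMMAND_SELECTOR = "0xbbbbbbbb"


def hex_to_bytes(h: str) -> bytes:
    return bytes.fromhex(h[2:] if h.startswith("0x") else h)


def abi_encode_string(s: str) -> bytes:
    """Standard ABI encoding of a lone `string` argument or return value:
    [offset word][length word][data right-padded to a 32-byte boundary]."""
    raw = s.encode("utf-8")
    pad = (-len(raw)) % WORD
    return WORD.to_bytes(WORD, "big") + len(raw).to_bytes(WORD, "big") + raw + b"\x00" * pad


def abi_decode_string(blob: bytes, base: int = 0) -> str:
    """Decode a lone ABI `string` whose head word starts at `base`.
    Offsets are relative to `base` (0 for eth_call results, 4 for calldata,
    where the selector precedes the arguments). Every slice is bounds-checked
    so a malformed offset or length raises instead of returning garbage."""
    head = blob[base:base + WORD]
    if len(head) != WORD:
        raise ValueError("truncated head word")
    data_pos = base + int.from_bytes(head, "big")
    length_word = blob[data_pos:data_pos + WORD]
    if len(length_word) != WORD:
        raise ValueError("offset points outside the payload")
    length = int.from_bytes(length_word, "big")
    data = blob[data_pos + WORD:data_pos + WORD + length]
    if len(data) != length:
        raise ValueError("string data truncated")
    return data.decode("utf-8")


def is_well_formed(blob: bytes, base: int = 0) -> bool:
    try:
        abi_decode_string(blob, base)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def build_eth_call(contract: str, selector: str, rpc_id: int = 1) -> dict:
    """JSON-RPC body a bot would POST to any public RPC endpoint to read the
    current command. eth_call runs the read locally on the node: no
    transaction, no fee, nothing written on-chain, so polling is free and
    leaves no trace on the ledger."""
    return {"jsonrpc": "2.0", "id": rpc_id, "method": "eth_call",
            "params": [{"to": contract, "data": selector}, "latest"]}


def decode_eth_call_result(response_json: str) -> str:
    resp = json.loads(response_json)
    if "error" in resp:
        raise RuntimeError(f"RPC error: {resp['error']}")
    return abi_decode_string(hex_to_bytes(resp["result"]))


def decode_set_command_calldata(tx_input: str) -> str:
    """Decode the operator's write transaction: selector, then the same string
    encoding with offsets relative to the byte after the selector."""
    data = hex_to_bytes(tx_input)
    if data[:4] != hex_to_bytes(SET_COMMAND_SELECTOR):
        raise ValueError(f"unexpected selector 0x{data[:4].hex()}")
    return abi_decode_string(data, base=4)


# Constructed sample data (not captured traffic). The encoded string is
# "https://example.invalid/loader.dll": 34 bytes, padded to 64.
ENCODED_COMMAND = (
    f"{32:064x}"                                   # offset to data: 32
    f"{34:064x}"                                   # length: 34 bytes
    "68747470733a2f2f6578616d706c652e696e76616c69642f6c6f616465722e646c6c"
    + "00" * 30                                    # zero padding
)
SAMPLE_RESPONSE = json.dumps({"jsonrpc": "2.0", "id": 1, "result": "0x" + ENCODED_COMMAND})
SAMPLE_TX_INPUT = SET_COMMAND_SELECTOR + ENCODED_COMMAND

if __name__ == "__main__":
    contract = "0x" + "11" * 20  # placeholder contract address
    print("bot poll body:", json.dumps(build_eth_call(contract, GET_COMMAND_SELECTOR)))
    print("command from eth_call result:", decode_eth_call_result(SAMPLE_RESPONSE))
    print("command from operator tx input:", decode_set_command_calldata(SAMPLE_TX_INPUT))
```

Two things the code makes visible that the panel description does not: the bot side never signs anything, so only the operator’s writes appear on the ledger, and the command string in the transaction input is public, so anyone with the contract address can read every command the operator has ever issued.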
The ping command sends a simple GET request to a URL specified by the operator, with HTTP headers containing bot information, including a user-agent string and the bot’s hardware ID. The operator can use this to track active infections by pointing the ping at an IP logger or target commands to a specific bot by filtering on its HWID.
Traditional botnets use a predictable set of infrastructure: hardcoded IP addresses, domain names resolved through DNS, or peer-to-peer networks that still rely on known bootstrap nodes.
Each of these gives defenders a target. Domain registrars can suspend malicious domains. Hosting providers can null-route IPs. Law enforcement can seize physical servers. Even P2P botnets have been disrupted by poisoning their routing tables or sinkholing known peers.
Aeternum sidesteps all of this. Its commands live on a public blockchain, stored across thousands of nodes worldwide, and accessible through any of the 50+ RPC endpoints the bot is configured to query. There is no single server to seize, no domain to suspend, and no hosting provider to subpoena. The data is replicated across the entire Polygon network by design. Traditional takedown strategies simply do not apply. What remains are weaker chokepoints: the bots still need network egress to some reachable RPC endpoint, and every contract depends on a single signing key held by the operator.
In December 2021, Google disrupted Glupteba, a botnet that had infected over one million Windows devices. Google took down C2 servers, seized domains, terminated associated accounts, and filed a lawsuit against two operators. The effort initially reduced infections by 78%.
But Glupteba used the Bitcoin blockchain as a backup C2 channel, storing encrypted fallback domains in transaction data that no one could erase or censor. Within six months, the botnet was back, running a new campaign with more wallet addresses and ten times more Tor hidden services than before.
The difference is that Glupteba used blockchain as a fallback, not as its primary C2 channel. Its main communication still ran through conventional HTTPS servers, which gave Google something to seize.
Aeternum removes that gap entirely. There are no traditional servers in the loop. Every command flows through the blockchain from the start, which means there is no primary infrastructure to target and no fallback to force the operator onto.
Aeternum is sold as either a lifetime licence with the panel and a configured build, or as full C++ source code with ongoing updates. The operational costs are negligible: $1 worth of MATIC, the native token of the Polygon network (since rebranded as POL), is enough for 100 to 150 command transactions, and the bots’ reads cost nothing at all, because querying contract state through a public RPC endpoint does not require a transaction. The operator doesn’t need to rent servers, register domains, or maintain any infrastructure beyond a crypto wallet and a local copy of the panel.
This cost structure lowers the barrier to operating a persistent, takedown-resistant botnet to essentially nothing. Previous blockchain-based C2 concepts have existed in academic research and proof-of-concept form, but Aeternum appears to be the first commercially available implementation actively sold and maintained on an underground network.
Beyond the blockchain C2 mechanism, Aeternum includes several features designed to frustrate analysis and extend the lifespan of infections.
The loader includes anti-VM detection that prevents execution in virtualised environments commonly used by antivirus vendors and malware analysts. The seller’s pitch is that after a sample is uploaded to VirusTotal, no “AV bots” (vendor sandboxes) show up in the operator’s bot list, because the malware refuses to execute in them. The same checks do nothing against analysis on bare metal or in a sandbox hardened against the usual VM artefacts.
The seller bundles a scantime AV scanner powered by the Kleenscan API, allowing operators to check their builds against 37 antivirus engines before deployment. The results shown in the seller’s screenshots indicate only 12 out of 37 engines flagging the sample, with major vendors including CrowdStrike, Avast, Avira, and ClamAV all returning “undetected.” These results represent a point-in-time snapshot of static signature matching only: detection rates will change as vendors update their signatures, and a clean scantime result says nothing about behavioural detection once the loader runs.
Whether or not Aeternum itself becomes widely adopted, blockchain-based command and control is now a turnkey product on the underground market. The model is sound, and other malware developers will iterate on it. Botnets built on this model will persist longer, accumulating more infected devices and enabling large-scale DDoS attacks, credential stuffing, click fraud, proxy-as-a-service, and other types of malicious activity.
Traditional upstream takedowns become harder when the C2 channel is immutable, and even if the botnet malware is removed from every infected machine, the operator can redeploy using the same smart contracts without rebuilding anything. This makes proactive DDoS mitigation more important than ever: if such botnets can't be taken down at the source, defenders must focus on filtering malicious traffic at the edge.
FAQ: Aeternum C2 and blockchain-based botnets
What is Aeternum C2?
Aeternum C2 is a botnet loader that stores command-and-control instructions for infected devices in smart contracts on the Polygon blockchain.
How does blockchain-based C2 work?
Commands are written as on-chain transactions, and infected devices read those instructions by querying public RPC endpoints.
Why is blockchain-based C2 hard to take down?
Because data stored on public blockchains is immutable and replicated across thousands of nodes worldwide.
Can blockchain-based botnets be stopped?
Traditional domain seizures and server takedowns are ineffective with this model, so defenders must shift focus toward endpoint detection and traffic filtering.
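Because the bots poll public RPC endpoints on a fixed schedule and rotate across dozens of them, a per-destination threshold misses the pattern, but a per-source beaconing check on JSON-RPC read methods does not. The following is an added example written for this article, not part of the original post or of any product: it runs over a few constructed egress-proxy records, assumes the proxy logs the JSON-RPC `method` of each POST body (which needs TLS inspection), groups `eth_call`-style reads by source host, and flags hosts whose request intervals are nearly constant and whose client is not a browser. The host addresses, endpoint names and user-agent strings are all invented for the sample.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed egress-proxy records (not real captures).
# Format: <timestamp> <src_ip> <http_method> <dst_host> <jsonrpc_method|-> <user_agent>
# 10.0.0.7 plays an infected host polling every ~2 minutes across rotating
# endpoints; 10.0.0.9 is a browser with a wallet extension; 10.0.0.12 makes
# one ad-hoc call.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.7 POST rpc-a.example eth_call Mozilla/4.0 (compatible)
2024-05-01T10:02:01Z 10.0.0.7 POST rpc-b.example eth_call Mozilla/4.0 (compatible)
2024-05-01T10:04:00Z 10.0.0.7 POST rpc-c.example eth_call Mozilla/4.0 (compatible)
2024-05-01T10:06:02Z 10.0.0.7 POST rpc-a.example eth_call Mozilla/4.0 (compatible)
2024-05-01T10:07:59Z 10.0.0.7 POST rpc-d.example eth_call Mozilla/4.0 (compatible)
2024-05-01T10:10:01Z 10.0.0.7 POST rpc-b.example eth_call Mozilla/4.0 (compatible)
2024-05-01T10:00:05Z 10.0.0.9 POST rpc-a.example eth_call Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T10:00:06Z 10.0.0.9 POST rpc-a.example eth_blockNumber Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T10:03:40Z 10.0.0.9 POST rpc-a.example eth_call Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T10:11:12Z 10.0.0.9 POST rpc-a.example eth_call Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T10:11:13Z 10.0.0.9 POST rpc-a.example eth_call Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T10:11:14Z 10.0.0.9 POST rpc-a.example eth_call Mozilla/5.0 (Windows NT 10.0) Chrome/124.0
2024-05-01T10:01:00Z 10.0.0.12 GET www.example - curl/8.0
2024-05-01T10:05:30Z 10.0.0.12 POST rpc-a.example eth_call curl/8.0
"""

# Read-only JSON-RPC methods a bot would use to fetch commands from a contract.
RPC_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}
BROWSER_UA_MARKERS = ("Chrome/", "Firefox/", "Safari/", "Edg/")


def parse_log(text: str) -> list:
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, http_method, dst, rpc_method, ua = line.split(" ", 5)
        records.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "http_method": http_method, "dst": dst,
            "rpc_method": rpc_method, "ua": ua,
        })
    return records


def find_polling_sources(records, min_calls=5, max_cv=0.2, min_period_s=30):
    """Return {src_ip: details} for hosts whose RPC reads look like a beacon:
    at least min_calls reads, a mean gap of at least min_period_s, and a
    coefficient of variation of the gaps at most max_cv (near-constant period).
    Grouping is by source, not destination, so endpoint rotation does not
    dilute the count."""
    by_src = defaultdict(list)
    for r in records:
        if r["http_method"] == "POST" and r["rpc_method"] in RPC_READ_METHODS:
            by_src[r["src"]].append(r)
    alerts = {}
    for src, calls in by_src.items():
        if len(calls) < min_calls:
            continue
        calls.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(calls, calls[1:])]
        mean = statistics.fmean(gaps)
        if mean < min_period_s:
            continue
        cv = statistics.pstdev(gaps) / mean
        # Weak signal on its own (a bot can spoof it), used only to suppress noise.
        browser = all(any(m in c["ua"] for m in BROWSER_UA_MARKERS) for c in calls)
        if cv <= max_cv and not browser:
            alerts[src] = {
                "calls": len(calls),
                "period_s": round(mean, 1),
                "cv": round(cv, 3),
                "endpoints": sorted({c["dst"] for c in calls}),
            }
    return alerts


def detect(text: str = SAMPLE_LOG) -> dict:
    return find_polling_sources(parse_log(text))


if __name__ == "__main__":
    for src, info in detect().items():
        print(f"{src}: {info['calls']} RPC reads every ~{info['period_s']}s "
              f"(cv={info['cv']}) across {len(info['endpoints'])} endpoints")
```

Treat a hit as a hunting lead rather than a verdict: legitimate wallet software and blockchain tooling also poll RPC endpoints on timers, so tune the thresholds against your own baseline and pair the rule with process telemetry on the endpoint (which binary opened the connection). A loader can add jitter or spoof a browser user-agent, which is why the regularity check and the user-agent check are separate knobs.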