Void Botnet uses Ethereum smart contracts for seizure-resistant C2

18 May 2026

In February 2026, Qrator Labs documented Aeternum C2: a botnet loader that stores its command-and-control instructions in Polygon blockchain smart contracts. It was the first commercial blockchain botnet we identified on any cybercrime network. One month later, we found a second one, called Void Botnet.

Void Botnet uses Ethereum instead of Polygon, is written in Rust rather than C++, and is sold by a different malware developer operating under the handle TheVoidStl. The architecture is otherwise the same: commands written to smart contracts, bots polling public RPC endpoints, and C2 infrastructure that is hard to take down.

How Void Botnet appears to work

The listing, panel, and demonstration screenshots that follow are reproduced from a Russian-language cybercrime network where the seller advertises Void Botnet. As a result, some interface labels appear in Russian throughout the screenshots.

Figure 1. The Void Botnet listing, March 2026

Based on the seller's documentation and panel screenshots, Void Botnet is a Rust-native loader with two command-and-control modes in the same binary. The first mode routes commands through Ethereum smart contracts: the operator writes instructions to a contract, and infected machines check it at regular intervals, picking up new tasks within three to five minutes.

The second mode connects machines directly to the operator's web panel, with tasks completing in under thirty seconds. The operator switches between them at any time by updating the contract. The choice is a tradeoff between speed and resilience: the direct mode is faster, the blockchain-based C2 is harder to take down.

The panel shows each machine enrolled in the botnet together with its location, operating system, running antivirus product, and whether it has administrator access. Tasks can be pushed to individual machines or the entire fleet at once, with the option to filter by country when targeting a specific region.

Figure 2. Panel statistics showing 17 online bots and antivirus distribution

The C2 mechanism works on the same principle we documented in Aeternum C2: commands written to smart contracts, bots polling public RPC endpoints, no server to seize, and no domain to suspend. Void Botnet uses Ethereum rather than Polygon, but the takedown problem is identical.
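Because the bots read contract state by polling public Ethereum JSON-RPC endpoints every three to five minutes, the beacon itself is a detection opportunity for defenders even when there is nothing to seize. The following is an added example (not Qrator Labs' tooling and not derived from a Void Botnet sample) that scans constructed egress-proxy log lines for hosts issuing Ethereum read calls to one endpoint at a steady cadence; the log format, host names, endpoint name and the set of RPC methods checked are all assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Standard Ethereum JSON-RPC read methods; that a loader uses exactly these is an assumption.
RPC_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs", "eth_blockNumber"}

def parse_line(line):
    """Constructed egress-proxy format: '<ISO time> <src_host> <dst_host> <request body>'."""
    ts, src, dst, body = line.split(" ", 3)
    try:
        method = json.loads(body).get("method")
    except json.JSONDecodeError:
        method = None  # not a JSON-RPC request at all
    return datetime.fromisoformat(ts), src, dst, method

def find_contract_pollers(lines, min_polls=4, min_gap=120, max_gap=360, max_jitter=30):
    """Flag hosts whose Ethereum read calls to one endpoint recur at a steady cadence in the
    2-6 minute band (the 3-5 minute poll, with margin): mean gap in band and little spread."""
    stamps = defaultdict(list)
    for line in lines:
        ts, src, dst, method = parse_line(line)
        if method in RPC_READ_METHODS:
            stamps[(src, dst)].append(ts)
    hits = {}
    for (src, dst), times in stamps.items():
        if len(times) < min_polls:
            continue  # too few calls to establish a cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if min_gap <= avg <= max_gap and pstdev(gaps) <= max_jitter:
            hits[src] = {"dst": dst, "mean_gap": round(avg)}
    return hits

# Constructed sample: ws-042 polls every ~4 min; dev-07 averages 4 min but
# irregularly (the jitter check rejects it); build-01 makes one non-RPC request.
CALL = '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[]}'
SAMPLE_LOG = [
    "2026-03-07T10:00:00+00:00 ws-042 rpc.node.invalid " + CALL,
    "2026-03-07T10:04:02+00:00 ws-042 rpc.node.invalid " + CALL,
    "2026-03-07T10:08:01+00:00 ws-042 rpc.node.invalid " + CALL,
    "2026-03-07T10:12:03+00:00 ws-042 rpc.node.invalid " + CALL,
    "2026-03-07T10:16:00+00:00 ws-042 rpc.node.invalid " + CALL,
    "2026-03-07T10:00:00+00:00 dev-07 rpc.node.invalid " + CALL,
    "2026-03-07T10:00:30+00:00 dev-07 rpc.node.invalid " + CALL,
    "2026-03-07T10:11:00+00:00 dev-07 rpc.node.invalid " + CALL,
    "2026-03-07T10:12:00+00:00 dev-07 rpc.node.invalid " + CALL,
    "2026-03-07T10:20:00+00:00 build-01 www.example.invalid GET /index.html",
]
```

Running `find_contract_pollers(SAMPLE_LOG)` flags only ws-042; in a real deployment the hit list should be reconciled against hosts with a legitimate reason to talk to Ethereum nodes before acting on it.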

Figure 3. Active connections view showing 23 registered bots, 7 March 2026

Inside the Void Botnet operator panel

The panel gives an operator a full toolkit for post-compromise work. Payloads can be delivered as executables, DLLs, MSI packages, or PowerShell scripts. A dedicated in-memory execution mode loads binaries directly into process memory without writing them to disk, bypassing defenses that rely on file-based detection.

For hands-on access, reverse shell and PowerShell tasks open interactive sessions on compromised machines while the panel continues processing other tasks in the background. SelfDelete and SelfUpdate allow the operator to remove or update the agent on demand.

Figure 4. Task type dropdown showing all fourteen available task types

The panel records the outcome of each task for each infected machine, so an operator can see at a glance which bots responded and which did not. In the seller's demonstration, an in-memory execution task sent to twenty-three machines completed successfully on fourteen with two failures; a payload delivery task succeeded on seventeen. During our analysis, live shell sessions were open on machines in the developer's demonstration environment, with terminal output visible.

Figure 5. Task execution history showing RunInMemory and ReverseShell results

Two blockchain botnets within one month

Aeternum and Void Botnet came from different developers, used different blockchains, and appeared only weeks apart, with no apparent connection to each other. The emergence of two independently developed blockchain-based botnets within such a short period suggests that blockchain C2 infrastructure is starting to become more popular among cybercriminals.

The practical problem here is that there is nothing to seize: a botnet using blockchain-based C2 doesn’t rely on any particular server, a domain registrar, or a single point that a takedown effort can reach. As a result, these botnets run longer, and the attacks they enable, including DDoS campaigns, credential stuffing, and proxy-as-a-service operations, are much harder to stop at the source. This makes proactive defensive measures, such as anti-bot protection and DDoS mitigation, increasingly important.

MITRE ATT&CK

The analyzed Void botnet demonstrates behavior associated with multiple MITRE ATT&CK techniques:

  • T1102 (Web Service) — Ethereum blockchain infrastructure is used as the primary C2 channel, with bots polling public RPC endpoints for encrypted smart contract commands.
  • T1071.001 (Application Layer Protocol: Web Protocols) — HTTP and HTTPS are used for centralized panel communication and blockchain RPC queries.
  • T1059.001 (Command and Scripting Interpreter: PowerShell) — ReversePowerShell provides live PowerShell sessions, DownloadAndRunPS1 executes delivered scripts, and PowerShell is used to decrypt and load assemblies for fileless persistence.
  • T1059.003 (Command and Scripting Interpreter: Windows Command Shell) — CMD Command and ReverseShell tasks enable one-time and persistent shell access.
  • T1620 (Reflective Code Loading) — the RunInMemory task executes native x32 and x64 binaries directly in process memory without writing them to disk.
  • T1053.005 (Scheduled Task/Job: Scheduled Task) — persistence is established through a scheduled task introduced in the v1.1 update.
  • T1140 (Deobfuscate/Decode Files or Information) — the bot assembly is stored in encrypted form and decrypted at runtime before memory execution.
  • T1090.002 (Proxy: External Proxy) — the ReverseProxy task routes traffic through compromised hosts without interrupting other bot operations.
  • T1082 (System Information Discovery) — the panel collects operating system version, build number, antivirus information, and administrative privilege status during bot registration.
  • T1070.004 (Indicator Removal: File Deletion) — the SelfDelete task removes the bot from the compromised system on operator instruction.

Operational Characteristics

The following indicators and operational characteristics were associated with the analyzed Void botnet infrastructure:

  • Developer handle — TheVoidStl
  • Operator alias — nikoniko
  • Related tools — TheVoidStealer, WallStealer, and Void Miner
  • First observed — March 2026
  • Build language — Rust (native implementation) and .NET Framework 4.8 (v1.1)
  • Pricing model — $600 one-time purchase with an additional $50 fee per build
  • C2 mechanism — Ethereum smart contracts used for decentralized command-and-control operations, alongside a centralized HTTP/HTTPS web panel infrastructure.