
The shift to decentralized, blockchain‑based C2 undermines conventional takedown tactics, raising the bar for cyber‑defense and law‑enforcement response. It signals a broader trend toward resilient, low‑cost botnet operations that can evade traditional disruption methods.
The cybersecurity community has watched a steady migration of command‑and‑control (C2) channels from traditional hosting services to decentralized ledgers. Early adopters such as the Glupteba botnet used Bitcoin only as a backup channel: the immutability of the ledger added resilience, but it was never the primary communication path. Polygon, a layer‑2 solution on Ethereum, offers low‑cost, high‑throughput transactions, making it an attractive substrate for malicious actors seeking to avoid domain seizures and server takedowns. By embedding instructions in smart contracts, threat groups gain a globally replicated, censorship‑resistant conduit that law‑enforcement cannot simply shut down.
Aeternum, uncovered by Qrator Research Lab, implements this model with a native C++ loader available for both 32‑ and 64‑bit Windows. Infected hosts poll more than fifty RPC endpoints, retrieve the latest contract transaction, and execute payloads ranging from credential‑stealing DLLs to cryptocurrency miners. The operator’s web dashboard selects a contract, writes a command, and the transaction propagates across the Polygon network within two to three minutes. At roughly one US dollar in MATIC per 100‑150 commands, the service undercuts traditional botnet infrastructure costs while eliminating the need for rented servers or domain registrations.
For defenders, the shift to blockchain‑based C2 forces a reevaluation of takedown strategies. Since the command data is immutable and distributed, disrupting the botnet requires edge‑level traffic filtering, anomaly detection, and rapid incident response rather than reliance on sink‑holing or domain takedowns. Moreover, the low transaction fee lowers the barrier for criminal groups to launch large‑scale campaigns, potentially increasing the frequency of ransomware, cryptomining, and information‑stealing operations. Security teams must therefore invest in blockchain analytics, enrich threat intel with on‑chain indicators, and collaborate with network providers to mitigate the emerging risk.
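One concrete form the edge‑level anomaly detection above can take is to look for the polling pattern the article describes: a single host querying the same contract address through many distinct RPC endpoints in a short window. The script below is an added illustration, not code from the article or from Qrator Research Lab; it assumes the loader speaks standard Ethereum JSON‑RPC (eth_getLogs / eth_call) over an HTTPS proxy that logs request bodies, and the log lines, host names, endpoint names, contract address and thresholds are all constructed placeholders.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (not real traffic): "<ISO time>|<src host>|<dst host>|<POST body>"; all names are placeholders.
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z|ws-017|rpc-a.example|{"jsonrpc":"2.0","method":"eth_getLogs","params":[{"address":"0xC0FFEE"}],"id":1}
2024-05-01T10:00:04Z|ws-017|rpc-b.example|{"jsonrpc":"2.0","method":"eth_getLogs","params":[{"address":"0xC0FFEE"}],"id":2}
2024-05-01T10:00:07Z|ws-017|rpc-c.example|{"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xC0FFEE","data":"0x"},"latest"],"id":3}
2024-05-01T10:00:10Z|ws-017|rpc-d.example|{"jsonrpc":"2.0","method":"eth_getLogs","params":[{"address":"0xC0FFEE"}],"id":4}
2024-05-01T10:03:00Z|dev-042|rpc-a.example|{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}
2024-05-01T10:03:30Z|dev-042|rpc-a.example|not a JSON-RPC body
2024-05-01T11:30:00Z|ws-017|rpc-e.example|{"jsonrpc":"2.0","method":"eth_getLogs","params":[{"address":"0xC0FFEE"}],"id":5}
""".splitlines()


def parse_line(line):
    """Return (time, src, dst, method, contract) for a JSON-RPC request, else None."""
    ts, src, dst, body = line.split("|", 3)
    try:
        req = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0" or "method" not in req:
        return None
    params = req.get("params") or []
    first = params[0] if params and isinstance(params[0], dict) else {}
    # eth_getLogs filters name the contract as "address"; eth_call names it "to"
    contract = first.get("address") or first.get("to")
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst, req["method"], contract


def find_rpc_pollers(lines, window=timedelta(minutes=10), min_endpoints=3):
    """Hosts querying one contract via >= min_endpoints distinct RPC endpoints in one window (thresholds are assumptions)."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[4]:  # keep only requests scoped to a contract address
            t, src, dst, _method, contract = parsed
            events[(src, contract)].append((t, dst))
    flagged = {}
    for (src, contract), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):  # sliding window over time-ordered requests
            while evs[end][0] - evs[start][0] > window:
                start += 1
            hosts = {dst for _t, dst in evs[start:end + 1]}
            if len(hosts) >= min_endpoints:
                flagged.setdefault(src, {}).setdefault(contract, set()).update(hosts)
    return flagged
```

Hosts that legitimately talk to one or two RPC providers (wallets, developer tooling) stay below the threshold, while a loader rotating through a large endpoint list for the same contract is surfaced together with the address it is watching, which can then be fed to on‑chain analytics.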