Aeternum C2 Botnet Hides Commands on Polygon Blockchain

By alex2404

Aeternum C2, a newly detailed botnet loader, stores its commands directly on the Polygon blockchain, making its command-and-control infrastructure effectively immune to the takedown methods that typically neutralize malicious networks.

The discovery was reported by Qrator Labs, which found that instead of routing instructions through conventional servers or domains, Aeternum writes encrypted commands to smart contracts on Polygon, a public blockchain network also used by decentralized applications like Polymarket. Once a command is written into the blockchain as a transaction, it cannot be altered or removed by anyone except the wallet holder.

How the Infrastructure Works

The malware is a native C++ loader available in both 32-bit and 64-bit builds. Infected machines, acting as bots, retrieve their instructions by querying public remote procedure call (RPC) endpoints on the Polygon network. The entire operation is managed through a web-based panel built as a Next.js application, from which operators can deploy smart contracts, select command types, specify payload URLs, and target either all compromised endpoints or individual ones.

The smart contracts contain a function that, when called by the malware via the Polygon RPC, returns the encrypted command. That command is then decoded and executed on the victim machine. Operators can run multiple smart contracts simultaneously, each serving a different payload such as a clipper, stealer, remote access trojan, or miner.
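As an added detection example (not code from Qrator Labs, the Aeternum panel, or this article): a Python sketch that scans proxy log lines for non-browser processes repeatedly issuing `eth_call` requests to public Polygon RPC endpoints, which is the polling pattern the loader described above would produce. The log format, the endpoint watchlist, the process allowlist, the threshold and all sample lines are assumptions constructed for the example.

```python
import json
from collections import defaultdict

POLYGON_RPC_HOSTS = {"polygon-rpc.com", "rpc-mainnet.matic.network"}  # assumed watchlist
ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}       # assumed allowlist
MIN_POLLS = 3  # repeated eth_call to one contract from one process looks like C2 polling

def _line(ts, host, proc, dst, rpc_method, to):
    """Build one constructed proxy log line (JSON) carrying a JSON-RPC request body."""
    body = {"jsonrpc": "2.0", "method": rpc_method,
            "params": [{"to": to, "data": "0x00000000"}, "latest"], "id": 1}
    return json.dumps({"ts": ts, "host": host, "proc": proc, "dst": dst,
                       "body": json.dumps(body)})

SAMPLE_LOG = [  # constructed sample telemetry, not real data
    _line(1000, "ws-17", "updater.exe", "polygon-rpc.com", "eth_call", "0xCONTRACT_A"),
    _line(1060, "ws-17", "updater.exe", "polygon-rpc.com", "eth_call", "0xCONTRACT_A"),
    _line(1120, "ws-17", "updater.exe", "polygon-rpc.com", "eth_call", "0xCONTRACT_A"),
    _line(1130, "ws-02", "chrome.exe", "polygon-rpc.com", "eth_call", "0xDAPP"),  # allowlisted
    _line(1140, "ws-02", "chrome.exe", "polygon-rpc.com", "eth_call", "0xDAPP"),
    _line(1150, "ws-02", "chrome.exe", "polygon-rpc.com", "eth_call", "0xDAPP"),
    _line(1200, "ws-09", "tool.exe", "polygon-rpc.com", "eth_blockNumber", "0x0"),  # not eth_call
    _line(1300, "ws-21", "svc.exe", "polygon-rpc.com", "eth_call", "0xCONTRACT_B"),  # one call only
]

def parse_rpc(line):
    """Return (host, proc, rpc_method, contract) for a JSON-RPC request to a watched endpoint, else None."""
    try:
        ev = json.loads(line)
        body = json.loads(ev["body"])
    except (ValueError, KeyError, TypeError):
        return None  # not our log format, or no JSON-RPC body
    if ev.get("dst") not in POLYGON_RPC_HOSTS or not isinstance(body, dict):
        return None
    params = body.get("params") or [{}]
    to = params[0].get("to", "") if isinstance(params[0], dict) else ""
    return ev.get("host"), ev.get("proc", ""), body.get("method"), str(to).lower()

def find_polling_hosts(lines):
    """Count eth_call requests per (host, process, contract) from non-allowlisted processes."""
    counts = defaultdict(int)
    for parsed in map(parse_rpc, lines):
        if parsed is None:
            continue
        host, proc, method, contract = parsed
        if method != "eth_call" or proc.lower() in ALLOWED_PROCESSES:
            continue
        counts[(host, proc, contract)] += 1
    return sorted(k for k, n in counts.items() if n >= MIN_POLLS)
```

Tuning the allowlist and threshold to the environment matters: legitimate dApp use from browsers and wallet software also produces `eth_call` traffic, so the process identity and the repetition against a single contract carry the signal, not the RPC endpoint alone.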

The operational costs are minimal. According to Qrator Labs, $1 worth of MATIC, Polygon’s native token, covers between 100 and 150 command transactions. No server rentals, domain registrations, or traditional infrastructure are required beyond a crypto wallet and a local copy of the panel.

Underground Pricing and the Threat Actor Behind It

Details of Aeternum C2 first surfaced in December 2025, when researchers at Outpost24’s KrakenLabs identified a threat actor operating under the name LenAI advertising the malware on underground forums. The pricing structure broke down as follows:

  • $200 for panel access and a configured build
  • $4,000 for the full C++ codebase with updates
  • $10,000 for the entire toolkit, including resale and commercial use rights

LenAI has since attempted to offload the complete project to a single buyer, citing a lack of time for ongoing support and involvement in a separate project. A dark web forum post attributed to the actor included an offer to share development notes on features that were never implemented.

Anti-Analysis Features and Evasion

Aeternum includes checks to detect virtualized environments and gives customers the ability to scan their builds through Kleenscan, a service designed to verify that compiled malware evades detection by antivirus vendors. Both features are aimed at extending the operational lifespan of infections.

Blockchain-based C2 is not without precedent. In 2021, Google disrupted a botnet called Glupteba that used the Bitcoin blockchain as a backup mechanism to retrieve the address of its actual C2 server. Aeternum goes further by making the blockchain the primary and only infrastructure.

LenAI is also linked to a separate crimeware tool called ErrTraffic, which automates ClickFix attacks by generating fake error screens on compromised websites to manipulate users into executing malicious instructions.

This article is a curated summary based on third-party sources.