Aeternum Botnet Loader Employs Polygon Blockchain C&C to Boost Resilience

Aeternum operates on smart contracts, making its command-and-control (C&C) infrastructure difficult to disrupt.

By Ionut Arghire | February 27, 2026 (7:02 AM ET)

Qrator Labs has shared details on Aeternum C2, a recently discovered botnet loader that relies on the Polygon blockchain for command-and-control (C&C), thus improving its resilience against takedowns.

The malware was first spotted in December 2025, after a threat actor started advertising it on underground forums as operating fully on smart contracts. The threat actor claimed that commands were delivered to bots encrypted, via multiple RPC (remote procedure call) networks, and validated before execution, completely removing the need for central infrastructure.

The malware was also advertised with anti-VM checks, AV scanning, and support for executing various types of payloads, and was offered at $200 for a lifetime license with panel and build access, or at $4,000 for the full C++ source and ongoing updates.

Bot management is available through a web-based panel that provides the operator with the option to update the available smart contracts with new commands and payloads, Qrator Labs notes. The commands reach the bots within a few moments. To retrieve them, the bots query public RPC endpoints to read the available smart contracts.

Aeternum also packs a scantime AV scanner, which allows the operators to verify their builds against 37 antivirus engines via the Kleenscan API, Qrator Labs explains.

The main selling point of the botnet, however, is the use of the Polygon blockchain for C&C communication. As Qrator Labs points out, this makes Aeternum's infrastructure permanent and increases its resilience against takedowns.
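Because the bots fetch commands by reading smart contracts through public RPC endpoints, egress telemetry is where this C&C channel becomes visible to defenders. The hunt below is an added example, not code from Qrator Labs or SecurityWeek; it assumes a TLS-inspecting proxy or EDR log that records process, destination and JSON-RPC method, and that contract reads appear as eth_call. The host list, allowlist, log schema and sample records are constructed.

```python
import json
from collections import defaultdict

# Assumption: illustrative public Polygon RPC hosts, not indicators from the
# Qrator Labs report; replace with the endpoints seen in your environment.
POLYGON_RPC_HOSTS = {"polygon-rpc.com", "rpc.ankr.com"}
# Assumption: software expected to talk to blockchain RPC (browsers, wallets).
EXPECTED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed sample records; the schema and "svcupd.exe" are hypothetical.
SAMPLE_LOG = """\
{"ts": 100, "host": "WS-014", "process": "chrome.exe", "dest": "polygon-rpc.com", "rpc_method": "eth_call"}
{"ts": 100, "host": "WS-022", "process": "svcupd.exe", "dest": "polygon-rpc.com", "rpc_method": "eth_call"}
{"ts": 130, "host": "WS-031", "process": "python.exe", "dest": "polygon-rpc.com", "rpc_method": "eth_blockNumber"}
{"ts": 140, "host": "WS-031", "process": "python.exe", "dest": "polygon-rpc.com", "rpc_method": "eth_call"}
{"ts": 160, "host": "WS-022", "process": "svcupd.exe", "dest": "rpc.ankr.com", "rpc_method": "eth_call"}
{"ts": 220, "host": "WS-022", "process": "svcupd.exe", "dest": "polygon-rpc.com", "rpc_method": "eth_call"}
{"ts": 280, "host": "WS-022", "process": "svcupd.exe", "dest": "rpc.ankr.com", "rpc_method": "eth_call"}
not-json
"""

def hunt(log_text, min_reads=3):
    """Report unexpected processes that repeatedly read contracts over Polygon RPC."""
    stats = defaultdict(lambda: {"reads": 0, "endpoints": set(), "times": []})
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting the hunt
        if rec.get("dest") not in POLYGON_RPC_HOSTS or rec.get("rpc_method") != "eth_call":
            continue  # only contract reads sent to a blockchain RPC endpoint
        if str(rec.get("process", "")).lower() in EXPECTED_PROCESSES:
            continue  # browsers and wallets legitimately make these calls
        s = stats[(rec.get("host", "?"), rec.get("process", "?"))]
        s["reads"] += 1
        s["endpoints"].add(rec["dest"])
        s["times"].append(rec.get("ts", 0))
    findings = []
    for (host, proc), s in sorted(stats.items()):
        if s["reads"] < min_reads:
            continue
        times = sorted(s["times"])
        gaps = [b - a for a, b in zip(times, times[1:])]  # polling interval hints
        findings.append({"host": host, "process": proc, "reads": s["reads"],
                         "endpoints": sorted(s["endpoints"]),
                         "mean_gap_s": sum(gaps) / len(gaps) if gaps else None})
    return findings

if __name__ == "__main__":
    print(hunt(SAMPLE_LOG))
```

A steady read interval and rotation across several RPC hosts from a non-wallet process are the signals worth triaging; blocking the endpoints outright may also break legitimate decentralized applications.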
The Polygon blockchain is used by numerous decentralized applications, including the world's largest prediction market, Polymarket, and its use incurs almost no cost for Aeternum's operators.

"The operational costs are negligible: $1 worth of MATIC, the native token of the Polygon network, is enough for 100 to 150 command transactions. The operator doesn't need to rent servers, register domains, or maintain any infrastructure beyond a crypto wallet and a local copy of the panel," Qrator Labs notes.

The Glupteba botnet, which was the target of a takedown effort in December 2021 but remained active and resurged due to its use of the Bitcoin blockchain as a backup C&C channel, illustrates the risks associated with botnets' use of decentralized networks.

"Whether or not Aeternum itself becomes widely adopted, blockchain-based command and control is now a turnkey product on the underground market. The model is sound, and other malware developers will iterate on it," Qrator Labs notes.

Ionut Arghire is an international correspondent for SecurityWeek.
The Aeternum botnet loader is a malware threat that uses the decentralized Polygon blockchain for its command-and-control (C&C) infrastructure, making it highly resilient to takedowns by operating through smart contracts and public RPC endpoints.