👤 TRUSTBREAKER
🗓️ 27 Feb 2026  

Unbreakable Command: How the Aeternum Botnet Hijacked the Blockchain

A sophisticated new botnet exploits the Polygon blockchain to make its malicious infrastructure nearly impossible to dismantle.

In the ever-evolving cat-and-mouse game between cybercriminals and defenders, a new player has upped the stakes. The Aeternum C2 botnet, recently dissected by cybersecurity researchers, has pioneered a chillingly resilient method of command-and-control - one that could redefine how botnets hide in plain sight. By embedding its instructions deep within the Polygon blockchain, Aeternum achieves a level of permanence and stealth that traditional takedown tactics simply can’t touch.

Traditional botnets rely on servers or domains for their command-and-control (C2) networks, making them vulnerable to takedown operations by law enforcement or vigilant security teams. But Aeternum C2, first advertised by the threat actor “LenAI” in late 2025, flips the script. Instead of ephemeral infrastructure, Aeternum writes its marching orders directly into smart contracts on the public Polygon blockchain - a decentralized ledger used by countless legitimate applications.

Here’s how the scheme works: Aeternum’s malware, available for both 32- and 64-bit Windows systems, polls the Polygon network for new smart contract transactions. When operators want to issue a command - whether it’s to deploy a stealer, miner, or remote access trojan - they encrypt the instruction and write it as a transaction to a chosen smart contract. Every infected device, querying public endpoints, deciphers the new orders and executes them. Since only the wallet holder can issue or update these commands, and the blockchain itself is immutable, the C2 channel is effectively indestructible.
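Because every infected device has to poll public Polygon endpoints, that polling shows up in egress telemetry even though the contract itself cannot be taken down. The sketch below is an added example, not code from the researchers or from the original article: it flags processes outside an allow-list that contact blockchain RPC hosts at near-constant intervals. The host watchlist, allow-list, thresholds, process names and log lines are all constructed assumptions, not Aeternum indicators.

```python
import csv, io, statistics
from collections import defaultdict
from datetime import datetime

# Assumption: watchlist of public Polygon JSON-RPC hosts (the article names none).
# polygon-rpc.com is a public endpoint; the second entry is a placeholder.
RPC_HOSTS = {"polygon-rpc.com", "rpc.polygon-provider.example"}
# Assumption: software expected to reach blockchain RPC in this environment.
EXPECTED = {"chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed EDR network events: time, host, process image, destination host.
SAMPLE = """\
2026-02-27T09:00:00,WS-022,svcupd.exe,polygon-rpc.com
2026-02-27T09:00:10,WS-014,chrome.exe,polygon-rpc.com
2026-02-27T09:01:00,WS-022,svcupd.exe,polygon-rpc.com
2026-02-27T09:02:01,WS-022,svcupd.exe,polygon-rpc.com
2026-02-27T09:02:30,WS-022,svcupd.exe,updates.vendor.example
2026-02-27T09:03:00,WS-022,svcupd.exe,polygon-rpc.com
2026-02-27T09:04:00,WS-022,svcupd.exe,polygon-rpc.com
2026-02-27T09:05:01,WS-022,svcupd.exe,polygon-rpc.com
2026-02-27T09:00:00,WS-031,python.exe,rpc.polygon-provider.example
2026-02-27T09:00:05,WS-031,python.exe,rpc.polygon-provider.example
2026-02-27T09:15:05,WS-031,python.exe,rpc.polygon-provider.example
2026-02-27T09:15:35,WS-031,python.exe,rpc.polygon-provider.example
2026-02-27T09:48:55,WS-031,python.exe,rpc.polygon-provider.example
"""

def find_rpc_pollers(log_text, min_events=5, max_jitter=0.2):
    """Return (host, process, events, mean_gap_s) for unexpected processes
    that contact RPC hosts at near-constant intervals (timer-driven polling)."""
    seen = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, host, proc, dest = row
        if dest.lower() in RPC_HOSTS and proc.lower() not in EXPECTED:
            seen[(host, proc)].append(datetime.fromisoformat(ts))
    findings = []
    for (host, proc), times in sorted(seen.items()):
        if len(times) < max(min_events, 2):
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: low means machine-like, regular check-ins.
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            findings.append((host, proc, len(times), round(mean)))
    return findings
```

A hit is a lead for triage rather than a verdict, since legitimate wallets and developer tooling also poll these endpoints; widen `max_jitter` if you expect randomized check-in intervals.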

The entire operation is managed via a slick web-based panel, built on Next.js, allowing even modestly skilled criminals to deploy powerful malware campaigns. For a mere $200, aspiring botmasters can access the tool; for $4,000, the full source code is up for grabs. The cost to actually run the botnet? Practically pocket change - just a few dollars in MATIC tokens covers hundreds of commands.

Aeternum is loaded with anti-analysis tricks, like detecting virtual machines and offering customers tools to evade antivirus detection. Its creator, LenAI, even offered to sell the whole project for $10,000, citing time constraints and a new venture. Meanwhile, LenAI’s other offerings, like the ErrTraffic click fraud toolkit, underscore the growing professionalism and diversification of today’s cybercrime ecosystem.

While previous botnets have toyed with blockchain backup mechanisms, Aeternum represents a seismic shift: the full embrace of decentralized, censorship-resistant technology for malicious command infrastructure. As defenders scramble to adapt, one thing is clear - the rules of the cybercrime game are being rewritten, one irreversible transaction at a time.

WIKICROOK

  • Botnet: A botnet is a network of infected devices remotely controlled by cybercriminals, often used to launch large-scale attacks or steal sensitive data.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.
  • Smart Contract: A smart contract is self-executing code on a blockchain that enforces rules and processes automatically, removing the need for a middleman.
  • Polygon Blockchain: Polygon blockchain is a scalable, decentralized platform for fast, low-cost cryptocurrency transactions and decentralized applications, interoperable with Ethereum.
  • Encrypted Command: An encrypted command is a coded instruction that needs a decryption key to be read and executed, protecting it from unauthorized access.

TRUSTBREAKER
Zero-Trust Validation Specialist