
Aeternum C2: The Botnet That Lives on the Polygon Blockchain


Qrator Research Lab has uncovered Aeternum, a native C++ botnet loader that uses the Polygon blockchain as its sole command-and-control channel. Where predecessors such as Glupteba used a blockchain only as a fallback for recovering C2 addresses, Aeternum stores the encrypted commands themselves in a smart contract and reads them back with ordinary RPC calls. There are no servers to seize and no domains to sinkhole.

Why This Matters

  • Cost to operate: roughly $1 in MATIC pays for the on-chain updates that command thousands of bots
  • Command delivery: 2–3 minutes to reach all infected devices
  • Active: October 2025 – present
  • Price: $200 for panel access, $4,000 for full source code

How It Works

The infected machine sends a standard eth_call JSON-RPC request to a Polygon RPC endpoint. The call invokes getDomain() (function selector 0xb68d1809) on the attacker's deployed smart contract, which returns the current command, AES-256-GCM encrypted. Because eth_call is a read-only query that any public RPC node will answer for free, the bot never sends a transaction and needs no wallet; only the operator pays gas, once per command update. On the wire the request looks like any other dApp or wallet talking to Polygon:

{"jsonrpc": "2.0", "id": 1, "method": "eth_call", "params": [{"to": "0x4d70C3393C5d9EC325Edf8b3f289cFA9777e64B0", "data": "0xb68d1809"}, "latest"]}

Encryption

  • AES-256-GCM; the key is derived with PBKDF2-HMAC-SHA256 at 100,000 iterations
  • The PBKDF2 password is the contract address, lowercased
  • Critical weakness: the contract address is public on-chain and visible in every bot's RPC traffic, so anyone can derive the same key and decrypt every command, past and present
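The decryption path described in the two sections above, as an added example (not Qrator's tooling or the malware's own code): it derives the AES key from the lowercased contract address with PBKDF2-HMAC-SHA256, ABI-decodes the eth_call result, and opens the AES-256-GCM blob. The page does not give the PBKDF2 salt or the ciphertext layout, so the salt is a placeholder and the layout nonce(12) || ciphertext || tag(16) is an assumption; SampleReturnData plays the operator side only to construct test input.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"strings"
)

// Contract address and PBKDF2 iteration count are the values given on the page.
const (
	Contract   = "0x4d70C3393C5d9EC325Edf8b3f289cFA9777e64B0"
	Iterations = 100000
)
// ASSUMPTION: the page states no PBKDF2 salt or ciphertext layout; placeholder salt, nonce(12)||ct||tag(16).
var assumedSalt = []byte("aeternum-assumed-salt")

// pbkdf2SHA256 is RFC 8018 PBKDF2-HMAC-SHA256 for one 32-byte block (enough for AES-256).
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(append(append([]byte{}, salt...), 0, 0, 0, 1)) // salt || INT(1)
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// CommandKey is the weakness: the password is the public, lowercased contract address.
func CommandKey(contract string) []byte {
	return pbkdf2SHA256([]byte(strings.ToLower(contract)), assumedSalt, Iterations)
}

// DecodeABIString unpacks one ABI-encoded string/bytes return value: offset word (0x20), length word, padded payload.
func DecodeABIString(ret string) ([]byte, error) {
	raw, err := hex.DecodeString(strings.TrimPrefix(ret, "0x"))
	if err != nil || len(raw) < 64 || binary.BigEndian.Uint64(raw[24:32]) != 32 {
		return nil, errors.New("malformed return data")
	}
	n := binary.BigEndian.Uint64(raw[56:64])
	if n > uint64(len(raw)-64) {
		return nil, errors.New("length out of range")
	}
	return raw[64 : 64+n], nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// RecoverCommand is the defender path: ABI-decode the eth_call result, then open the blob.
func RecoverCommand(ethCallResult string) (string, error) {
	blob, err := DecodeABIString(ethCallResult)
	if err != nil {
		return "", err
	}
	gcm, err := gcmFor(CommandKey(Contract))
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return "", errors.New("blob too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	return string(pt), err
}

// SampleReturnData plays the operator side only to construct test input (what getDomain() would return for cmd).
func SampleReturnData(cmd string) (string, error) {
	gcm, err := gcmFor(CommandKey(Contract))
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	blob := gcm.Seal(nonce, nonce, []byte(cmd), nil)
	buf := make([]byte, 64) // word 0: offset 0x20, word 1: length
	buf[31] = 0x20
	binary.BigEndian.PutUint64(buf[56:], uint64(len(blob)))
	buf = append(append(buf, blob...), make([]byte, (32-len(blob)%32)%32)...)
	return "0x" + hex.EncodeToString(buf), nil
}
```

Against a real sample, replace the placeholder salt and layout with what the binary's PBKDF2 and GCM calls actually use; the rest of the pipeline (public password, free read-only eth_call, ABI string decoding) does not depend on those details. Note that GCM authentication still holds: a bit flipped anywhere in the blob makes gcm.Open fail rather than yield garbage, so a defender replaying historical contract state gets either the exact command or an error.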

Anti-Analysis

  1. CPUID thermal MSR check (VM detection)
  2. SMBIOS enumeration
  3. USB registry check (sandbox detection)
  4. Russian-locale geofencing (LANGID 1049 = 0x0419, ru-RU): the loader exits on Russian-language systems
  5. Per-string XOR obfuscation
  6. CRC32/DJB2 API hashing

Persistence

  • Install: AppData\Local\wmi[HOST_ID]\wmi_[HOST_ID].exe
  • .lnk in Startup folder
  • DLL: fileless via manual PE mapping
  • EXE: launched with PPID spoofing so that explorer.exe appears as the parent
  • Self-delete: renames its own primary data stream to the NTFS alternate data stream :wtfbbq and then marks the file for deletion, the rename-to-ADS trick that lets a running executable remove itself from disk
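A detection pass over the persistence artifacts listed above, as an added example (not Qrator's rules): it flags the install path with a consistent HOST_ID in both the folder and file name, a Startup-folder .lnk written by a binary at that path, and creation of a :wtfbbq alternate data stream. The "event=... image=... target=..." line format, the Sysmon-style event names, the HOST_ID and the file names are all constructed for this example; it assumes the EDR or Sysmon stream-creation event exposes the stream name in the target path.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding is one rule hit on one event line.
type Finding struct {
	Rule, Line string
}

var (
	// Constructed line format for this example: "event=<type> image=<path> target=<path>".
	eventRe = regexp.MustCompile(`^event=(\S+) image=(.*?) target=(.*)$`)
	// The page's install path, AppData\Local\wmi[HOST_ID]\wmi_[HOST_ID].exe; both
	// HOST_ID captures must agree, which keeps unrelated "wmi..." folders out.
	installRe = regexp.MustCompile(`(?i)\\AppData\\Local\\wmi([0-9a-z]+)\\wmi_([0-9a-z]+)\.exe$`)
	// A shortcut dropped into the per-user Startup folder.
	startupRe = regexp.MustCompile(`(?i)\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$`)
)

// IsInstallPath reports whether p matches the install path with a consistent HOST_ID.
func IsInstallPath(p string) bool {
	m := installRe.FindStringSubmatch(p)
	return m != nil && strings.EqualFold(m[1], m[2])
}

// Scan applies three rules: the install path, a Startup .lnk written by a binary
// at that path, and a new ":wtfbbq" stream (the rename-to-ADS self-delete).
func Scan(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		m := eventRe.FindStringSubmatch(l)
		if m == nil {
			continue
		}
		typ, image, target := m[1], m[2], m[3]
		switch {
		case typ == "FileCreate" && IsInstallPath(target):
			out = append(out, Finding{"aeternum_install_path", l})
		case typ == "FileCreate" && startupRe.MatchString(target) && IsInstallPath(image):
			out = append(out, Finding{"aeternum_startup_lnk", l})
		case typ == "FileCreateStreamHash" && strings.HasSuffix(strings.ToLower(target), ":wtfbbq"):
			out = append(out, Finding{"ads_self_delete_wtfbbq", l})
		}
	}
	return out
}

// SampleEvents are constructed for this example; HOST_ID, user and file names are made up.
var SampleEvents = []string{
	`event=FileCreate image=C:\Users\bob\Downloads\Logs.exe target=C:\Users\bob\AppData\Local\wmi7f3a9c\wmi_7f3a9c.exe`,
	`event=FileCreate image=C:\Users\bob\AppData\Local\wmi7f3a9c\wmi_7f3a9c.exe target=C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wmi.lnk`,
	`event=FileCreateStreamHash image=C:\Users\bob\Downloads\Logs.exe target=C:\Users\bob\Downloads\Logs.exe:wtfbbq`,
	`event=FileCreate image=C:\Windows\explorer.exe target=C:\Users\bob\AppData\Local\wmiabc\wmi_xyz.exe`,
	`event=FileCreate image=C:\Windows\System32\svchost.exe target=C:\Users\bob\AppData\Local\wmi_tools\report.txt`,
}

func main() {
	for _, f := range Scan(SampleEvents) {
		fmt.Printf("%-24s %s\n", f.Rule, f.Line)
	}
}
```

The fourth and fifth sample lines are the negative cases: a "wmi"-prefixed folder whose file name carries a different ID, and an ordinary wmi_tools directory, neither of which should fire. The Startup rule deliberately keys on the writing process rather than the shortcut's name, since the page does not say what the .lnk is called.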

Why Takedowns Fail

  • No servers to seize
  • No domains to sinkhole
  • Immutable blockchain records: published commands cannot be removed or altered by a third party
  • $1 MATIC = thousands of commands

IOCs

Contract: 0x4d70C3393C5d9EC325Edf8b3f289cFA9777e64B0
Wallet: 0xcaf2c54e400437da717cf215181b170f65187abf
github[.]com/caldop/test/raw/refs/heads/main/Logs.exe
zalupan[.]kozow[.]com:3000/files/zalupan2.exe

MITRE ATT&CK

  • T1071.001 Application Layer Protocol: Web Protocols (JSON-RPC over HTTPS to Polygon nodes)
  • T1008 Fallback Channels
  • T1140 Deobfuscate/Decode Files or Information
  • T1497 Virtualization/Sandbox Evasion
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1134 Access Token Manipulation (parent PID spoofing is sub-technique T1134.004)
  • T1070.004 Indicator Removal: File Deletion
  • T1105 Ingress Tool Transfer


Sources: Hackread | Hacker News
