PROBABLYPWNED
Malware | February 28, 2026 | 4 min read

Aeternum Botnet Uses Polygon Blockchain as Takedown-Proof C2

New botnet loader stores encrypted commands in smart contracts on Polygon, making traditional infrastructure takedowns ineffective. Operating costs are under $1 for 100+ commands.

James Rivera

Security researchers have documented a botnet loader that hosts its command-and-control channel on the Polygon blockchain, which makes takedowns of that channel effectively impossible. Once commands are written to the chain they are immutable: there are no domains to seize, no hosting provider to send an abuse report to, and no server to disrupt.

Aeternum C2, as the malware is called, represents an evolution in how attackers build resilient botnets. Details first emerged in December 2025 when Outpost24's KrakenLabs identified a threat actor named LenAI advertising the toolkit on underground forums.

How Blockchain C2 Works

Traditional botnets communicate with command servers that defenders can identify and take down. Aeternum sidesteps this by using Polygon smart contracts as the command channel:

  1. Command publication — Operators write encrypted commands to smart contracts deployed on Polygon
  2. Bot queries — Infected machines query public RPC endpoints to read the blockchain state
  3. Command execution — Bots decrypt and execute retrieved instructions locally

The blockchain's immutability is the key property. Once a command transaction is confirmed on-chain, nobody, the operator included, can alter or remove it; the operator can only append new transactions, for example to overwrite the command the contract currently returns. Defenders can't file takedown requests with Polygon: there is no central authority that can censor transactions or revert the chain.

According to Qrator Labs' analysis, the operational economics are remarkably cheap: $1 worth of MATIC (Polygon's native gas token, since rebranded POL) covers 100 to 150 command transactions. No servers to rent, no domains to register, no hosting providers to evade. The entire C2 infrastructure lives on public blockchain infrastructure that defenders can read but cannot disrupt.
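As an added illustration of the three steps above (this is example code written for this article, not Aeternum's loader or panel), the following Python models one command round trip. Everything specific is assumed: the contract ABI (setCommand(string) and getCommand()), the 4-byte selectors, the contract address, the shared key, and a SHA-256 keystream XOR as the cipher; the page documents none of Aeternum's real contract or encryption details. The Polygon node is replaced by an in-memory stand-in that answers eth_call the way a real JSON-RPC node would for this ABI.

```python
"""Added example, not Aeternum's code: one command round trip over a contract.

The operator publishes an encrypted command by calling a setter on a contract
and the bot reads it back with a JSON-RPC eth_call. The ABI, selectors,
contract address, key and cipher below are all assumptions for illustration.
"""
import hashlib
import json

SET_SELECTOR = bytes.fromhex("deadbeef")    # hypothetical selector for setCommand(string)
GET_SELECTOR = bytes.fromhex("cafebabe")    # hypothetical selector for getCommand()
CONTRACT = "0x" + "11" * 20                 # hypothetical contract address
LOADER_KEY = b"key-baked-into-the-loader"   # hypothetical secret shared by panel and loader


def keystream(key: bytes, n: int) -> bytes:
    """Counter-mode SHA-256 keystream (assumed cipher, stands in for whatever the loader uses)."""
    out = bytearray()
    for counter in range(0, n, 32):
        out += hashlib.sha256(key + (counter // 32).to_bytes(4, "big")).digest()
    return bytes(out[:n])


def xor_crypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def abi_encode_string(s: bytes) -> bytes:
    """Solidity ABI encoding of a single `string`: offset word, length word, data padded to 32."""
    pad = (32 - len(s) % 32) % 32
    return (32).to_bytes(32, "big") + len(s).to_bytes(32, "big") + s + b"\x00" * pad


def abi_decode_string(data: bytes) -> bytes:
    """Inverse of abi_encode_string with bounds checks, since the bot parses untrusted RPC output."""
    if len(data) < 64:
        raise ValueError("ABI data too short")
    offset = int.from_bytes(data[:32], "big")
    if offset + 32 > len(data):
        raise ValueError("bad offset")
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        raise ValueError("truncated string")
    return data[start:start + length]


def operator_publish(command: str) -> dict:
    """Panel side: encrypt, hex-encode and wrap in setCommand(string) calldata (unsigned tx fields)."""
    ciphertext = xor_crypt(LOADER_KEY, command.encode())
    calldata = SET_SELECTOR + abi_encode_string(ciphertext.hex().encode())
    return {"to": CONTRACT, "data": "0x" + calldata.hex()}


class FakeChain:
    """Stand-in for Polygon: mutable contract storage plus an append-only transaction log."""

    def __init__(self):
        self.storage = {}
        self.log = []

    def apply_tx(self, tx: dict) -> None:
        data = bytes.fromhex(tx["data"][2:])
        if data[:4] != SET_SELECTOR:
            raise ValueError("unknown function")
        self.storage[tx["to"]] = abi_decode_string(data[4:])
        self.log.append(tx)  # confirmed transactions are never removed, only added to

    def rpc(self, request_json: str) -> str:
        """Minimal JSON-RPC server supporting only eth_call of getCommand()."""
        req = json.loads(request_json)
        if req.get("method") != "eth_call":
            return json.dumps({"jsonrpc": "2.0", "id": req.get("id"),
                               "error": {"code": -32601, "message": "unsupported"}})
        call = req["params"][0]
        if bytes.fromhex(call["data"][2:])[:4] != GET_SELECTOR:
            raise ValueError("unknown function")
        stored = self.storage.get(call["to"], b"")
        return json.dumps({"jsonrpc": "2.0", "id": req["id"],
                           "result": "0x" + abi_encode_string(stored).hex()})


def bot_build_request() -> str:
    """Loader side: the read-only call an infected host sends to any public RPC node."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                       "params": [{"to": CONTRACT, "data": "0x" + GET_SELECTOR.hex()}, "latest"]})


def bot_fetch_command(send) -> str:
    """Loader side: decode the ABI string, un-hex the ciphertext, decrypt."""
    resp = json.loads(send(bot_build_request()))
    hex_ct = abi_decode_string(bytes.fromhex(resp["result"][2:]))
    return xor_crypt(LOADER_KEY, bytes.fromhex(hex_ct.decode())).decode()


def demo():
    chain = FakeChain()
    chain.apply_tx(operator_publish("download https://example.invalid/payload.bin"))
    first = bot_fetch_command(chain.rpc)
    chain.apply_tx(operator_publish("sleep 3600"))  # replaces the current command; old tx stays logged
    return first, bot_fetch_command(chain.rpc), len(chain.log)


if __name__ == "__main__":
    print(demo())
```

Two things the code makes concrete: the bot's request is an ordinary read-only eth_call that any public RPC node will answer, so it touches no operator-owned infrastructure; and a later setCommand changes what getCommand returns but leaves the earlier transaction in the log, which is why a defender can read the whole command history but never erase it.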

Inside the Aeternum Toolkit

The C2 panel is implemented as a Next.js web application, offering operators a modern interface to manage their botnet:

  • Deploy multiple smart contracts simultaneously
  • Select contract, command type, and payload URL
  • Target all infected endpoints or specific subsets
  • Deploy various payloads: clippers, stealers, RATs, cryptominers

The loader itself is native C++ with builds for both 32-bit and 64-bit Windows systems. Anti-analysis features include virtualization detection and integration with Kleenscan for antivirus evasion testing before deployment.

Pricing and Availability

LenAI initially offered two tiers:

  • $200 — Panel access plus a configured build
  • $4,000 — Complete C++ source code with ongoing updates

By February 2026, LenAI had reportedly attempted to sell the entire toolkit for $10,000, suggesting either an exit from the market or consolidation with other operations. The same threat actor also operates ErrTraffic, a ClickFix automation tool—a pattern we've tracked in previous ClickFix-related malware campaigns.

Why This Matters for Defenders

Traditional botnet takedowns rely on disrupting infrastructure: seizing domains, working with hosting providers to null-route C2 servers, or law enforcement operations against physical infrastructure. Blockchain-based C2 routes around all of these mechanisms.

Defenders can still:

  • Block known Polygon RPC endpoints at the network perimeter (this breaks legitimate blockchain applications, and a loader can be pointed at any of the many public RPC providers or at an operator-run node, so a blocklist is a brittle control)
  • Detect and remove the loader from infected endpoints
  • Monitor blockchain transactions to the known smart contracts for threat intelligence
  • Use the blockchain's public nature to observe commands and prepare defenses

But the asymmetry has shifted. Operators can redeploy using the same contracts even after full remediation of all infected machines—nothing to rebuild, no infrastructure loss from takedowns.

Connection to Broader Malware Trends

Aeternum isn't the first malware to abuse blockchain infrastructure, but it represents a maturation of the technique. Previous blockchain-based C2 implementations were often experimental or unreliable. Aeternum's productized approach—web panel, multiple payload types, anti-analysis features—suggests the technique has crossed into mainstream malware operations.

This evolution parallels other infrastructure innovations we've tracked. The Dohdoor malware campaign similarly abused legitimate infrastructure (DNS-over-HTTPS) to tunnel C2 traffic through channels defenders can't easily block without breaking legitimate functionality. The ColdFusion Christmas attack demonstrated how attackers increasingly leverage distributed infrastructure to evade traditional network-based defenses.

Detection and Monitoring

Organizations should watch for:

  • Unusual Polygon RPC traffic — Particularly from endpoints that shouldn't be interacting with blockchain infrastructure
  • Known Aeternum indicators — Published IOCs include specific contract addresses and wallet identifiers
  • Loader behavioral signatures — Anti-analysis checks such as virtualization detection, process injection, and outbound JSON-RPC calls from a process that has no legitimate reason to read a blockchain (Kleenscan is used by the operator to test builds before deployment, so it leaves no trace on victim endpoints)
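One way to act on the first and third indicators, as added example code (not from the article, Qrator Labs or Outpost24), run over constructed proxy log records with the field names assumed here. The RPC hostnames, the watched contract address and the allowed-process list are placeholders for your own inventory and the published IOCs. Beyond flagging a watched contract, it also catches the periodic read-only polling a loader does, which is the pattern that survives a change of contract address.

```python
"""Added example, not from the article or any vendor: hunting for Polygon
JSON-RPC traffic from endpoints that have no business talking to a blockchain.

Input is a list of constructed web-proxy records (one JSON object per line).
Hostnames, the watched contract and the allowed processes are placeholders.
"""
import json
from collections import defaultdict

POLYGON_RPC_HOSTS = {"polygon-rpc.com", "rpc.ankr.com", "polygon-mainnet.infura.io",
                     "polygon.llamarpc.com"}        # assumed watchlist of public RPC hosts
WATCHED_CONTRACTS = {"0x" + "11" * 20}             # hypothetical address standing in for an IOC
ALLOWED_PROCESSES = {"wallet.exe"}                 # processes approved to use blockchain RPC

LOG_LINES = [  # constructed sample records, not real telemetry
    json.dumps({"ts": 1000, "src": "FIN-LAPTOP", "proc": "wallet.exe", "dst": "polygon-rpc.com",
                "body": '{"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}'}),
    *[json.dumps({"ts": t, "src": "WS-0421", "proc": "updater.exe", "dst": "polygon-rpc.com",
                  "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                                      "params": [{"to": "0x" + "11" * 20, "data": "0xcafebabe"},
                                                 "latest"]})})
      for t in (2000, 2060, 2121)],
    json.dumps({"ts": 3000, "src": "WS-0777", "proc": "chrome.exe", "dst": "polygon.llamarpc.com",
                "body": json.dumps({"jsonrpc": "2.0", "id": 7, "method": "eth_call",
                                    "params": [{"to": "0x" + "22" * 20, "data": "0x"}, "latest"]})}),
    json.dumps({"ts": 3001, "src": "WS-0777", "proc": "chrome.exe", "dst": "api.example.invalid",
                "body": '{"q": "weather"}'}),
]


def parse_rpc(body):
    """Return the JSON-RPC message if the body is one, else None (bodies are untrusted input)."""
    try:
        msg = json.loads(body)
    except (TypeError, ValueError):
        return None
    return msg if isinstance(msg, dict) and isinstance(msg.get("method"), str) else None


def call_target(msg):
    """Contract address targeted by an eth_call, lower-cased, or '' if this is not an eth_call."""
    if not msg or msg.get("method") != "eth_call":
        return ""
    params = msg.get("params") or []
    first = params[0] if params and isinstance(params[0], dict) else {}
    return str(first.get("to", "")).lower()


def classify(rec):
    """Per-record rules: returns a list of (severity, reason)."""
    msg = parse_rpc(rec.get("body", ""))
    rpc_host = rec["dst"].lower() in POLYGON_RPC_HOSTS
    eth_rpc = msg is not None and msg["method"].startswith("eth_")
    if not (rpc_host or eth_rpc):
        return []
    target = call_target(msg)
    if target in WATCHED_CONTRACTS:
        return [("high", f"eth_call to watched contract {target} via {rec['dst']}")]
    if rec["proc"].lower() not in ALLOWED_PROCESSES:
        return [("medium", f"blockchain JSON-RPC from unexpected process {rec['proc']}")]
    return []


def periodic_pollers(records, min_calls=3, jitter=5):
    """(src, proc) pairs issuing eth_call at a near-constant interval: loader polling, not a user."""
    by_key = defaultdict(list)
    for r in records:
        if call_target(parse_rpc(r.get("body", ""))):
            by_key[(r["src"], r["proc"])].append(r["ts"])
    out = []
    for key, ts in by_key.items():
        ts.sort()
        if len(ts) < min_calls:
            continue
        deltas = [b - a for a, b in zip(ts, ts[1:])]
        if max(deltas) - min(deltas) <= jitter:
            out.append((key, min(deltas)))
    return out


def analyse(lines):
    records = [json.loads(line) for line in lines]
    alerts = [{"src": r["src"], "severity": sev, "reason": why}
              for r in records for sev, why in classify(r)]
    for (src, proc), interval in periodic_pollers(records):
        alerts.append({"src": src, "severity": "medium",
                       "reason": f"{proc} polls eth_call roughly every {interval}s"})
    return alerts


if __name__ == "__main__":
    for alert in analyse(LOG_LINES):
        print(alert)
```

The contract-address rule is the high-confidence one but is tied to published IOCs; the unexpected-process and polling-cadence rules are what catch a fresh contract, at the cost of tuning the allowed-process list for any team that legitimately uses a wallet or node.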

Endpoint detection remains the primary defense. The blockchain infrastructure can't be taken down, but the malware running on endpoints can be detected and removed. Traditional defenses—EDR, network monitoring, user awareness—still apply; the C2 channel innovation doesn't change the fundamentals of endpoint compromise and remediation.

For security teams tracking the evolving malware landscape, our malware category covers ongoing developments in delivery mechanisms and infrastructure techniques. The Aeternum toolkit's blockchain approach may remain niche, or it may signal a broader shift in how attackers build resilient infrastructure—either way, defenders need to adapt their takedown strategies accordingly.
