AETERNUM is a botnet that hides its command-and-control instructions in smart contracts on the Polygon blockchain, according to Qrator Labs. By decentralising its C2, the malware aims to be harder to detect and disrupt, avoiding traditional server-based takedowns and increasing resilience in the wild.
Infected machines poll public RPC endpoints to read on-chain instructions. Operators manage those instructions through a web dashboard: they select a contract, choose an action, add a payload URL, and send the command as a blockchain transaction. Once confirmed, the instruction becomes immutable and visible to all infected hosts. Operators can run multiple contracts with different payloads such as stealers, clippers, RATs or miners, and a ping feature tracks active infections using hardware IDs and HTTP fingerprinting.
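Because the infected host has to keep polling an RPC endpoint, the polling itself is something defenders can hunt for in egress logs. The sketch below is an added example, not code from Qrator Labs or from the malware: it flags internal hosts that contact a watched RPC hostname at a near-constant interval. The log format, host names, watchlist entries and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: defender-maintained list of public blockchain RPC hostnames.
# These are placeholders, not indicators taken from the report.
RPC_WATCHLIST = {"rpc.polygon.example", "public-node.example"}
# Hosts with a legitimate reason to query a chain (hypothetical name).
ALLOWLIST = {"dev-web3-01"}

# Constructed egress log: ISO timestamp, source host, destination host.
SAMPLE_LOG = """\
2025-01-10T09:00:00 ws-114 rpc.polygon.example
2025-01-10T09:01:00 ws-201 public-node.example
2025-01-10T09:02:10 ws-201 public-node.example
2025-01-10T09:03:00 dev-web3-01 rpc.polygon.example
2025-01-10T09:05:02 ws-114 rpc.polygon.example
2025-01-10T09:06:00 ws-114 intranet.example
2025-01-10T09:08:00 dev-web3-01 rpc.polygon.example
2025-01-10T09:09:58 ws-114 rpc.polygon.example
2025-01-10T09:13:00 dev-web3-01 rpc.polygon.example
2025-01-10T09:15:01 ws-114 rpc.polygon.example
2025-01-10T09:18:00 dev-web3-01 rpc.polygon.example
2025-01-10T09:20:00 ws-114 rpc.polygon.example
2025-01-10T09:40:00 ws-201 public-node.example
2025-01-10T11:15:00 ws-201 public-node.example
"""

def find_rpc_pollers(log, min_hits=4, max_jitter=0.2):
    """Return {(src, dest): mean gap in seconds} for hosts contacting a
    watched RPC endpoint at a near-constant interval."""
    seen = defaultdict(list)
    for line in log.strip().splitlines():
        ts, src, dest = line.split()
        if dest in RPC_WATCHLIST and src not in ALLOWLIST:
            seen[(src, dest)].append(datetime.fromisoformat(ts))
    flagged = {}
    for key, times in seen.items():
        if len(times) < min_hits:
            continue  # too few samples to judge periodicity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Coefficient of variation: a low value means machine-like regularity.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged[key] = avg
    return flagged

if __name__ == "__main__":
    for (src, dest), gap in find_rpc_pollers(SAMPLE_LOG).items():
        print(f"{src} polls {dest} about every {gap:.0f}s")
```

On the sample data only `ws-114` is reported: `ws-201` reaches the same kind of endpoint but at irregular intervals, and `dev-web3-01` is allowlisted.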
The model sidesteps server-based takedowns: the blockchain-based C2 is replicated across thousands of nodes, and there is no central server to seize. Past cases like Glupteba have shown blockchain used as a backup channel, whereas Aeternum makes it the primary channel.
The malware can be purchased as a lifetime package or as full C++ source code, with a claimed operating cost of about $1 in MATIC for over 100 blockchain command transactions. It includes anti-VM checks and a built-in AV scanner to test detection rates before deployment, which is claimed to yield undetected results on major engines such as CrowdStrike, Avast, Avira and ClamAV in a point-in-time snapshot.