Botnet Goes Immortal: “Aeternum C2” Hides Its Commands on the Polygon Blockchain, Evading Global Takedowns

What Happened

On February 26, 2026, security researchers disclosed a botnet loader named Aeternum C2 that uses the Polygon blockchain as its command-and-control (C2) channel.

Instead of contacting a normal C2 server (a domain or IP), infected systems pull encrypted commands directly from data embedded inside blockchain transactions.

This makes the C2 infrastructure:

  • Persistent (data cannot be deleted)
  • Decentralized (no single server to seize)
  • Resistant to domain takedown
  • Hard to disrupt without blocking blockchain access entirely

This is not the first time criminals have experimented with blockchain-based C2, but Aeternum is notable because it operationalizes the technique at scale and automates transaction parsing in a stable, repeatable loader framework.


What Aeternum C2 Actually Is

Aeternum C2 is not the full botnet payload. It is:

A lightweight loader whose only job is to retrieve encrypted commands from Polygon, decrypt them, and execute secondary payloads.

Think of it as a “delivery and instruction engine” rather than the malware that steals data itself.

Core characteristics:

  • Written in C++, with .NET variants also observed
  • Obfuscated with control-flow flattening
  • API hashing to avoid static detection
  • String encryption for wallet addresses and decryption keys
  • Uses HTTPS RPC endpoints for blockchain queries

How It Works

Stage 1 — Initial Infection

Victim executes dropper (details below).

Stage 2 — Loader Execution

The Aeternum loader:

  1. Establishes persistence
  2. Contacts a Polygon RPC endpoint
  3. Queries the transaction history of specific wallet addresses
  4. Extracts hex-encoded data from the transaction input field
  5. Decrypts the data using an embedded AES key
  6. Validates the payload using a SHA256 checksum
  7. Executes the next-stage payload in memory

No traditional C2 server is contacted.


Initial Access Vector

Based on telemetry patterns and malware distribution campaigns, initial infection methods likely include:

Observed Distribution Channels

  • Malicious cracked software installers
  • Fake crypto wallet updates
  • Trojanized trading tools
  • Malicious browser extension installers
  • Phishing emails with ZIP/ISO attachments
  • Malvertising redirects

Most Common Vector Observed

Fake Web3 / crypto trading tools distributed through:

  • Telegram channels
  • Discord groups
  • Fake GitHub repositories
  • Sponsored search ads

Vulnerabilities Exploited

No zero-day exploitation observed so far.

Infections rely primarily on:

  • User execution (social engineering)
  • Masquerading as legitimate crypto tools
  • Signed binaries using stolen code-signing certificates (in limited cases)

No confirmed exploitation of RCE vulnerabilities in this wave.


Persistence Mechanisms

The Aeternum loader establishes persistence using:

Windows Registry Run Key

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Aeternum

Scheduled Task

\Microsoft\Windows\UpdateCheckService

Startup Folder Drop

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\update.exe

Some variants use:

  • WMI permanent event subscriptions
  • COM hijacking

Payloads Delivered

The loader is modular. Observed second-stage payload types:

1. Info-Stealers

  • Chromium credential harvesting
  • Crypto wallet file extraction
  • Clipboard monitoring
  • Discord token theft

2. Crypto Drainers

  • Injects malicious Web3 scripts
  • Replaces wallet addresses in clipboard

3. RAT (Remote Access Trojan)

  • Keylogging
  • Screenshot capture
  • File upload/download
  • Reverse shell over HTTPS

4. Proxy Module

  • Turns victim into residential proxy node

5. Crypto Miner (limited cases)

  • XMRig-based module

Encryption & Obfuscation

Commands on-chain are:

  • AES-256 encrypted
  • Base64 encoded
  • Embedded in transaction input data

Loader uses:

  • Hardcoded AES key (rotates periodically)
  • XOR string decryption for wallet addresses
  • Delayed execution (sleep 300–900 seconds randomized)
  • Sandbox evasion checks:
    • Low RAM detection (< 4GB)
    • VM artifacts
    • No user interaction detection

Anti-Malware Evasion

Aeternum employs:

  • In-memory execution (no dropped payloads)
  • Indirect syscalls
  • AMSI patching in .NET variant
  • Defender exclusion attempts via PowerShell (Add-MpPreference -ExclusionPath)

Some builds attempt to disable:

  • Windows Defender real-time monitoring
  • Event tracing for Windows (ETW)

Indicators of Compromise (IOCs)

Blockchain Indicators

  • Repeated RPC queries to:
    • polygon-rpc.com
    • rpc-mainnet.matic.network
  • High-frequency POST requests to JSON-RPC endpoints

Suspicious Wallet Pattern

Wallets with:

  • Small recurring transactions
  • Consistent hex payload size (~800–1500 bytes)
  • Periodic transaction bursts
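The wallet traits above can be turned into a triage check over a recipient's transaction list. The following is an added example written for this post, not code from the researchers or the original page; the addresses, transactions, the wei cut-off and the 75% ratios are constructed assumptions, and it scores the first two traits (recurring small value, consistent input size).

```python
from collections import Counter

# Thresholds from the page: input payload size of ~800-1500 bytes and small recurring
# transfer values. The wei cut-off and the 75% ratios are assumptions, not from the page.
PAYLOAD_MIN_BYTES, PAYLOAD_MAX_BYTES = 800, 1500
SMALL_VALUE_WEI = 10**15   # assumed: transfers of 0.001 MATIC or less count as "small"
MIN_TXS = 4

def _fake_input(nbytes):
    """Constructed hex calldata of a given byte length (placeholder content, not real)."""
    return "0x" + "ab" * nbytes

# Constructed transaction records (recipient, value in wei as int, hex input) shaped like
# a decoded eth_getTransactionByHash result; the addresses are placeholders, not real wallets.
SAMPLE_TXS = [
    {"to": "0xC2WALLET", "value": 10**14, "input": _fake_input(1024)},
    {"to": "0xC2WALLET", "value": 10**14, "input": _fake_input(1030)},
    {"to": "0xC2WALLET", "value": 10**14, "input": _fake_input(1018)},
    {"to": "0xC2WALLET", "value": 10**14, "input": _fake_input(1027)},
    {"to": "0xC2WALLET", "value": 10**14, "input": "0x"},  # an empty-input tx is tolerated
    {"to": "0xDEXROUTER", "value": 5 * 10**18, "input": _fake_input(196)},
    {"to": "0xDEXROUTER", "value": 10**14, "input": _fake_input(4)},
    {"to": "0xDEXROUTER", "value": 2 * 10**17, "input": _fake_input(1100)},
    {"to": "0xDEXROUTER", "value": 10**18, "input": _fake_input(68)},
]

def input_size_bytes(tx):
    return (len(tx["input"]) - 2) // 2 if tx["input"].startswith("0x") else len(tx["input"]) // 2

def score_wallet(txs):
    """Return (score, reasons) for one recipient's transactions; each matched trait adds 1."""
    reasons = []
    if len(txs) < MIN_TXS:
        return 0, reasons
    sizes = [input_size_bytes(t) for t in txs]
    in_band = sum(PAYLOAD_MIN_BYTES <= s <= PAYLOAD_MAX_BYTES for s in sizes)
    if in_band / len(txs) >= 0.75:
        reasons.append(f"{in_band}/{len(txs)} inputs are {PAYLOAD_MIN_BYTES}-{PAYLOAD_MAX_BYTES} bytes")
    top_value, top_count = Counter(t["value"] for t in txs).most_common(1)[0]
    if top_value <= SMALL_VALUE_WEI and top_count / len(txs) >= 0.75:
        reasons.append(f"{top_count}/{len(txs)} transfers repeat the same small value ({top_value} wei)")
    return len(reasons), reasons

def triage_wallets(txs):
    """Group by recipient; return {wallet: reasons} for wallets that show both traits."""
    by_wallet = {}
    for tx in txs:
        by_wallet.setdefault(tx["to"], []).append(tx)
    scored = {w: score_wallet(t) for w, t in by_wallet.items()}
    return {w: reasons for w, (score, reasons) in scored.items() if score == 2}
```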

File Hash Patterns (Behavioral, not exact hashes)

Loader characteristics:

  • PE size: 150–350 KB
  • High entropy sections
  • No version info
  • Compiled with recent MSVC runtime

Mutex Observed

Global\AETERNUM_LOCK_01
Global\MTX_POLY_C2

Network Patterns

User-agent anomalies:

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36

(with static minor version numbers)

Beaconing interval:

  • 5–15 minutes randomized

What Has Been Impacted

Primary targets:

  • Crypto traders
  • Web3 developers
  • NFT communities
  • DeFi users
  • Windows home users

Enterprise impact observed in:

  • Small fintech firms
  • Crypto startups
  • Marketing agencies handling Web3 campaigns

No confirmed impact on large critical infrastructure sectors so far.


Why Traditional Takedown Fails

Because the command data lives permanently on Polygon:

  • Law enforcement cannot seize a server
  • Blockchain nodes cannot selectively delete transactions
  • Even if the wallet is flagged, its data remains readable

The only mitigation options are:

  • Detect and block loader behavior
  • Monitor RPC traffic
  • Disrupt endpoints

Detection Engineering Guidance

Sigma Rule

title: Suspicious Polygon RPC Communication from Non-Web3 Host
logsource:
  category: network_connection
detection:
  selection:
    DestinationHostname|contains:
      - polygon-rpc.com
      - matic.network
  condition: selection
falsepositives:
  - legitimate blockchain applications
level: medium

EDR Detection Logic

Flag process if:

  • Non-browser process initiates repeated HTTPS POST to Polygon RPC
  • Followed by:
    • Memory allocation + RWX permissions
    • CreateRemoteThread
    • Suspicious PowerShell spawn

Threat Hunting Queries

Hunt 1: Unusual Blockchain Traffic

Look for endpoints:

  • Finance department machines contacting Polygon
  • Systems without crypto software querying RPC endpoints
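The Sigma rule, the EDR logic and Hunt 1 share one idea: Polygon RPC traffic from a process or host that has no business doing Web3. This added example (not code from the original post or from the researchers) applies that idea to constructed Sysmon-style network_connection events and adds the 5 to 15 minute beaconing check from the network indicators; the process allowlist and the minimum connection count are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime
from statistics import median

# Hostnames from the page's blockchain indicators and Sigma rule.
POLYGON_RPC_SUFFIXES = ("polygon-rpc.com", "matic.network")
# Assumed allowlist of processes for which Polygon RPC traffic is plausibly legitimate;
# extend it with the Web3 software actually deployed in your environment.
ALLOWED_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
BEACON_MIN_S, BEACON_MAX_S = 5 * 60, 15 * 60  # 5-15 minute beaconing interval from the page
MIN_CONNECTIONS = 3                           # assumed: fewer hits is not yet "repeated"

# Constructed Sysmon-style network_connection events (not real telemetry).
SAMPLE_EVENTS = [
    '{"ts":"2026-02-26T09:00:00","host":"FIN-PC-07","image":"update.exe","dst":"polygon-rpc.com"}',
    '{"ts":"2026-02-26T09:08:30","host":"FIN-PC-07","image":"update.exe","dst":"polygon-rpc.com"}',
    '{"ts":"2026-02-26T09:20:10","host":"FIN-PC-07","image":"update.exe","dst":"rpc-mainnet.matic.network"}',
    '{"ts":"2026-02-26T09:31:00","host":"FIN-PC-07","image":"update.exe","dst":"polygon-rpc.com"}',
    '{"ts":"2026-02-26T09:01:00","host":"DEV-PC-02","image":"chrome.exe","dst":"polygon-rpc.com"}',
    '{"ts":"2026-02-26T09:02:00","host":"DEV-PC-02","image":"chrome.exe","dst":"polygon-rpc.com"}',
    '{"ts":"2026-02-26T09:05:00","host":"HR-PC-01","image":"outlook.exe","dst":"polygon-rpc.com"}',
]

def is_polygon_rpc(hostname):
    return hostname.lower().endswith(POLYGON_RPC_SUFFIXES)

def find_suspicious_beacons(event_lines):
    """Return {(host, image): median_gap_seconds} for non-allowlisted processes that reach
    Polygon RPC hosts repeatedly at a 5-15 minute cadence."""
    buckets = defaultdict(list)
    for line in event_lines:
        ev = json.loads(line)
        if not is_polygon_rpc(ev["dst"]) or ev["image"].lower() in ALLOWED_IMAGES:
            continue
        buckets[(ev["host"], ev["image"])].append(datetime.fromisoformat(ev["ts"]))
    hits = {}
    for key, times in buckets.items():
        if len(times) < MIN_CONNECTIONS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if BEACON_MIN_S <= med <= BEACON_MAX_S:
            hits[key] = med
    return hits

if __name__ == "__main__":
    for (host, image), gap in find_suspicious_beacons(SAMPLE_EVENTS).items():
        print(f"{host}: {image} beacons to Polygon RPC every ~{gap / 60:.1f} min")
```

A single outlook.exe hit or browser traffic does not fire; the Sigma rule alone would flag both, so this adds the process and cadence context the EDR logic asks for.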

Hunt 2: Memory Injection Pattern

Search for:

  • VirtualAlloc with PAGE_EXECUTE_READWRITE
  • Followed by WriteProcessMemory
  • Followed by CreateThread

Hunt 3: Registry Persistence

Query:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

for unexpected entries referencing random-named executables.


Incident Response Playbook

If an Aeternum infection is suspected:

  1. Isolate host immediately
  2. Dump memory for forensic review
  3. Extract wallet address queried by malware
  4. Block RPC domains at firewall
  5. Rotate all credentials
  6. Revoke crypto wallet access
  7. Check lateral movement
  8. Hunt across environment

Risk Outlook

This marks a shift toward:

  • Decentralized criminal infrastructure
  • “Untakedownable” C2 channels
  • Blending cybercrime with blockchain systems

We should expect:

  • Expansion to other EVM-compatible chains
  • Smart-contract triggered payloads
  • Multi-chain fallback mechanisms

Executive Summary

Aeternum C2 is dangerous not because it steals data differently — but because it hides its instructions somewhere that cannot be taken down.

Instead of calling a criminal server, infected computers read commands from the Polygon blockchain. Since blockchains are permanent and decentralized, there’s nothing to seize.

This forces defenders to stop thinking about “taking down servers” and instead focus on detecting malicious behavior on endpoints and monitoring abnormal blockchain communication patterns.


Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.