Qrator Research Lab has uncovered Aeternum — a native C++ botnet loader that uses the Polygon blockchain as its primary and only command-and-control channel. Unlike predecessors such as Glupteba, which used the blockchain only as a fallback, Aeternum makes it the sole C2 infrastructure. There are no servers to seize and no domains to sinkhole.
Why This Matters
- Cost to operate: ~$1 in MATIC tokens commands thousands of bots
- Command delivery: 2–3 minutes to reach all infected devices
- Active: October 2025 – present
- Price: $200 for panel access, $4,000 for full source code
How It Works
The infected machine calls a Polygon RPC endpoint using a standard eth_call JSON-RPC request. It invokes getDomain() (selector 0xb68d1809) on a deployed smart contract, which returns an AES-256-GCM encrypted command. The malware decrypts the command locally and executes it.
JSON-RPC pattern:

```json
{
  "method": "eth_call",
  "params": [{
    "to": "0x4d70C3393C5d9EC325Edf8b3f289cFA9777e64B0",
    "data": "0xb68d1809"
  }, "latest"]
}
```
Command Syntax
```text
all:url:<URL>                          // Universal payload execution
all:savestartupname:<NAME>:url:<URL>   // Payload + persistence
hwid:url:<URL>                         // Targeted by host ID
```
Encryption
- Algorithm: AES-256-GCM
- Key derivation: PBKDF2-HMAC-SHA256, 100,000 iterations
- Key material: Lowercase smart contract address (salt + password)
- Critical weakness: Contract address is public — defenders can decrypt all commands
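As an added example (not Qrator's code and not the loader's own), this shows the defender-side recovery the weakness above enables: key derivation from the contract address exactly as listed, unpacking of the ABI-encoded eth_call return value, AES-256-GCM decryption, and parsing of the command strings from the Command Syntax section. Assumptions: the "0x"-prefixed lowercase address is used verbatim as both PBKDF2 password and salt, and each blob is nonce (12 bytes) || ciphertext || tag (16 bytes); the sample eth_call result is constructed.

```python
import hashlib

# Added example (not Qrator's or the malware's own code). Assumptions:
# PBKDF2 password and salt are both the UTF-8 bytes of the lowercase
# contract address (including "0x"), and a decrypted blob is laid out as
# 12-byte nonce || ciphertext || 16-byte GCM tag.
CONTRACT = "0x4d70C3393C5d9EC325Edf8b3f289cFA9777e64B0"
PBKDF2_ITERATIONS = 100_000

# Constructed eth_call result: ABI head (offset 0x20, length 5) + b"hello".
SAMPLE_RESULT = ("0x" + "20".rjust(64, "0") + "05".rjust(64, "0")
                 + b"hello".hex().ljust(64, "0"))

def derive_key(contract_addr: str) -> bytes:
    """PBKDF2-HMAC-SHA256, lowercase address as both password and salt."""
    material = contract_addr.lower().encode()
    return hashlib.pbkdf2_hmac("sha256", material, material,
                               PBKDF2_ITERATIONS, dklen=32)

def abi_decode_bytes(result_hex: str) -> bytes:
    """Unpack the single dynamic bytes/string value an eth_call returns."""
    raw = bytes.fromhex(result_hex.removeprefix("0x"))
    offset = int.from_bytes(raw[:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length]

def decrypt_command(blob: bytes, key: bytes) -> str:
    """AES-256-GCM decrypt of nonce || ciphertext || tag (assumed layout)."""
    from cryptography.hazmat.primitives.ciphers.aead import AESGCM  # pip install cryptography
    return AESGCM(key).decrypt(blob[:12], blob[12:], None).decode()

def parse_command(cmd: str) -> dict:
    """Split a plaintext command into target, persistence name and URL."""
    target, _, rest = cmd.partition(":")
    fields = {"target": target, "persist_name": None, "url": None}
    tokens = rest.split(":")
    i = 0
    while i < len(tokens):
        if tokens[i] == "savestartupname":
            fields["persist_name"] = tokens[i + 1]
            i += 2
        elif tokens[i] == "url":
            fields["url"] = ":".join(tokens[i + 1:])  # URL itself has ':'
            break
        else:
            raise ValueError(f"unknown token {tokens[i]!r}")
    return fields
```

Feed `abi_decode_bytes()` the `result` field of a real eth_call response and pass the bytes to `decrypt_command()` with `derive_key(CONTRACT)`; an authentication failure means the layout assumption above does not match the sample at hand.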
Anti-Analysis & Evasion
- CPUID check: Thermal MSRs absent on hypervisors → terminate
- SMBIOS enumeration: VMs have fewer than 10 BIOS characteristics bits
- USB registry check: Sandboxes have zero USB devices
- Geofencing: Blocks execution on Russian-locale systems (lang ID 1049)
- String obfuscation: Per-string XOR with unique keys
- API resolution: CRC32/DJB2 hashing to avoid plaintext API names
Persistence & Execution
- Install path: `AppData\Local\wmi[HOST_ID]\wmi_[HOST_ID].exe`
- Persistence: `.lnk` in Startup folder
- DLL payloads: Memory-only (fileless), manual PE mapping
- EXE payloads: PPID spoofing to explorer.exe
- Self-deletion: NTFS ADS rename to `:wtfbbq`
Why Takedowns Fail
- No servers to seize — commands live across thousands of validator nodes
- No domains to sinkhole — uses public Polygon RPC endpoints
- Immutable records — blockchain transactions cannot be deleted
- $1 MATIC to command thousands of bots
Detection & Hunting
Network
- `eth_call` JSON-RPC from non-crypto workstations
- Function selector `0xb68d1809` in payloads
- User-Agent `Mozilla/5.0 Chrome 120.0.0.0` from non-Chrome processes
Host
- File paths: `AppData\Local\wmi*\wmi_*.exe`
- Unexpected `.lnk` in Startup folder
- NTFS ADS `:wtfbbq` stream
- PPID spoofing indicators
MITRE ATT&CK
| ID | Technique | Usage |
|---|---|---|
| T1071.001 | Web Protocols | JSON-RPC to Polygon RPC |
| T1008 | Fallback Channels | Multiple smart contracts |
| T1140 | Deobfuscate/Decode | AES-256-GCM, XOR |
| T1497 | Sandbox Evasion | CPUID, SMBIOS, USB checks |
| T1547.001 | Startup Folder | .lnk persistence |
| T1134 | Token Manipulation | PPID spoofing |
| T1070.004 | File Deletion | NTFS ADS self-deletion |
IOCs
Smart Contract & Wallets
Contract: 0x4d70C3393C5d9EC325Edf8b3f289cFA9777e64B0
Wallet 1: 0xcaf2c54e400437da717cf215181b170f65187abf
Wallet 2: 0x6e3c232c3c61dfce05e677cc351b3d0d677ee49b
Malware URLs
github[.]com/caldop/test/raw/refs/heads/main/Logs.exe
l[.]station307[.]com
zalupan[.]kozow[.]com:3000/files/zalupan2.exe
rpc-framework-check[.]cfd/
Threat Actor: LenAI
The operator, alias LenAI, also runs ErrTraffic (a ClickFix toolkit); the same Polygon wallet is used for both. The Russian-locale geofence suggests a Russia/CIS-based operator.
Mitigation
- Block blockchain RPC endpoints from non-authorized workstations
- Monitor `eth_call` traffic — highly anomalous from standard endpoints
- Watch for `wmi*` directories in AppData
- Detect PPID spoofing via ETW
- Decrypt commands proactively — contract address = key material
Sources: Hackread | The Hacker News | Ctrl-Alt-Int3l