
Cybersecurity researchers have revealed details about a new botnet loader called Aeternum C2, which uses a blockchain-based command and control (C2) infrastructure to resist takedown efforts. Instead of relying on traditional servers or domains, Aeternum stores its instructions on the public Polygon blockchain, making its C2 infrastructure permanent and resistant to conventional takedown methods.
Aeternum C2: A New Generation of Crimeware
The Aeternum C2 botnet operates as a native C++ loader available in x32 and x64 builds. It works by writing the commands intended for infected hosts into smart contracts on the Polygon blockchain. Infected bots retrieve these commands by querying public remote procedure call (RPC) endpoints of the Polygon network.
Commands are issued through a web panel, where customers select a smart contract, choose a command type, specify the payload URL, and push the update. The command is written to the blockchain as a transaction, at which point it becomes readable by every compromised device querying the network.
Aeternum C2 Key Features:
- Deletion Resistance: Once a command is confirmed, it cannot be altered or deleted, which guarantees the persistence of the botnet.
- Flexible Management: Operators can manage multiple smart contracts simultaneously, each serving different functions, such as clipper, stealer, RAT or miner.
- Anti-analysis functions: The malware incorporates functions to detect virtualized environments, making its forensic analysis difficult.
- Low Operational Costs: Operating costs are minimal. $1 worth of MATIC (Polygon’s native token) is enough for 100-150 command transactions, eliminating the need to rent servers or register domains.
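Because the C2 channel is a public RPC endpoint rather than an operator-owned domain, a defender's lever is the polling pattern on the endpoint itself. The following detection sketch is an added example, not code from the article or from the Aeternum toolkit: it scans constructed web-proxy log lines for read-only JSON-RPC calls (eth_call and similar) to a public Polygon RPC host from processes that are not expected blockchain clients, and flags hosts that poll the same contract on a steady cadence. The log format, process names and the placeholder provider hostname are assumptions; polygon-rpc.com is a real public Polygon RPC endpoint.

```python
"""Added detection example (not from the article or Aeternum's own code): flag
endpoints polling a public Polygon JSON-RPC host for contract state, the way the
article says bots fetch commands. Hostnames, process names and logs are constructed."""
import json
from collections import defaultdict
from statistics import median

# polygon-rpc.com is a public Polygon RPC endpoint; the second entry stands in
# for whatever other public RPC providers a defender chooses to watch.
PUBLIC_RPC_HOSTS = {"polygon-rpc.com", "rpc.example-provider.invalid"}
READ_METHODS = {"eth_call", "eth_getLogs", "eth_getStorageAt"}  # read contract state
ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe"}  # expected RPC clients (tune)

# Constructed web-proxy log: one JSON object per line, POST body included.
SAMPLE_LOG = """\
{"ts": 1000, "src": "ws-17", "proc": "svchost.exe", "dst": "polygon-rpc.com", "body": {"method": "eth_call", "params": [{"to": "0xabc", "data": "0x1234"}, "latest"]}}
{"ts": 1060, "src": "ws-17", "proc": "svchost.exe", "dst": "polygon-rpc.com", "body": {"method": "eth_call", "params": [{"to": "0xabc", "data": "0x1234"}, "latest"]}}
{"ts": 1120, "src": "ws-17", "proc": "svchost.exe", "dst": "polygon-rpc.com", "body": {"method": "eth_call", "params": [{"to": "0xabc", "data": "0x1234"}, "latest"]}}
{"ts": 1130, "src": "dev-02", "proc": "chrome.exe", "dst": "polygon-rpc.com", "body": {"method": "eth_call", "params": [{"to": "0xdef", "data": "0x5678"}, "latest"]}}
{"ts": 1140, "src": "ws-17", "proc": "svchost.exe", "dst": "update.example.invalid", "body": {}}
"""

def rpc_polls(lines):
    """Yield (ts, src, proc, contract) for unexpected read-only RPC calls."""
    for line in lines:
        ev = json.loads(line)
        body = ev.get("body") or {}
        if (ev["dst"] not in PUBLIC_RPC_HOSTS or body.get("method") not in READ_METHODS
                or ev["proc"] in ALLOWED_PROCESSES):
            continue
        first = (body.get("params") or [{}])[0]
        contract = first.get("to") if isinstance(first, dict) else None
        yield ev["ts"], ev["src"], ev["proc"], contract

def beaconing_hosts(log_text, min_polls=3, max_jitter=0.25):
    """Return {(src, proc): contract} for hosts polling on a steady cadence: at least
    min_polls calls whose gaps all stay within max_jitter of the median gap."""
    by_key = defaultdict(list)
    for ts, src, proc, contract in rpc_polls(log_text.splitlines()):
        by_key[(src, proc)].append((ts, contract))
    flagged = {}
    for key, events in by_key.items():
        times = sorted(t for t, _ in events)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(events) < min_polls or not gaps:
            continue
        med = median(gaps)
        if med > 0 and all(abs(g - med) <= max_jitter * med for g in gaps):
            flagged[key] = events[0][1]
    return flagged
```

On the sample log, the one-off wallet lookup from the browser is ignored and only the system process polling contract 0xabc every 60 seconds is reported; in production the contract address and cadence feed the alert and the block list for the RPC hosts.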
Origin and Sale in Clandestine Forums
Details of Aeternum C2 first emerged in December 2025. A threat actor known as “LenAI” advertised the malware on underground forums as a crimeware service. Prices ranged from $200 for dashboard access and a configured build, to $4,000 for full C++ source code and future updates. LenAI subsequently attempted to sell the entire toolkit for $10,000, citing lack of time for support.
LenAI is also behind another crimeware solution called “ErrTraffic,” which automates ClickFix attacks by generating fake crashes on compromised websites to trick users into following malicious instructions.
DSLRoot: Residential Proxy Network for Malicious Traffic
In a related development, a clandestine service called DSLRoot has been discovered, which deploys dedicated laptop hardware into American homes to co-opt these devices into a residential proxy network. This network reroutes malicious traffic through residential IPs, making detection difficult.
DSLRoot Operation Details:
- Technical Components: The hardware runs a Delphi-based program called DSLPylon, capable of enumerating compatible modems and remotely controlling residential network equipment and Android devices through integration with the Android Debug Bridge (ADB).
- Business Model: The service is promoted on hacking forums under the alias “GlobalSolutions” (identified as Andrei Holas, a Belarusian citizen). Prices range from $190 per month to $1,750 for annual subscriptions.
- Scale and Reach: DSLRoot is estimated to operate approximately 300 active hardware devices in more than 20 US states, allowing customers to anonymously route traffic through residential IP addresses.
Conclusion
The emergence of Aeternum C2 and DSLRoot underscores the growing sophistication and resilience of cybercrime infrastructure. The use of decentralized technologies such as blockchain and the exploitation of legitimate residential networks to obfuscate traffic represent a significant security challenge, as traditional defenses based on malicious domain detection or centralized server infrastructure are ineffective.
Confidence
What would we do in these cases?
Forensic Analysis
Discover the truth hidden in the data with our Forensic Analysis service. We collect, examine and thoroughly analyze every digital trace to reveal the root cause of any incident. Our team of experts follows the key steps: Identification, Acquisition, Analysis and Presentation of solid evidence. Don’t waste any more time searching for answers, trust our experience to reveal the evidence you need.
Vulnerability Management
Don’t risk the security of your company! With our Vulnerability Management solutions, you won’t just get a simple scan or risk assessment, but a complete assessment together with your team. Our approach goes further by proposing real and lasting solutions, adapted to the specific capabilities and needs of your business and systems.
Protect your Brand from Cyber Threats
Protect your business today with Brand Intelligence! Our specialized service provides you with valuable information about possible malicious actors trying to impersonate your brand or domain. By detecting these threats, you can take quick and effective measures to safeguard your company’s reputation. Don’t let cybercriminals damage your image, trust Brand Intelligence to keep your business safe at all times.
Secure Software Development
With our specialized tools and skills, you can create vulnerability-proof applications and programs from start to finish. Our approach is based on a robust model that includes secure design, development process, vulnerability management and information security. This ensures that your software is protected at every stage of the process.