Aeternum C2: The First Botnet Leveraging Polygon Blockchain for Unstoppable Command-and-Control
Researchers at Qrator Research Lab have uncovered Aeternum C2, a new botnet loader that eliminates a long-standing weakness in cybercriminal operations: centralized command-and-control (C2) infrastructure. Unlike traditional botnets such as Emotet, TrickBot, and QakBot, which have been disrupted by seizing servers or domains, Aeternum stores its commands directly on the Polygon blockchain, making takedowns nearly impossible.
How Aeternum Works
Instead of relying on hardcoded IPs, DNS domains, or peer-to-peer networks, Aeternum embeds instructions within smart contracts on Polygon. Infected devices retrieve commands by querying public RPC endpoints, blending malicious activity with legitimate blockchain traffic. Since the blockchain is decentralized and immutable, there is no single point of failure for defenders to target.
Key features include:
- Blockchain-based C2: Commands are stored in smart contracts, distributed across thousands of nodes, and retrieved via RPC queries.
- Multi-payload flexibility: Operators can deploy different malware types (clippers, RATs, miners, DLL loaders) through separate smart contracts.
- Targeted tasking: A "ping" function collects hardware IDs and user-agent strings, enabling precise bot management.
- Low operational costs: Just $1 in MATIC can fund 100–150 command transactions, with no hosting or domain fees required.
- Anti-analysis protections: The loader includes anti-VM checks and integrates the Kleenscan API to test builds against antivirus detection before deployment.
Why This Matters
Aeternum’s blockchain-based model removes traditional intervention points, forcing defenders to rethink takedown strategies. Even if malware is removed from infected systems, the underlying smart contracts remain active, allowing operators to reactivate campaigns at will. Security experts warn that this approach could become a blueprint for future botnets, shifting the focus from infrastructure disruption to proactive network-level detection.
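The network-level detection this calls for can start from a simple heuristic, shown here as an added example that is not code from the Qrator report or the article: parse proxy log rows, keep only JSON-RPC eth_call requests, and flag any client that polls a single contract address on a steady cadence, since a legitimate wallet or dApp tends to be bursty and to touch many contracts. The RPC hostname, client addresses, contract addresses and log rows are constructed placeholders.

```python
import json
import statistics

RPC_HOST = "rpc.example-polygon.invalid"  # constructed placeholder RPC endpoint
C2_CONTRACT = "0x" + "11" * 20  # constructed placeholder contract address
OTHER_CONTRACT = "0x" + "22" * 20  # constructed placeholder, benign traffic

def eth_call_body(to):
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                       "params": [{"to": to, "data": "0x"}, "latest"]})

PROXY_LOG = [  # constructed rows: (epoch seconds, client IP, destination host, request body)
    (1000, "10.0.0.5", RPC_HOST, eth_call_body(C2_CONTRACT)),  # steady ~60 s polling
    (1060, "10.0.0.5", RPC_HOST, eth_call_body(C2_CONTRACT)),
    (1121, "10.0.0.5", RPC_HOST, eth_call_body(C2_CONTRACT)),
    (1180, "10.0.0.5", RPC_HOST, eth_call_body(C2_CONTRACT)),
    (1000, "10.0.0.9", RPC_HOST, eth_call_body(OTHER_CONTRACT)),  # bursty, wallet-like
    (1003, "10.0.0.9", RPC_HOST, eth_call_body(OTHER_CONTRACT)),
    (1250, "10.0.0.9", RPC_HOST, eth_call_body(OTHER_CONTRACT)),
    (1010, "10.0.0.9", RPC_HOST, '{"jsonrpc":"2.0","id":2,"method":"eth_blockNumber","params":[]}'),
]

def parse_rpc_call(body):
    """Return the lower-cased contract address of an eth_call request, or None."""
    try:
        req = json.loads(body)
    except ValueError:
        return None
    if not isinstance(req, dict) or req.get("method") != "eth_call":
        return None
    params = req.get("params")
    target = params[0].get("to") if isinstance(params, list) and params and isinstance(params[0], dict) else None
    return target.lower() if isinstance(target, str) else None

def find_beacons(log, min_calls=3, max_cv=0.2):
    """Map (client, host, contract) -> mean gap for clients polling one contract on a steady cadence."""
    # Regularity = coefficient of variation of inter-request gaps; a task-polling loader keeps it low.
    seen = {}
    for ts, client, host, body in log:
        if contract := parse_rpc_call(body):
            seen.setdefault((client, host, contract), []).append(ts)
    hits = {}
    for key, times in seen.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps) if len(times) >= min_calls else 0
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:
            hits[key] = round(mean, 1)
    return hits
```

Tune `min_calls` and `max_cv` against your own baseline of RPC traffic; hosts that legitimately run wallets or nodes should be allow-listed rather than scored.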
The discovery highlights a major evolution in botnet resilience, with implications for how cybersecurity teams monitor and mitigate emerging threats.
Source: https://cyberpress.org/aeternum-c2-evasion-exposed/
The DFIR Report cybersecurity rating report: https://www.rankiteo.com/company/the-dfir-report
Polygon Labs cybersecurity rating report: https://www.rankiteo.com/company/polygon-labs
{
  "id": "THEPOL1772519153",
  "linkid": "the-dfir-report, polygon-labs",
  "type": "Cyber Attack",
  "date": "3/2026",
  "severity": "25",
  "impact": "1",
  "explanation": "Attack without any consequences"
}
{
  "affected_entities": [{"type": "Organizations/Individuals with infected devices"}],
  "attack_vector": "Blockchain-based smart contracts (Polygon RPC endpoints)",
  "description": "Researchers at Qrator Research Lab have uncovered Aeternum C2, a new botnet loader that eliminates centralized command-and-control (C2) infrastructure by storing commands on the Polygon blockchain. Unlike traditional botnets, Aeternum embeds instructions within smart contracts, making takedowns nearly impossible. Infected devices retrieve commands via public RPC endpoints, blending malicious activity with legitimate blockchain traffic. The botnet supports multi-payload flexibility, targeted tasking, low operational costs, and anti-analysis protections.",
  "impact": {
    "operational_impact": "Potential deployment of malware (clippers, RATs, miners, DLL loaders)",
    "systems_affected": "Infected devices (botnet nodes)"
  },
  "lessons_learned": "Aeternum’s blockchain-based model removes traditional intervention points, forcing defenders to rethink takedown strategies. Even if malware is removed from infected systems, the underlying smart contracts remain active, allowing operators to reactivate campaigns at will.",
  "post_incident_analysis": {
    "corrective_actions": "Enhanced monitoring for blockchain RPC traffic and proactive detection of smart contract-based malware commands",
    "root_causes": "Decentralized and immutable nature of blockchain-based C2 infrastructure"
  },
  "recommendations": "Shift focus from infrastructure disruption to proactive network-level detection of blockchain-based C2 activity.",
  "references": [{"source": "Qrator Research Lab"}],
  "response": {"enhanced_monitoring": "Proactive network-level detection recommended"},
  "title": "Aeternum C2: The First Botnet Leveraging Polygon Blockchain for Unstoppable Command-and-Control",
  "type": "Botnet"
}