Aeternum C2

Aeternum C2 is a botnet loader that uses a blockchain-based command-and-control architecture hosted on the public Polygon blockchain, making it more resistant to traditional takedown methods than server- or domain-based C2. Researchers reported that operators write commands into Polygon smart contracts, and infected systems retrieve those instructions through public RPC endpoints. The malware is described as a native C++ loader available in both 32-bit and 64-bit builds and managed through a web-based panel that allows operators to select smart contracts, choose command types, specify payload URLs, and target either all infected endpoints or specific victims. Reported payload/use cases include delivery of malware such as clippers, stealers, RATs, and miners, and the malware has also been referenced as being used in DDoS operations. Anti-analysis and evasion features mentioned in reporting include virtualization checks and the ability for customers to scan builds with Kleenscan to reduce antivirus detection. Qrator Labs stated that the low operating cost of Polygon transactions allows roughly 100 to 150 command transactions for about $1 worth of MATIC. The malware was advertised on underground forums by a threat actor identified as LenAI, with reported pricing ranging from $200 for panel access and a configured build to higher-priced offers for the full C++ codebase; LenAI later attempted to sell the entire toolkit for $10,000. Outpost24 KrakenLabs disclosed details in December 2025, and subsequent reporting by Qrator Labs and Ctrl Alt Intel further described the panel and on-chain command flow. High-confidence associations in the provided content link Aeternum C2 to decentralized botnet activity and increased difficulty of disruption due to its use of Polygon-based smart contracts rather than conventional C2 infrastructure.