February 26, 2026 · Source: The Hacker News

Aeternum C2 Botnet Stores Encrypted Commands on Polygon Blockchain to Evade Takedown


What We Know

Security researchers have identified an active botnet called Aeternum C2 that's doing something we haven't seen much of before: storing encrypted command-and-control instructions directly on the Polygon blockchain. According to The Hacker News, this discovery marks a significant shift in how threat actors are building infrastructure that's deliberately resistant to law enforcement and security company takedowns.

The botnet is operational right now. Not theoretical, not a proof-of-concept—it's actively compromising systems and maintaining persistence through an architecture that traditional mitigation won't easily dismantle.

Frankly, this is the kind of innovation in the malware space that keeps threat intelligence teams awake at night.

How It Works

Here's the technical breakdown: Instead of hosting command-and-control servers on traditional infrastructure—which means registrars, hosting providers, IP addresses that can be blocked or seized—Aeternum stores its encrypted instructions on Polygon, a Layer 2 Ethereum blockchain network.

Why does this matter?

Because blockchain transactions are immutable, distributed, and decentralized. Once a command is posted, it's there. Permanently. Across thousands of nodes. You can't just request a takedown. You can't seize a server. You can't pull DNS records. The attacker posts encrypted payloads; infected systems query the blockchain for updates, decrypt them locally, and execute. It's elegant. It's resilient. And it's a problem.

The encryption makes detection harder too. Security teams scanning traffic see blockchain queries, which legitimate sources generate all the time, rather than obvious malicious C2 beaconing patterns.

Why It Matters

This isn't just a technical curiosity. It demonstrates that the line between legitimate blockchain infrastructure and malicious command infrastructure has become dangerously blurry.

Traditional incident response playbooks assume you can disrupt a botnet by taking down its C2 infrastructure. Aeternum breaks that assumption.

And there's a second problem hiding in here: blockchain analysis is expensive, slow, and requires specialized expertise. Most security operations centers aren't set up to track malicious activity across distributed ledgers. When attackers start using public, immutable networks as their operational backbone, detection and response become orders of magnitude harder. Your SOC's standard playbooks? Largely useless.

This is particularly nasty because Polygon is a legitimate, widely used network with billions in transaction volume. Picking the actual malicious activity out of that traffic becomes a needle-in-a-haystack problem.

Next Steps

If you're running a security program, here's what you should do immediately. First, expand network monitoring to include blockchain network queries from internal systems—particularly any outbound connections to Polygon RPC endpoints or public nodes. This isn't standard practice yet, but it needs to be.

Second, work with your threat intelligence provider to get indicators of compromise related to Aeternum C2. The Hacker News article will likely contain hashes, wallet addresses, or other forensic markers that your security team can use for retrospective hunting.

Third, patch your systems aggressively. Aeternum, like any botnet, depends on vulnerable hosts to establish initial compromise. You can't block blockchain infrastructure, but you can make sure there's nothing for it to infect on your network in the first place.

And finally, start thinking now about how your incident response plan handles decentralized C2 infrastructure. Because this isn't going to be the last botnet to do this.
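As an added example (not from the article and not based on any Aeternum sample), a Python sketch of the monitoring the first step calls for: it parses constructed proxy log lines, tags requests that hit an assumed watchlist of blockchain RPC gateways or carry standard Ethereum JSON-RPC method names, and scores each source host on how regular its query timing is, since the polling loop described under How It Works is what separates an implant fetching commands from a developer's ad-hoc lookups. The hostnames and log lines are constructed; the gateway list and the thresholds are assumptions to tune against your own egress data.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
# Assumed gateway hostnames (constructed placeholders; fill from egress data and threat intel).
RPC_GATEWAYS = {"polygon-rpc.example", "rpc-mainnet.example"}
# Standard Ethereum JSON-RPC read methods; Polygon is EVM-compatible and exposes the same API.
RPC_READ_METHODS = {"eth_call", "eth_getLogs", "eth_getTransactionByHash",
                    "eth_getBlockByNumber", "eth_getStorageAt"}
# Constructed proxy log: "<ISO timestamp> <source host> POST <destination host> <RPC method>".
SAMPLE_LOG = """\
2026-02-26T09:00:00 ws-finance-17 POST polygon-rpc.example eth_getLogs
2026-02-26T09:01:10 dev-blockchain-03 POST rpc-mainnet.example eth_getBlockByNumber
2026-02-26T09:01:12 dev-blockchain-03 POST rpc-mainnet.example eth_call
2026-02-26T09:02:11 ws-hr-04 POST intranet.example login
2026-02-26T09:05:02 ws-finance-17 POST polygon-rpc.example eth_call
2026-02-26T09:10:01 ws-finance-17 POST polygon-rpc.example eth_getLogs
2026-02-26T09:15:03 ws-finance-17 POST polygon-rpc.example eth_call
2026-02-26T09:20:00 ws-finance-17 POST polygon-rpc.example eth_getLogs
2026-02-26T09:47:55 dev-blockchain-03 POST node-proxy.example eth_getLogs
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, method) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, _verb, dst, method = line.split()
            events.append((datetime.fromisoformat(ts), src, dst, method))
    return events

def is_chain_query(dst, method):
    """Chain traffic if the destination is a known gateway or the body carries an EVM RPC call."""
    return dst in RPC_GATEWAYS or method in RPC_READ_METHODS

def beacon_report(events, min_calls=4, max_cv=0.2):
    """Per source host: chain-query count and whether the gaps between queries are regular
    enough (low coefficient of variation) to look like an implant polling for new commands."""
    per_host = defaultdict(list)
    for ts, src, dst, method in events:
        if is_chain_query(dst, method):
            per_host[src].append(ts)
    report = {}
    for src, stamps in per_host.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        cv = pstdev(gaps) / mean(gaps) if len(gaps) >= 2 and mean(gaps) > 0 else None
        report[src] = {"calls": len(stamps), "mean_gap_s": round(mean(gaps), 1) if gaps else None,
                       "cv": round(cv, 3) if cv is not None else None,
                       "beacon_like": len(stamps) >= min_calls and cv is not None and cv <= max_cv}
    return report
```

On the constructed sample, the finance workstation polling every five minutes is flagged while the developer host with irregular lookups is only counted; the method-name check also catches the query sent through a gateway that is not on the watchlist.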


// FAQ

Can law enforcement take down Aeternum C2 if it's on the blockchain?

No, not through traditional C2 takedown methods. Law enforcement could potentially prosecute the operators if identified, but the blockchain infrastructure itself—being distributed and immutable—cannot be seized or disrupted the way centralized servers can be.

How do I know if my system is infected with Aeternum C2?

Look for outbound connections to Polygon blockchain nodes (check your firewall logs for queries to Polygon RPC endpoints), unexpected process behavior, or the presence of known Aeternum samples detected by your antivirus. Check the specific indicators in The Hacker News report against your threat intelligence and IOC scanning tools.

Why would attackers use Polygon instead of other blockchains?

Polygon offers fast transaction times, low costs, and massive adoption without the scrutiny of Bitcoin or Ethereum. It's legitimate enough to blend in with regular traffic, but decentralized enough to be untouchable.
