Researchers Unveil Aeternum C2 Infrastructure with Superior Evasion and Persistence Ways

For years, defenders have relied on a easy technique to dismantle botnets discover and seize their command-and-control (C2) servers.

That weak point enabled international legislation enforcement operations to disrupt huge botnets resembling Emotet, TrickBot, and QakBot. However a newly recognized C2 framework, Aeternum, could render these ways out of date.

As a substitute of utilizing centralized servers or domains, Aeternum writes each command resembling payload supply or configuration updates to good contracts. Contaminated machines then question public RPC (distant process name) endpoints to fetch directions.

This design makes Aeternum’s management infrastructure successfully everlasting. Transactions saved on the blockchain can’t be censored, modified, or seized, and are replicated throughout hundreds of nodes worldwide.

Researchers at Qrator Analysis Lab found Aeternum a C++ botnet loader that operates fully by means of the Polygon blockchain.

Conventional takedown strategies like null-routing IPs or suspending malicious domains don’t apply.

Contained in the Aeternum Panel

Screenshots from underground boards present a sophisticated internet dashboard the place operators can choose lively good contracts, subject new instructions, and observe contaminated gadgets. Command propagation seems extremely environment friendly: all on-line bots obtain updates inside minutes.

The vendor claims all on-line bots obtain new instructions inside two to 3 minutes, which might evaluate favourably to peer-to-peer botnets the place command propagation could be sluggish and unreliable.

A successful command transaction on the Polygon blockchain (Source : Qrator). — A profitable command transaction on the Polygon blockchain (Supply : Qrator).

Every command transaction, as soon as written to the blockchain, turns into immutable. Operators can handle a number of contracts concurrently, every linked to distinct payloads resembling info stealers, cryptocurrency miners, or RATs.

Particular person bots may even be focused by {hardware} ID (HWID), permitting exact marketing campaign management.

The emergence of blockchain-based C2 follows earlier experiments, resembling Glupteba, which used Bitcoin transactions to retailer backup area information.

Whereas Glupteba primarily relied on conventional HTTPS servers (which Google disrupted in 2021), Aeternum eliminates that dependency fully. It has no centralized fallback, that means there’s no typical infrastructure for defenders to grab.

As a result of instructions reside completely on a decentralized ledger, any contaminated gadget can retrieve them through greater than 50 Polygon RPC gateways.

Internet hosting suppliers can null-route IPs. Regulation enforcement can seize bodily servers. Even P2P botnets have been disrupted by poisoning their routing tables or sinkholing recognized friends.

The built-in RPC endpoint checker showing working Polygon nodes (Source : Qrator). — The built-in RPC endpoint checker displaying working Polygon nodes (Supply : Qrator).

Even when safety groups take away the malware from each endpoint, the underlying management logic persists on-chain and stays reusable for future assaults.

Implications

The Aeternum equipment is offered on darknet marketplaces as both a lifetime license or full supply code. Its working value is minimal round $1 in MATIC tokens covers over 100 command updates. That negligible expense sharply lowers the barrier for cybercriminals searching for long-lasting management networks.

The contract management panel showing 13 active smart contracts (Source : Qrator). — The contract administration panel displaying 13 lively good contracts (Supply : Qrator).

To evade detection, Aeternum integrates anti-virtual machine checks, stopping execution in sandboxed environments.

It additionally features a scantime antivirus scanner utilizing the Kleenscan API, letting attackers confirm undetectability throughout dozens of safety engines earlier than deployment.

Safety specialists warn that as related frameworks emerge, defenders might want to adapt focusing much less on takedowns on the supply and extra on proactive DDoS mitigation and site visitors filtering on the community edge. Within the age of immutable infrastructure, the battlefield is shifting from servers to the blockchain itself.

Aeternum represents a big escalation within the arms race between cybercriminals and defenders. Blockchain-based C2s may usher in a brand new class of persistent, infrastructure-less botnets, tougher to sinkhole or disrupt.