Blockchain Botnets: Why Traditional Takedowns No Longer Work


    A botnet stores commands on public blockchain, eliminating the infrastructure that traditional remediation targets.

    In late February 2026, researchers at Qrator Labs disclosed a botnet loader that represents a structural challenge for takedown operations. The malware, called Aeternum C2, stores its commands on the Polygon blockchain rather than on servers or registered domains. The instructions are written into smart contracts that cannot be modified, deleted, or seized.

    What makes this significant is the absence of anything to target. There is no server to report, no domain to suspend, no hosting provider to contact. The attack infrastructure exists as permanent entries on a distributed ledger replicated across thousands of nodes. Even after defenders remediate every infected endpoint, the command structure remains available for reuse.

    How Blockchain C2 eliminates attackable infrastructure

    The evolution matters because it breaks a fundamental assumption that has shaped botnet disruption for years: that attackers need infrastructure defenders can reach.

    When Google took action against Glupteba in 2021, the operation seized command-and-control servers and registered domains, reducing infections by 78%. Glupteba did store backup C2 addresses on the Bitcoin blockchain, but that was a failsafe, not the primary channel. The real operations ran on conventional infrastructure, which gave defenders a target.

    Aeternum inverts this entirely. Every command flows through the blockchain from the start. Infected machines query public Polygon RPC endpoints, retrieve instructions from smart contracts, execute them, and await updates. The operator manages everything through a web panel that writes directly to the blockchain. There is no conventional infrastructure in the loop at all.

    Qrator’s analysis found that all online bots receive new instructions within two to three minutes, and operators can manage multiple smart contracts simultaneously, each linked to distinct payloads. The architecture mirrors the Living Off Trusted Sites pattern documented in phishing infrastructure: attackers exploiting legitimate services to sidestep detection. The difference is that blockchain infrastructure is not just trusted but permanent.

    The economics of Blockchain C2

    The economics underscore why this model is likely to spread. The Polygon blockchain charges fractions of a cent per transaction. Qrator estimates that one dollar’s worth of MATIC, Polygon’s native token, funds 100 to 150 command transactions. An operator needs only a cryptocurrency wallet and a local copy of the control panel.

    Compare this to conventional command-and-control infrastructure, which requires renting servers, registering domains, maintaining operational security around hosting relationships, and rotating assets as defenders take them down. Each successful takedown imposes real costs on attackers. Blockchain-based infrastructure eliminates that pressure entirely. Even after endpoint remediation, the control logic persists on-chain and remains reusable indefinitely.

    The malware itself sells at $200 for a lifetime license with panel access, or $4,000 for complete C++ source code. Built-in anti-analysis features extend the operational lifespan of infections. The seller has also listed the entire toolkit for $10,000. At these price points, the barrier to adoption is negligible for any motivated operator.

    Implications for takedown strategy

    Takedown-resistant infrastructure does not render all defensive measures obsolete, but it does shift where those measures must operate. When attackers can rebuild instantly after any disruption, detection and blocking at the network edge become primary controls. Organizations monitoring for suspicious RPC queries to public blockchain endpoints would detect this traffic pattern, which remains rare in most enterprise environments.

    The window between detection and remediation also compresses in ways that matter operationally. As documented in our analysis of response speed, delays allow attackers to extract additional value. Traditional takedowns bought time by disrupting infrastructure for days or weeks. Persistent infrastructure eliminates that buffer.

    This raises a strategic question: if disruption aims to impose costs on attackers and make campaigns unprofitable, what pressure points remain when infrastructure cannot be removed? Poisoning stolen data with decoys, disrupting the monetization phase rather than infrastructure, and targeting human operators may prove more effective than traditional removal approaches.

    The majority of phishing sites, scam domains, and malicious infrastructure still runs on conventional servers where established takedown procedures remain effective. Aeternum represents an emerging subset of threats, but one that is likely to grow as the model proves out. Security teams should expect blockchain-based architectures to become more common, which elevates the importance of detection and disruption earlier in the attack chain.

    Key Takeaways

    What is blockchain-based command-and-control?

    Blockchain-based C2 stores botnet commands on public distributed ledgers like Polygon rather than traditional servers. Because blockchain entries are immutable and replicated across thousands of nodes, they cannot be seized, suspended, or deleted.

    Why can't traditional takedowns stop this?

    Traditional takedowns work by removing infrastructure: suspending domains, seizing servers, sinkholing traffic. Blockchain-based C2 has no central infrastructure to target. Commands exist as permanent smart contract entries accessible through public RPC endpoints.

    How does Aeternum compare to Glupteba?

    Glupteba used Bitcoin blockchain as a backup channel while primarily operating through conventional servers, which allowed Google to disrupt it in 2021. Aeternum uses blockchain as its only communication channel, eliminating traditional infrastructure entirely.

    What defenses still work?

    Network-edge detection and blocking remain effective. Organizations can monitor for suspicious blockchain RPC queries, block known malicious contract addresses, and focus on preventing initial infections through endpoint detection.
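The two controls named here and in the "Implications for takedown strategy" section (watching egress for JSON-RPC reads against public blockchain endpoints, and matching the contract address inside those requests against a denylist) can both be expressed as a scan over web-proxy logs. The following Python is an added example written for this article; it is not code from the post, from Allure Security or from Qrator Labs. It assumes a proxy that logs one JSON object per line with `src`, `host` and `body` fields; the RPC hostnames, the denylisted contract address and the log lines themselves are constructed placeholders, not indicators from the post.

```python
import json
from collections import defaultdict

# Hostnames of public blockchain RPC endpoints to watch for. Placeholder
# values for this example; build the real list from your own egress baseline.
PUBLIC_RPC_HOSTS = {"polygon-rpc.example", "rpc.polygon.example"}

# JSON-RPC methods a client uses to read contract state, logs or chain height.
READ_METHODS = {"eth_call", "eth_getLogs", "eth_getStorageAt", "eth_blockNumber"}

# Contract addresses already confirmed malicious. Placeholder value, not a
# real indicator from the post.
DENYLISTED_CONTRACTS = {"0x000000000000000000000000000000000000dead"}


def parse_jsonrpc(body):
    """Return (method, contract_address) for a JSON-RPC 2.0 request body,
    or None when the body is not JSON-RPC. The address is lower-cased."""
    try:
        req = json.loads(body) if body else None
    except ValueError:
        return None
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0":
        return None
    params = req.get("params")
    target = None
    if isinstance(params, list) and params:
        first = params[0]
        if isinstance(first, dict):           # eth_call / eth_getLogs style
            target = first.get("to") or first.get("address")
        elif isinstance(first, str):          # eth_getStorageAt(addr, slot, block)
            target = first
    target = target.lower() if isinstance(target, str) else None
    return req.get("method"), target


def classify(entry):
    """Return the list of findings for one proxy log entry (empty if benign)."""
    parsed = parse_jsonrpc(entry.get("body", ""))
    if parsed is None:
        return []
    method, target = parsed
    findings = []
    if entry.get("host", "").lower() in PUBLIC_RPC_HOSTS:
        findings.append("public_rpc_endpoint")
    if method in READ_METHODS:
        findings.append("rpc_read:" + method)
    if target in DENYLISTED_CONTRACTS:
        findings.append("denylisted_contract:" + target)
    return findings


def scan(log_lines):
    """Aggregate findings per source IP: {src: {finding: count}}.
    Sources with no findings are omitted from the result."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        try:
            entry = json.loads(line)
        except ValueError:
            continue                           # skip malformed lines
        for finding in classify(entry):
            report[entry.get("src", "?")][finding] += 1
    return {src: dict(counts) for src, counts in report.items()}


def _line(src, host, body):
    """Build one constructed proxy log line (JSON, one object per line)."""
    return json.dumps({"ts": "2026-03-01T10:00:00Z", "src": src,
                       "host": host, "method": "POST", "body": body})


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    # Workstation reading a denylisted contract via a public RPC endpoint.
    _line("10.0.0.12", "polygon-rpc.example", json.dumps({
        "jsonrpc": "2.0", "id": 1, "method": "eth_call",
        "params": [{"to": "0x000000000000000000000000000000000000DEAD",
                    "data": "0x06fdde03"}, "latest"]})),
    # Same workstation checking chain height, a common poll-loop companion.
    _line("10.0.0.12", "polygon-rpc.example", json.dumps({
        "jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []})),
    # Internal app using JSON-RPC for something unrelated: no finding.
    _line("10.0.0.40", "intranet.example", json.dumps({
        "jsonrpc": "2.0", "id": 7, "method": "getUser", "params": {"id": 3}})),
    # Ordinary request with no body: ignored.
    _line("10.0.0.55", "www.example", ""),
    "not json at all",
]

if __name__ == "__main__":
    for src, counts in scan(SAMPLE_LOG).items():
        print(src, counts)
```

Running the block reports only `10.0.0.12`, with two hits on a public RPC host, one `eth_call` read and one denylisted contract match; the internal JSON-RPC call and the bodiless request produce nothing. The per-source aggregation matters more than any single hit: a workstation that issues `eth_call` or `eth_blockNumber` against a public endpoint every few minutes stands out in an environment where, as the article notes, such traffic is rare, and the denylist match is the part that remains useful even after the contract itself can no longer be removed.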

    What does this mean for takedown operations?

    Takedowns remain critical for the majority of threats using conventional infrastructure. However, security teams should expect a growing subset of sophisticated threats to adopt takedown-resistant architectures, elevating the importance of proactive detection and earlier intervention.
