The war between those who create malware and those who try to stop it keeps mutating, and the latest trend is ingenious and, at the same time, deeply worrying: some operators are taking advantage of the public and decentralized nature of blockchains to hide the command center of their botnets. A recent and enlightening example is the loader known as Aeternum C2, which places its orders on the Polygon blockchain and forces the compromised machines to read them through public RPC endpoints.
Security researchers who have analyzed Aeternum explain that, instead of relying on traditional servers or domains that authorities or providers can take down, the malware writes its instructions directly as transactions to smart contracts on the Polygon network. Being information recorded on a public, distributed ledger, these orders become virtually immutable and accessible to any device that queries the network, which greatly complicates conventional takedowns. A technical report shared by Qrator Labs offers a first X-ray of this technique: Qrator Labs - Exploring Aeternum C2.

The Aeternum architecture combines several pieces: a native C++ loader available for x86 and x64 architectures; a web interface where the operator deploys contracts, selects command types and publishes the payload URL; and, finally, the mechanism by which the malicious code invokes a contract function through the Polygon RPC, receives an encrypted response and runs it on the victim machine. A detailed analysis by Ctrl Alt Intel and its second installment (Part 2) describes how the panel - implemented as a Next.js application - automates the deployment and management of these contracts, allowing multiple contracts to operate with different functions according to the objective: from data stealers to miners or remote-access Trojans.
The operational cost of this approach is surprisingly low. According to the analysis, with a small fraction of MATIC - the Polygon coin - an attacker can publish tens or hundreds of commands, which eliminates the need to maintain servers, register domains or rent traditional infrastructure. This economy makes the command infrastructure cheap and, at the same time, very resilient to the usual blocking measures.
This is not the first time that criminals have resorted to a blockchain to support their infrastructure. Previous cases have shown how some malware families use public blockchains as a fallback or backup to store control information, and experts point out that integrating smart contracts with malware is a logical but dangerous evolution. In the case of Aeternum, measures were also identified to make forensic analysis difficult: checks for virtualized environments, tools to verify that binaries are not detected by antivirus, and utilities to run the code through detection scanners such as Kleenscan.
The commercial offer of the kit also attracted the attention of the researchers. In December 2025, posts appeared in underground forums where a seller under the alias LenAI offered builds at relatively low prices and, for larger sums, the entire source code and the administration panel. Outpost24 - through its KrakenLabs team - reported signs of this activity on social networks and forums: KrakenLabs - initial announcement and later the attempt to sell the complete project for a higher price: KrakenLabs - offer to sell.
This phenomenon is not isolated: in parallel with Aeternum, other services and models for monetizing crime have emerged. An illustrative example is DSLRoot, described by the firm Infrawatch as an underground offering that installs dedicated hardware in American homes in order to turn that equipment into residential proxies. The research suggests that the service integrates software capable of remotely managing modems from common brands and Android devices through ADB, offering IP rotation and anonymous connectivity in exchange for subscriptions. Infrawatch documents techniques, scope estimates and attribution traces in its report: Infrawatch - DSLRoot research.
The implications are multiple. For defenders, facing a C2 that lives on a public blockchain requires thinking of new detection and mitigation vectors: monitoring suspicious transactions and contracts, analyzing the wallet addresses that publish payloads, identifying and blocking the URLs used as payload sources, and collaborating with blockchain infrastructure providers to suspend ancillary services where possible. Polygon, as a public network, maintains documentation that helps in understanding how its RPC endpoints and nodes work, useful information for professionals who want to track or mitigate abuse: Polygon - network documentation.

At the practical level, for users and security managers, the classic recommendations remain valid and become more important: keeping systems and applications up to date, restricting the execution of unverified binaries, applying network segmentation, using endpoint detection solutions that identify abnormal behavior (unusual downloads, execution of programs from temporary paths, processes that make RPC queries to external services) and training people not to execute instructions that arrive through social engineering vectors. In addition, response teams should combine traditional forensic analysis with blockchain intelligence, working with the security community and, where appropriate, with authorities and platforms to try to cut off the funding chain or the operational capacity of the attackers.
The emergence of commercial tools and hybrid infrastructure - such as those offered by Aeternum or DSLRoot - underlines that the professionalization of cybercrime continues to advance. Attackers are looking for cost-effective, scalable and resilient models. Faced with that, defense has to evolve by integrating blockchain analysis capability, threat intelligence and traditional security controls. The technical reports of Qrator Labs and Ctrl Alt Intel, together with Infrawatch's research on residential proxies, are recommended reading for those who need to understand the technical detail and operational context of these new threats: Qrator Labs, Ctrl Alt Intel - Part 1, Ctrl Alt Intel - Part 2 and Infrawatch - DSLRoot.
In short, we are at a stage in which the decentralization that brings value to many legitimate applications can also be exploited by malicious actors. Understanding these abuses and adapting both monitoring and defensive measures will be key to preventing such tactics from becoming standard.
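The two detection ideas above (processes that make RPC queries to external services, and programs running from temporary paths) can be combined into one endpoint rule. The script below is an added illustration, not code from the article or from any of the cited reports: it scores constructed EDR/proxy log lines by whether the HTTP body is an Ethereum-style JSON-RPC contract read (Polygon uses the same API), whether the process runs from a temporary or user-writable path, and whether the process is an expected RPC client. The method set, path patterns, allowlist and hostnames are assumptions chosen for the example.

```python
import json
import re
from typing import Iterable, List, Optional

# Assumption: JSON-RPC methods a client needs in order to read data held in a contract.
CONTRACT_READ_METHODS = {"eth_call", "eth_getLogs"}
# Assumption: temporary / user-writable locations typical of a dropped loader.
TEMP_PATH_RE = re.compile(r"[\\/](Temp|tmp|Downloads)[\\/]", re.IGNORECASE)
# Assumption: process images legitimately expected to talk to RPC nodes in this fleet.
EXPECTED_RPC_CLIENTS = {"chrome.exe", "firefox.exe", "node.exe", "geth", "bor"}

def _rpc_method(body: str) -> Optional[str]:
    """Return the JSON-RPC method named in an HTTP body, or None if it is not JSON-RPC 2.0."""
    try:
        req = json.loads(body)
    except (ValueError, TypeError):
        return None
    if isinstance(req, dict) and req.get("jsonrpc") == "2.0":
        return req.get("method")
    return None

def flag_rpc_events(lines: Iterable[str]) -> List[dict]:
    """Score every logged outbound request that is a contract read; skip everything else."""
    findings = []
    for raw in lines:
        ev = json.loads(raw)
        method = _rpc_method(ev.get("body", ""))
        if method not in CONTRACT_READ_METHODS:
            continue
        image = ev["image"]
        exe = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        reasons = [f"json-rpc {method} to {ev['host']}"]
        if TEMP_PATH_RE.search(image):
            reasons.append("runs from a temporary/user-writable path")
        if exe not in EXPECTED_RPC_CLIENTS:
            reasons.append("not an expected RPC client")
        severity = {3: "high", 2: "medium"}.get(len(reasons), "low")
        findings.append({"pid": ev["pid"], "image": image, "severity": severity, "reasons": reasons})
    return findings

def _event(pid: int, image: str, host: str, method: Optional[str] = None, body: str = "") -> str:
    """Build one constructed log line in the shape an EDR or proxy might emit."""
    if method:
        body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": []})
    return json.dumps({"pid": pid, "image": image, "host": host, "body": body})

SAMPLE_LOGS = [  # constructed telemetry; hosts are placeholders, not real endpoints
    _event(4120, r"C:\Users\alice\AppData\Local\Temp\update.exe", "rpc.polygon.example", "eth_call"),
    _event(2231, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "rpc.polygon.example", "eth_call"),
    _event(3877, r"C:\Windows\System32\svchost.exe", "update.example", body='{"ping":1}'),
    _event(5102, "/opt/indexer/bin/indexer", "rpc.polygon.example", "eth_getLogs"),
]
```

Only the first event hits all three signals; a browser doing the same read scores low, which is the noise this rule is meant to separate from a loader reading its orders from a contract.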