Aeternum: Botnet Loader Anchors Command Channel on Polygon
Context and Chronology
A new loader, labeled Aeternum, shifts botnet control into public smart contracts on Polygon, according to a technical write-up by Qrator Labs. The design removes conventional central servers and leverages public RPC endpoints so infected hosts pull encrypted instructions from on‑chain data. Operators can swap commands by updating contracts; that change propagates to bots within moments, compressing the time between operator action and execution.
Technically, bots query public RPC nodes to read contract state, then validate and decrypt the payload before executing it. Because the only network contact is with legitimate public endpoints, there is no attacker-owned server or domain for defenders to hunt, which removes the infrastructure trail most takedown and blocklisting work depends on. The kit bundles anti-virtual-machine checks and an AV verification feature that probes builds against multiple detection engines via a third-party API. A web panel included with the product lets operators point bots to replacement contracts, effectively turning smart contracts into durable, distributed C2 points.
The underground sales pitch is explicit: a low-cost license and a separately priced full source option turn this capability into a marketable product. The loader’s commercial parameters and the bundled tooling lower the bar for lesser-skilled threat actors to operate resilient botnets. The attacker economics matter; a nominal amount of native token buys hundreds of brief command transactions, removing the need for rented hosting, domain churn, or persistent server assets.
This technique mirrors earlier experiments in which malware used public ledgers as fallback channels, but Aeternum ships that capability as a finished product for buyers. That packaging converts a complex tactics-and-tools stack into a repeatable commodity on underground markets. Defenders face a steeper cost curve: takedown playbooks that once relied on seizing servers and domains will yield incomplete results against on‑chain C2 anchors, because the contract data stays readable for as long as the chain itself is running.
Read the original technical note from Qrator Labs for indicators and a behavioral breakdown, and the reporting summary at SecurityWeek for context. Security teams should prioritize RPC monitoring, contract-state analytics, and telemetry that links on‑host behavior to on‑chain reads to regain visibility: a process that is not a browser or wallet yet repeatedly issues state-read calls against the same contract is the observable that remains once the server-side trail is gone. Rapid adaptation and coordinated legal or infrastructure responses will be required to prevent this pattern from becoming the default command-and-control mechanism for distributed malware.
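The detection the paragraph above calls for, as an added example that is not part of the Qrator Labs or SecurityWeek reporting and contains no Aeternum-specific indicators: it parses constructed egress-proxy records carrying decoded JSON-RPC bodies, keeps only the standard Ethereum state-read methods (which Polygon nodes serve unchanged), and flags any process outside a hypothetical allow-list that polls the same contract address repeatedly inside a short window. The hostnames, process names, contract addresses and calldata are all constructed for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Standard Ethereum JSON-RPC methods that read contract state or event logs.
# Polygon nodes expose the same API, so a bot polling an on-chain C2 contract
# has to issue one of these against an RPC endpoint.
STATE_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs", "eth_getCode"}

# Hypothetical allow-list of processes that may legitimately reach chain RPC
# endpoints from a workstation (assumption; tune to the environment).
ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe"}


def _rec(ts, host, proc, method, params, dst="polygon-rpc.com"):
    """Build one constructed proxy record: a proxied POST plus its decoded body."""
    return json.dumps({"ts": ts, "host": host, "proc": proc, "dst": dst,
                       "body": {"jsonrpc": "2.0", "id": 1,
                                "method": method, "params": params}})


# Constructed sample data (not real telemetry, not real contracts).
C2 = "0x1111111111111111111111111111111111111111"     # polled by an odd process
TOKEN = "0x2222222222222222222222222222222222222222"  # polled by a browser
SAMPLE_LOG = "\n".join([
    _rec("2025-01-10T09:00:00Z", "ws-017", "updater_helper.exe", "eth_call",
         [{"to": C2, "data": "0xabcdef01"}, "latest"]),
    _rec("2025-01-10T09:00:30Z", "ws-017", "updater_helper.exe", "eth_call",
         [{"to": C2, "data": "0xabcdef01"}, "latest"]),
    _rec("2025-01-10T09:01:00Z", "ws-017", "updater_helper.exe", "eth_getStorageAt",
         [C2, "0x0", "latest"]),
    _rec("2025-01-10T09:01:30Z", "ws-017", "updater_helper.exe", "eth_blockNumber", []),
    _rec("2025-01-10T09:02:00Z", "ws-042", "chrome.exe", "eth_call",
         [{"to": TOKEN, "data": "0x70a08231"}, "latest"]),
    _rec("2025-01-10T09:02:30Z", "ws-042", "chrome.exe", "eth_call",
         [{"to": TOKEN, "data": "0x70a08231"}, "latest"]),
    _rec("2025-01-10T09:03:00Z", "ws-042", "chrome.exe", "eth_call",
         [{"to": TOKEN, "data": "0x70a08231"}, "latest"]),
])


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def contract_of(method, params):
    """Return the lower-cased contract address a state-read call targets, or None."""
    if not params:
        return None
    first = params[0]
    if method == "eth_call" and isinstance(first, dict):
        addr = first.get("to")
    elif method == "eth_getLogs" and isinstance(first, dict):
        addr = first.get("address")          # may be a list in a real filter
    elif method in ("eth_getStorageAt", "eth_getCode"):
        addr = first
    else:
        addr = None
    return addr.lower() if isinstance(addr, str) else None


def parse_state_reads(lines):
    """Yield one dict per JSON-RPC call that reads contract state or logs."""
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        body = rec.get("body") or {}
        calls = body if isinstance(body, list) else [body]   # batch = JSON array
        for call in calls:
            method = call.get("method")
            if method not in STATE_READ_METHODS:
                continue
            yield {"ts": _ts(rec["ts"]), "host": rec["host"], "proc": rec["proc"],
                   "dst": rec["dst"], "method": method,
                   "contract": contract_of(method, call.get("params"))}


def detect(lines, allowed=ALLOWED_PROCESSES, min_reads=3, window_s=600):
    """Group reads by (host, process, contract) and flag non-allow-listed
    processes that poll one contract at least min_reads times within window_s.
    The window check uses the first-to-last span, which is enough for a demo;
    a production rule would slide the window over a longer history."""
    allowed = {p.lower() for p in allowed}
    groups = defaultdict(list)
    for r in parse_state_reads(lines):
        if r["proc"].lower() in allowed:
            continue
        groups[(r["host"], r["proc"], r["contract"])].append(r)
    findings = []
    for (host, proc, contract), reads in groups.items():
        reads.sort(key=lambda r: r["ts"])
        span = (reads[-1]["ts"] - reads[0]["ts"]).total_seconds()
        if len(reads) >= min_reads and span <= window_s:
            findings.append({"host": host, "proc": proc, "contract": contract,
                             "dst": sorted({r["dst"] for r in reads}),
                             "methods": sorted({r["method"] for r in reads}),
                             "reads": len(reads), "span_s": span})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(json.dumps(f, indent=2))
```

On the sample data the rule flags ws-017, where `updater_helper.exe` read contract `0x1111…` three times in sixty seconds, and ignores both the browser's token-balance reads and the `eth_blockNumber` call, which reads no contract. The point of keying on the contract address rather than the RPC hostname is that the hostname is shared with every legitimate dApp user; the repeated read of one address by one non-browser process is what survives after the operator rotates contracts, and the address itself becomes the indicator to pivot on in chain explorers.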