Executive Summary
In February 2026, cybersecurity researchers uncovered the Aeternum C2 botnet, developed by the threat actor known as LenAI. This botnet distinguishes itself by utilizing the Polygon blockchain to store encrypted command-and-control (C2) instructions, thereby circumventing traditional takedown methods that target centralized servers. Infected machines retrieve commands from smart contracts on the blockchain, making the botnet's infrastructure highly resilient and challenging to disrupt. (thehackernews.com)
The emergence of Aeternum C2 underscores a significant shift in cybercriminal tactics, leveraging decentralized technologies to enhance the persistence and stealth of malicious operations. This development highlights the need for adaptive cybersecurity strategies to address the evolving threat landscape posed by blockchain-based malware. (infosecurity-magazine.com)
Why This Matters Now
The Aeternum C2 botnet's use of blockchain for command-and-control operations represents a paradigm shift in cyber threats, rendering traditional takedown methods ineffective. This innovation necessitates the development of new defensive measures to detect and mitigate such decentralized attacks.
Attack Path Analysis
The Aeternum C2 botnet initiates attacks by exploiting vulnerabilities in public-facing applications to gain initial access. Once inside, it escalates privileges by manipulating IAM roles to gain broader access. The malware then moves laterally across the network by exploiting misconfigurations in east-west traffic controls. For command and control, Aeternum utilizes the Polygon blockchain to store encrypted commands, making takedown efforts challenging. It exfiltrates data by transferring it to external servers through unmonitored outbound connections. Finally, the botnet impacts the system by deploying additional payloads such as clippers, stealers, RATs, or miners, leading to data theft and resource exploitation.
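The defensive corollary of a C2 channel that reads commands from a smart contract is that every infected host must issue blockchain state reads to some node endpoint, and that outbound traffic is observable at the egress point. The following added example (not code from the original report or from any vendor named on this page) scans constructed egress-proxy log lines for EVM JSON-RPC state reads from hosts that have no business talking to a chain node; the log format, host names, RPC endpoint and allowlist are all assumptions for illustration.

```python
import json
import re

# Constructed egress-proxy log lines (made up for this example, not telemetry
# from the incident): timestamp, source host, destination host, HTTP method,
# path, request body ("-" when empty).
SAMPLE_LOGS = [
    '2026-02-10T09:01:02Z build-01 api.github.com GET /repos -',
    '2026-02-10T09:01:05Z web-07 rpc.chain.example POST / {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xabc","data":"0x1234"},"latest"],"id":1}',
    '2026-02-10T09:02:05Z web-07 rpc.chain.example POST / {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xabc","data":"0x1234"},"latest"],"id":2}',
    '2026-02-10T09:03:05Z web-07 rpc.chain.example POST / {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xabc","data":"0x1234"},"latest"],"id":3}',
    '2026-02-10T09:04:00Z fin-app-02 rpc.chain.example POST / {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xdef","data":"0x70a08231"},"latest"],"id":9}',
]

# Hosts with a documented business need to query chain nodes (assumed allowlist).
ALLOWED_CHAIN_CLIENTS = {"fin-app-02"}

# EVM JSON-RPC methods that read contract state or event logs. A bot fetching
# commands from a contract must use one of these, but so does a legitimate
# wallet or explorer, which is why the allowlist above matters.
STATE_READ_METHODS = {"eth_call", "eth_getLogs", "eth_getStorageAt"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (.*)$")

def parse_line(line):
    """Return a record for a JSON-RPC state read, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, src, dst, http_method, _path, body = m.groups()
    try:
        rpc = json.loads(body)
    except json.JSONDecodeError:
        return None
    if http_method != "POST" or rpc.get("method") not in STATE_READ_METHODS:
        return None
    first = (rpc.get("params") or [{}])[0]
    # eth_call addresses the contract as "to"; eth_getLogs filters use "address".
    contract = first.get("to") or first.get("address") or "?" if isinstance(first, dict) else "?"
    return {"ts": ts, "src": src, "dst": dst, "method": rpc["method"], "contract": contract}

def find_unexpected_chain_readers(lines):
    """Map each non-allowlisted source host to {(endpoint, contract): call count}."""
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] in ALLOWED_CHAIN_CLIENTS:
            continue
        per_host = hits.setdefault(rec["src"], {})
        key = (rec["dst"], rec["contract"])
        per_host[key] = per_host.get(key, 0) + 1
    return hits
```

Repeated reads of the same contract from one host at a fixed interval are the beaconing pattern to alert on; the same source host appearing only once against an allowlisted endpoint is not.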
Kill Chain Progression
Initial Compromise
Description
The Aeternum C2 botnet gains initial access by exploiting vulnerabilities in public-facing applications.
MITRE ATT&CK® Techniques
- Compromise Infrastructure: Botnet
- Application Layer Protocol
- Encrypted Channel
- Data Obfuscation: Steganography
- Ingress Tool Transfer
- Fallback Channels
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
- PCI DSS 4.0 – Change Control Processes (Control ID: 6.4.1)
- NYDFS 23 NYCRR 500 – Cybersecurity Policy (Control ID: 500.03)
- DORA – ICT Risk Management Framework (Control ID: Article 5)
- CISA ZTMM 2.0 – Network Segmentation (Control ID: 3.1)
- NIS2 Directive – Incident Handling (Control ID: Article 21)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
Blockchain-based C2 infrastructure threatens financial transaction integrity, requiring enhanced egress filtering and zero trust segmentation to prevent cryptocurrency theft and fraud.
Computer Software/Engineering
Aeternum's anti-analysis features and Next.js panel implementation expose software development environments to advanced persistent threats requiring comprehensive endpoint protection measures.
Telecommunications
Residential proxy networks like DSLRoot exploit telecom infrastructure for malicious traffic routing, necessitating enhanced east-west traffic monitoring and anomaly detection capabilities.
Capital Markets/Hedge Fund/Private Equity
Polygon blockchain exploitation targeting platforms like Polymarket creates systemic risks for trading infrastructure requiring encrypted traffic analysis and threat intelligence integration.
Sources
- Aeternum C2 Botnet Stores Encrypted Commands on Polygon Blockchain to Evade Takedown: https://thehackernews.com/2026/02/aeternum-c2-botnet-stores-encrypted.html
- Aeternum Loader: When your C2 lives forever: https://ctrlaltintel.com/threat%20research/Aeternum-Part-1/
- Aeternum Loader: Inside the binary: https://ctrlaltintel.com/threat%20research/Aeternum-Part-2/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could likely limit the Aeternum C2 botnet's ability to exploit vulnerabilities, escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: By implementing Aviatrix CNSF, the botnet's ability to exploit vulnerabilities in public-facing applications could likely be constrained, reducing the risk of initial compromise.
Control: Zero Trust Segmentation
Mitigation: With Zero Trust Segmentation, the malware's ability to escalate privileges by manipulating IAM roles could likely be limited, reducing the scope of unauthorized access.
Control: East-West Traffic Security
Mitigation: Implementing East-West Traffic Security could likely limit the botnet's lateral movement by enforcing strict traffic controls, reducing the attacker's reach within the network.
Control: Multicloud Visibility & Control
Mitigation: With Multicloud Visibility & Control, the botnet's command and control communications could likely be monitored and constrained, reducing the effectiveness of encrypted command storage.
Control: Egress Security & Policy Enforcement
Mitigation: By enforcing Egress Security & Policy Enforcement, the botnet's data exfiltration attempts could likely be constrained, reducing the risk of unauthorized data transfer.
With the implementation of Aviatrix Zero Trust CNSF, the deployment of additional malicious payloads could likely be constrained, reducing the potential for data theft and resource exploitation.
Impact at a Glance
Affected Business Functions
- n/a
Estimated downtime: N/A
Estimated loss: N/A
Recommended Actions
Key Takeaways & Next Steps
- Implement robust east-west traffic security controls to prevent lateral movement within the network.
- Deploy zero trust segmentation to enforce least privilege access and limit the spread of malware.
- Enhance multicloud visibility and control to detect and respond to anomalous activities across cloud environments.
- Enforce egress security and policy enforcement to monitor and control outbound traffic, preventing unauthorized data exfiltration.
- Utilize threat detection and anomaly response systems to identify and mitigate malicious activities promptly.