- A new botnet loader called Aeternum C2 uses the public Polygon blockchain for its command-and-control infrastructure, making it highly resistant to takedown.
- The malware, written in C++, writes encrypted commands to smart contracts, which infected devices then read via public RPC endpoints for a negligible operational cost.
- The threat actor behind the malware, known as LenAI, has attempted to sell the entire toolkit for $10,000 and is also linked to a separate crimeware solution called ErrTraffic.
- Separately, a Belarusian operator runs a residential proxy network named DSLRoot using custom hardware deployed in U.S. homes to anonymously route malicious traffic.
In early 2025, cybersecurity researchers disclosed a novel and resilient botnet threat: the Aeternum C2 loader uses the immutable Polygon blockchain as its command infrastructure. This approach, detailed by Qrator Labs, creates a permanent and takedown-resistant network by storing instructions in public smart contracts.
Infected devices poll the blockchain via remote procedure call (RPC) endpoints to retrieve encrypted commands written by the operator. “Once a command is confirmed, it cannot be altered or removed by anyone other than the wallet holder,” the researchers stated, highlighting the system’s durability.
The malware was first advertised in December 2025 by a threat actor named LenAI, who offered the loader for $200 and the full C++ codebase for $4,000. According to reports from KrakenLabs, the actor later attempted to sell the entire project for $10,000, citing a lack of time for support.
The loader also incorporates robust anti-analysis features, including checks for virtualized environments. Operational costs are minimal: just $1 worth of MATIC token funds 100 to 150 command transactions on the Polygon network.
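The polling behaviour described above leaves a network footprint defenders can hunt for: a non-wallet process making contract-read JSON-RPC calls to a public chain endpoint at a steady interval. The sketch below is an added example, not code from Qrator Labs or this article; the RPC hostnames are placeholders, and the log field names, allow-list and thresholds are assumptions (the `rpc_method` field presumes TLS-inspecting proxy or EDR telemetry).

```python
import json
from collections import defaultdict
from statistics import mean, pstdev

# Assumptions: placeholder hostnames for public Polygon RPC endpoints (maintain your own list),
# standard read-only JSON-RPC methods, and processes expected to talk to a chain (wallet browsers).
RPC_HOSTS = {"polygon-rpc.example", "rpc.polygon.example"}
READ_METHODS = {"eth_call", "eth_getLogs", "eth_getStorageAt"}
ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe"}

# Constructed sample telemetry: one JSON record per outbound request, plus one malformed line.
SAMPLE_LOG = [
    json.dumps({"ts": t, "src": s, "process": p,
                "dest": "polygon-rpc.example", "rpc_method": "eth_call"})
    for s, p, times in [
        ("10.0.0.5", "updater.exe", [1000, 1060, 1119, 1181, 1240]),  # steady ~60 s poll
        ("10.0.0.7", "wallet-cli", [1000, 1010, 1500, 1520, 3000]),   # irregular, human-driven
        ("10.0.0.9", "chrome.exe", [1000, 1060, 1120, 1180, 1240]),   # allow-listed browser
    ] for t in times
] + ["not json"]

def find_rpc_pollers(lines, min_events=4, max_jitter=0.2):
    """Return {(src, process): mean_interval_seconds} for regular contract-read polling."""
    seen = defaultdict(list)
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the hunt
        if not isinstance(ev, dict):
            continue
        proc, src, ts = str(ev.get("process", "")), ev.get("src"), ev.get("ts")
        if src is None or not isinstance(ts, (int, float)):
            continue
        if ev.get("dest") not in RPC_HOSTS or ev.get("rpc_method") not in READ_METHODS:
            continue
        if proc.lower() in ALLOWED_PROCESSES:
            continue
        seen[(src, proc)].append(ts)

    findings = {}
    for key, stamps in seen.items():
        if len(stamps) < max(min_events, 2):
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low coefficient of variation means machine-like, timer-driven polling.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings[key] = round(avg, 1)
    return findings
```
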
In a separate but parallel development, a service named DSLRoot is deploying physical hardware in American residences to create a proxy network. Infrawatch attributed this operation to a Belarusian national, Andrei Holas, who promotes the service online.
The custom software, called DSLPylon, can remotely control modems and Android devices to rotate IP addresses. This network, estimated to include 300 active devices across more than 20 U.S. states, allows clients to route traffic anonymously through residential IPs for a monthly fee of $190.
