Qrator Identifies Polygon-Powered Botnet Hard to Shut Down

2026/02/27 16:04

Qrator Research Lab has reported the discovery of a new botnet architecture that significantly complicates traditional law enforcement and cybersecurity response efforts. The finding highlights a growing shift in how cybercriminals design command-and-control systems, moving away from centralized infrastructure toward decentralized blockchain networks that are far more difficult to disrupt.

Historically, dismantling botnets followed a familiar pattern. Investigators would identify the central server issuing commands to infected machines and then shut it down or redirect the malicious traffic to controlled environments. According to Qrator’s research, this approach is becoming less effective as attackers adopt technologies that remove the single point of failure that authorities typically target.

How Aeternum C2 Operates on Blockchain Infrastructure

The newly identified botnet, known as Aeternum C2, does not rely on a central command server. Instead, it publishes operational instructions directly to the Polygon blockchain. Because blockchain data is distributed across thousands of computers globally and replicated simultaneously, there is no single location that can be seized or shut down.

Researchers explained that Aeternum functions as a loader written in C++ and is compatible with most Windows-based systems. Once a device is infected, it no longer connects to a traditional website or server for instructions. Instead, it queries the blockchain for smart contracts, which are immutable digital instruction sets stored permanently on the network. This design ensures that the botnet’s command logic remains accessible as long as the blockchain itself is operational.

Eliminating the Traditional Off Switch

Qrator’s analysis showed that the botnet operator can manage the entire operation through a simple web-based dashboard. Commands issued through this interface are written to the blockchain and then retrieved by infected machines worldwide. Because all communication flows through the blockchain, there is no core infrastructure for authorities to dismantle.

The system is also highly efficient. Most compromised devices reportedly receive updated instructions within two to three minutes. The operator can issue a variety of payloads, including tools designed to steal digital assets or software that hijacks computing power for unauthorized cryptocurrency mining. This rapid and flexible command delivery further increases the botnet’s effectiveness.

More Resilient Than Previous Blockchain-Based Threats

Previous botnets, such as Glupteba, incorporated blockchain technology only as a fallback mechanism. Those networks could still be disrupted by targeting their primary servers. In contrast, Qrator researchers observed that Aeternum is built entirely around blockchain infrastructure, making it far more resistant to takedown efforts. With no servers to seize and no domain names to block, traditional countermeasures become largely ineffective.

The researchers also noted that operating costs for the attackers are extremely low. Sending hundreds of commands to thousands of infected machines reportedly costs only a minimal amount in transaction fees. This low barrier to operation makes the model accessible and scalable for cybercriminal groups.

Evasion Techniques and Long-Term Risks

Further investigation revealed that the malware includes anti-virtual machine techniques. These mechanisms allow the software to detect when it is being analyzed in a controlled research environment. If such conditions are detected, the malware simply refuses to execute, limiting the ability of security teams to study its behavior in detail.

The long-term implications of this model are particularly concerning. A blockchain-based command structure allows botnets to persist for extended periods and scale more easily, making them well-suited for large-scale distributed denial-of-service attacks. Even if individual devices are cleaned, the same blockchain-hosted instructions can be reused to reestablish control, reducing the effectiveness of traditional remediation efforts.

Shifting the Focus of Cyber Defense

Qrator’s findings suggest that defenders may need to rethink their approach to botnet mitigation. Rather than focusing solely on taking down command servers, organizations may need to prioritize filtering malicious traffic before it reaches critical infrastructure. As blockchain-based command-and-control systems gain traction among attackers, proactive traffic analysis and network-level defenses are likely to become essential components of modern cybersecurity strategies.
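One form the traffic analysis described above can take, as an added example that is not from Qrator or the original article: flag hosts where a non-browser process reads the same smart contract at a steady interval. It assumes a proxy or EDR log that records the process name and the HTTP POST body, and that the reads use the Ethereum JSON-RPC interface that Polygon nodes expose; the host names, process names, contract addresses, allowlist and thresholds are all constructed.

```python
import json
from collections import defaultdict
from statistics import mean, pstdev

READ_METHODS = {"eth_call", "eth_getLogs", "eth_getStorageAt"}  # read-only JSON-RPC calls
ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe"}  # assumption: site-specific allowlist
C2 = "0x" + "ab" * 20  # constructed placeholder contract address

def rpc_call(to):
    """Build a constructed eth_call request body aimed at contract `to`."""
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                       "params": [{"to": to, "data": "0x"}, "latest"]})

# Constructed sample log: (epoch seconds, host, process, HTTP POST body)
SAMPLE_LOG = (
    [(1000 + 150 * i + j, "ws-17", "updater.exe", rpc_call(C2)) for i, j in enumerate([0, 4, -3, 2, 1])]
    + [(1000 + 150 * i, "ws-22", "chrome.exe", rpc_call(C2)) for i in range(4)]   # allowlisted
    + [(t, "ws-30", "sync.exe", rpc_call("0x" + "cd" * 20)) for t in (1000, 1010, 2500, 2600)]  # irregular
    + [(1200, "ws-17", "updater.exe", "not json")]                                # ignored
)

def contract_of(body):
    """Return the contract address a JSON-RPC read targets, or None."""
    try:
        msg = json.loads(body)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0" or msg.get("method") not in READ_METHODS:
        return None
    params = msg.get("params")
    first = params[0] if isinstance(params, list) and params else None
    addr = (first.get("to") or first.get("address")) if isinstance(first, dict) else first
    return addr.lower() if isinstance(addr, str) else None

def find_pollers(records, min_hits=4, max_jitter=0.25):
    """Return (host, process, contract, mean interval) for steady contract polling."""
    seen = defaultdict(list)
    for ts, host, proc, body in records:
        addr = contract_of(body)
        if addr and proc.lower() not in ALLOWED_PROCESSES:
            seen[(host, proc, addr)].append(ts)
    alerts = []
    for key, times in seen.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and pstdev(gaps) <= max_jitter * mean(gaps):
            alerts.append((*key, round(mean(gaps))))
    return sorted(alerts)

if __name__ == "__main__":
    print(find_pollers(SAMPLE_LOG))
```

Legitimate wallets and dApp backends also read contracts on a schedule, so the allowlist and the jitter threshold need tuning against local traffic before alerts from a check like this are actionable.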

The post Qrator Identifies Polygon-Powered Botnet Hard to Shut Down appeared first on CoinTrust.
