Aeternum C2 Polygon blockchain command-and-control loader

Malware Activity
Happening score: 24
1 unique source, 1 article

Summary

The Aeternum C2 botnet loader is moving command-and-control onto the Polygon blockchain, removing the central servers that defenders normally target. That change makes disruption and takedown harder because instructions are stored in smart contracts and recorded publicly on-chain. Bots can retrieve commands through more than 50 RPC endpoints, and new instructions reportedly reach them within two to three minutes.

Related Happenings

Aeternum C2 botnet loader using Polygon blockchain C2

Malware Activity
First: 26.02.2026 20:00 Last: 26.02.2026 20:00 Sources 1

About this happening: Researchers disclosed **Aeternum C2**, a botnet loader that moves **command-and-control** onto the **Polygon blockchain**, making infected hosts harder to disrupt. The malware wri...

CRESCENTHARVEST Windows RAT and info-stealer activity

Malware Activity
First: 19.02.2026 10:13 Last: 19.02.2026 10:13 Sources 1

About this happening: The **CRESCENTHARVEST** malware activity centers on **version.dll**, a **Windows RAT and information stealer** that can execute commands, log keystrokes, and exfiltrate data. It m...

LummaStealer infection surge via CastleLoader

Malware Activity
First: 11.02.2026 19:02 Last: 11.02.2026 19:02 Sources 1

About this happening: The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...

Latest development: 06.03.2026 08:44

Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands, then chains through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, set persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().

Timeline

  1. 26.02.2026 18:00 2 articles · 3mo ago

    Aeternum C2 shifts command-and-control onto Polygon

    Initial Disclosure

    Qrator Research Lab identifies Aeternum C2 as a native C++ loader in x32 and x64 builds that replaces conventional servers and domains with smart contracts on the Polygon blockchain. Operators use a web dashboard to choose a smart contract, command type, and payload URL, and infected machines then pull instructions from more than 50 RPC endpoints. The loader can run multiple contracts at once and supports clippers, information-stealing DLLs, PowerShell or batch scripts, remote access tools, and cryptocurrency miners. On-chain commands are immutable, so the control channel does not depend on infrastructure that can be seized or suspended.