Aeternum Loader Employs Polygon Blockchain for Resilient C2
Overview of Aeternum Operations
Aeternum represents a significant shift in malware infrastructure management by adopting decentralized ledger technology (DLT) for its command-and-control (C2) operations. Identified by researchers as a multi-functional loader and information stealer, Aeternum leverages the Polygon blockchain—a Layer-2 scaling solution for Ethereum—to ensure its management infrastructure remains persistent and resistant to traditional sinkholing or domain seizure efforts.
Technical Analysis: Blockchain-Based C2
The core innovation within Aeternum is its reliance on smart contracts to distribute C2 configuration data. According to SecurityWeek, the malware authors utilize the Polygon network primarily due to its low transaction costs and high throughput compared to the Ethereum mainnet. This allows the threat actors to maintain a highly available ‘bulletproof’ directory of active command servers.
Execution Flow and C2 Retrieval
Upon infection, the Aeternum loader does not immediately reach out to a hardcoded IP address or to a domain produced by a domain generation algorithm (DGA). Instead, it interacts with a specific smart contract address deployed on the Polygon blockchain. By querying the contract’s state via public JSON-RPC endpoints, the malware retrieves the current IP addresses or domains of its active C2 servers.
This methodology provides several advantages to the threat actors:
- Immutability: Once a smart contract is deployed, its code cannot be altered or removed by centralized authorities, and the state it stores can be changed only by whoever controls the contract, making the ‘address book’ for the botnet permanent.
- Censorship Resistance: Because the data is stored on a decentralized network, there is no central server for law enforcement to seize.
- Low Overhead: By using Polygon, the actors can update the C2 addresses within the smart contract for a fraction of a cent in MATIC tokens, allowing for rapid infrastructure rotation and agility in the face of detection.
Payload Capabilities
Aeternum is primarily marketed as a loader, designed to establish a foothold and then deploy additional modules or third-party malware. However, it also includes native capabilities typical of modern infostealers:
- Credential Harvesting: Extraction of saved passwords, cookies, and autofill data from major web browsers.
- Cryptocurrency Draining: Scanning for local wallet files and browser extensions (e.g., MetaMask) to exfiltrate private keys or seed phrases.
- Remote Access: The ability to execute arbitrary commands or download secondary payloads, such as ransomware or persistent backdoors.
Strategic Implications for Defenders
The transition toward blockchain-based C2 infrastructure complicates the traditional incident response lifecycle. In standard botnet takedowns, defenders work with registrars and hosting providers to null-route malicious traffic or seize domains. With Aeternum, the ‘source of truth’ for the botnet’s location is distributed across thousands of nodes globally.
Furthermore, the use of legitimate blockchain RPC services (like Infura, Alchemy, or public Polygon nodes) means that blocking the communication channel often involves blocking traffic to legitimate Web3 infrastructure, which may cause collateral damage to business applications relying on those same services.
Mitigation and Recommendations
To defend against Aeternum and similar decentralized threats, organizations should adopt a multi-layered security posture focusing on behavioral patterns and egress filtering.
Network-Level Defenses
- Monitor RPC Traffic: Log and inspect traffic directed toward known blockchain RPC endpoints (e.g., polygon-rpc.com). While not inherently malicious, unusual volumes of traffic from non-developer workstations should be treated as suspicious and investigated for potential DLT-based malware communication.
- Egress Filtering: Implement strict outbound filtering. Limit the ability of internal endpoints to communicate with unknown external IPs over non-standard ports, as the final C2 servers retrieved from the blockchain will still require direct TCP/UDP connections for data exfiltration.
Endpoint Security
- Behavioral Analysis: Deploy EDR solutions capable of detecting the characteristic behaviors of loaders, such as process hollowing, unauthorized API calls to cryptographic libraries, and the staging of data in hidden system directories.
- Wallet Protection: For organizations handling digital assets, ensure that hardware wallets are used and that browser-based ‘hot’ wallets are strictly controlled or prohibited on general-purpose workstations.
Threat Intelligence Integration
Security teams should maintain updated lists of known malicious smart contract addresses and monitor the Polygonscan block explorer for transactions associated with Aeternum’s deployment addresses. This allows for the preemptive identification of new C2 infrastructure before it is utilized in a broader campaign.