Aeternum C2: Polygon Blockchain as Bulletproof Infrastructure?
Has anyone seen the Qrator Labs report on the new Aeternum C2 loader? It’s a fascinating, albeit terrifying, evolution in botnet resilience. Instead of relying on traditional VPS or domain infrastructure that we can sinkhole or seize, this loader stores encrypted commands directly on the public Polygon blockchain.
The Mechanics
The malware queries the Polygon network for specific transactions. The C2 instructions are embedded in the transaction data (likely the input field), encrypted so only the botnet operator can decode them. This turns the entire decentralized network into a failsafe C2. We can't issue a takedown request to a blockchain.
Detection Challenges
Since the traffic is just standard RPC calls to public nodes (like Infura or Alchemy) or port 8545, standard IP blocking is messy. You risk collateral damage if your organization actually uses Web3 tools. However, typical user workstations shouldn't be hammering these endpoints.
Here is a basic KQL query to start hunting for anomalous RPC traffic from non-browser processes:
DeviceNetworkEvents
| where ActionType == "ConnectionSuccess"
| where RemoteUrl has_any ("polygon-rpc.com", "infura.io", "alchemy.com") or RemotePort == 8545
| where InitiatingProcessFileName !in ("chrome.exe", "firefox.exe", "msedge.exe", "node.exe")
| summarize Count = count() by DeviceName, InitiatingProcessFileName, RemoteUrl
| where Count > 10 // Threshold for suspicious activity
How is everyone handling Web3 traffic detection in their environments? Are you flat-out blocking public RPC nodes at the firewall, or are you relying on EDR telemetry to catch the process behavior?
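The same hunt as a stand-alone script run over constructed telemetry, so the threshold logic can be checked offline before it goes into a workbook. This is an added example, not code from the Qrator Labs report or from the original post; the event records and the process name updater.exe are constructed, and the KQL has_any is approximated as a case-insensitive substring match.

```python
from collections import Counter

# Indicators taken from the KQL hunt above.
RPC_HOSTS = ("polygon-rpc.com", "infura.io", "alchemy.com")
RPC_PORT = 8545
ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe", "node.exe"}
THRESHOLD = 10  # same "Count > 10" cutoff as the query

def is_rpc_destination(url: str, port: int) -> bool:
    """Mirror `RemoteUrl has_any (...) or RemotePort == 8545` (substring approximation)."""
    return any(h in url.lower() for h in RPC_HOSTS) or port == RPC_PORT

def hunt_rpc_beacons(events):
    """Group successful RPC connections by (device, process, url) and keep
    only non-browser/non-node initiators that exceed the threshold.
    Each event is a dict keyed by DeviceNetworkEvents column names."""
    counts = Counter()
    for e in events:
        if e["ActionType"] != "ConnectionSuccess":
            continue
        if not is_rpc_destination(e["RemoteUrl"], e["RemotePort"]):
            continue
        if e["InitiatingProcessFileName"].lower() in ALLOWED_PROCESSES:
            continue
        counts[(e["DeviceName"], e["InitiatingProcessFileName"], e["RemoteUrl"])] += 1
    return {key: n for key, n in counts.items() if n > THRESHOLD}

def sample_events():
    """Constructed telemetry: 12 successful polls from updater.exe on WS01,
    20 failed polls that must be ignored, and 3 browser hits on WS02."""
    def ev(device, action, url, port, proc):
        return {"DeviceName": device, "ActionType": action, "RemoteUrl": url,
                "RemotePort": port, "InitiatingProcessFileName": proc}
    polls = [ev("WS01", "ConnectionSuccess", "polygon-rpc.com", 443, "updater.exe")
             for _ in range(12)]
    failed = [ev("WS01", "ConnectionFailed", "polygon-rpc.com", 443, "updater.exe")
              for _ in range(20)]
    browser = [ev("WS02", "ConnectionSuccess", "mainnet.infura.io", 443, "chrome.exe")
               for _ in range(3)]
    return polls + failed + browser

if __name__ == "__main__":
    for (device, proc, url), n in hunt_rpc_beacons(sample_events()).items():
        print(f"{device} {proc} -> {url}: {n} successful connections")
```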
This is the nightmare scenario for infrastructure takedowns. We've been debating blocking public RPC nodes at the perimeter for a while. Most legitimate business use of Web3 in our environment involves internal nodes or very specific approved dapps, so we've started blocking access to known public providers like Infura and Alchemy via PAC file and firewall rules. It's a bit of a blunt instrument, but the risk of data exfiltration via blockchain transaction metadata is rising.
Interesting approach with the KQL query. I'd add that you should also look for high transaction volumes on the wallet side. If the infected machine is spamming the chain to read data or sending 'heartbeats' via low-value transfers, it might rack up gas fees (even if low on Polygon). I'd also correlate the network traffic with process injection artifacts, as these loaders often use injection to stay hidden in memory.
The biggest hurdle for the attacker here is cost, right? Gas fees aren't zero, even on L2s like Polygon. If the botnet grows to 10k nodes checking in every minute, that's a huge operational expense. I wonder if this limits Aeternum to high-value targets rather than indiscriminate spamming. Regardless, we are adding checks for -rpc strings in TLS handshakes to our IDS rules.