Aeternum: Botnet Loader Anchors Command Channel on Polygon
Context and Chronology
A new loader, labeled Aeternum, shifts botnet control into public smart contracts on Polygon, according to a technical write-up by Qrator Labs. The design removes conventional central servers and leverages public RPC endpoints so infected hosts pull encrypted instructions from on‑chain data. Operators can swap commands by updating contracts; that change propagates to bots within moments, compressing the time between operator action and execution.
Technically, bots query RPC nodes to read contract state, then validate and decrypt the payload before running it, which removes the server-and-domain trail that defenders typically hunt. The kit bundles anti-virtual-machine checks and an AV verification feature that probes builds against multiple detection engines via a third-party API. A web panel included with the product lets operators point bots to replacement contracts, effectively turning smart contracts into durable, distributed C2 points.
The underground sales pitch is explicit: a low-cost license and a separately priced full source option turn this capability into a marketable product. The loader’s commercial parameters and the bundled tooling lower the bar for lesser-skilled threat actors to operate resilient botnets. The attacker economics matter; a nominal amount of native token buys hundreds of brief command transactions, removing the need for rented hosting, domain churn, or persistent server assets.
This technique mirrors earlier experiments in which malware used public ledgers as fallback channels, yet Aeternum packages that capability for buyers. That packaging converts a complex tactics-and-tools stack into a repeatable commodity on underground markets. Defenders face a steeper cost curve: takedown playbooks that once relied on seizing servers and domains will yield incomplete results against on‑chain C2 anchors.
Read the original technical note from Qrator Labs for indicators and a behavioral breakdown, and the reporting summary at SecurityWeek for context. Security teams should prioritize RPC monitoring, contract-state analytics, and telemetry that links on‑host behavior to on‑chain reads to regain visibility. Rapid adaptation and coordinated legal or infrastructure responses will be required to prevent this pattern from becoming the de facto persistence mechanism for distributed malware.
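The RPC-monitoring and on-host correlation the write-up recommends can be prototyped as a small detection pass over egress-proxy telemetry. The following Python is an added example written for this summary; it is not code from Qrator Labs, SecurityWeek or the loader. The proxy log format, the watched RPC hostnames (placeholder `.invalid` names, not real indicators), the process allowlist and the sample log lines are all constructed assumptions. It parses each proxied HTTP body as JSON-RPC (including batch requests), keeps only contract-state reads (`eth_call`, `eth_getStorageAt`, `eth_getLogs`, `eth_getCode`) sent to the watched public endpoints, and raises an alert for any host/process pair that is not an expected chain client and performs repeated reads, reporting which contract addresses were queried so the analyst can pivot to contract-state analytics.

```python
"""Detection sketch: flag hosts whose processes repeatedly read public-chain
contract state over JSON-RPC, the behaviour the Aeternum write-up attributes
to infected bots. Added example, not the vendor's or the loader's code.
All hostnames, process names and log lines below are constructed."""
import json
from collections import defaultdict

# Assumed: public RPC hostnames the organisation chooses to watch (placeholders).
WATCHED_RPC_HOSTS = {"rpc.example-polygon.invalid", "public-node.example.invalid"}
# JSON-RPC methods that read contract state or event logs.
STATE_READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs", "eth_getCode"}
# Assumed: processes expected to talk to chain RPCs in this environment.
ALLOWED_PROCESSES = {"hardhat", "foundry-cast"}


def rpc_calls(body):
    """Return [(method, target_contract)] for each JSON-RPC call in an HTTP body.
    Batch requests arrive as a JSON list; malformed bodies yield an empty list."""
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        return []
    calls = payload if isinstance(payload, list) else [payload]
    out = []
    for call in calls:
        if not isinstance(call, dict):
            continue
        params = call.get("params") or []
        target = None
        if params and isinstance(params[0], dict):      # eth_call / eth_getLogs
            target = params[0].get("to") or params[0].get("address")
        elif params and isinstance(params[0], str):     # eth_getStorageAt / eth_getCode
            target = params[0]
        out.append((call.get("method"), target))
    return out


def contract_reads(rec):
    """Yield (src_host, process, method, contract) for state reads to watched hosts."""
    if rec.get("dest_host") not in WATCHED_RPC_HOSTS:
        return
    for method, target in rpc_calls(rec.get("http_body")):
        if method in STATE_READ_METHODS:
            yield rec["src_host"], rec["process"], method, (target or "").lower()


def detect(log_lines, min_reads=3):
    """Aggregate reads per (host, process) and alert on non-allowlisted repeaters."""
    stats = defaultdict(lambda: {"reads": 0, "methods": set(), "contracts": set()})
    for line in log_lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # unparseable proxy line: skip rather than abort the pass
        for src, proc, method, target in contract_reads(rec):
            s = stats[(src, proc)]
            s["reads"] += 1
            s["methods"].add(method)
            if target:
                s["contracts"].add(target)
    alerts = []
    for (src, proc), s in sorted(stats.items()):
        if proc.lower() in ALLOWED_PROCESSES or s["reads"] < min_reads:
            continue
        alerts.append({"src_host": src, "process": proc, "reads": s["reads"],
                       "methods": sorted(s["methods"]),
                       "contracts": sorted(s["contracts"])})
    return alerts


def _rpc(method, params, rid):
    return json.dumps({"jsonrpc": "2.0", "id": rid, "method": method, "params": params})


def _rec(src, proc, dest, body):
    return json.dumps({"src_host": src, "process": proc, "dest_host": dest, "http_body": body})


CONTRACT = "0x" + "ab" * 20  # constructed placeholder address, not a real contract
RPC = "rpc.example-polygon.invalid"

# Constructed proxy log: one suspicious workstation, one legitimate dev box, noise.
SAMPLE_PROXY_LOG = [
    _rec("wks-17", "updater.exe", RPC, _rpc("eth_call", [{"to": CONTRACT, "data": "0x00"}, "latest"], 1)),
    _rec("wks-17", "updater.exe", RPC, _rpc("eth_call", [{"to": CONTRACT, "data": "0x00"}, "latest"], 2)),
    _rec("wks-17", "updater.exe", RPC, _rpc("eth_getStorageAt", [CONTRACT, "0x0", "latest"], 3)),
    _rec("wks-17", "updater.exe", RPC, _rpc("eth_call", [{"to": CONTRACT, "data": "0x00"}, "latest"], 4)),
    _rec("wks-17", "updater.exe", RPC, "garbage{"),                     # malformed body
    _rec("dev-01", "hardhat", RPC, _rpc("eth_call", [{"to": CONTRACT}, "latest"], 5)),  # allowlisted
    _rec("wks-17", "browser.exe", "www.example.invalid", "{}"),         # not a watched host
    "this line is not JSON at all",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_PROXY_LOG):
        print(json.dumps(alert))
```

Run stand-alone, the block prints a single alert for `wks-17` / `updater.exe` with four reads of the placeholder contract; the allowlisted `hardhat` traffic and the non-RPC request are ignored. In production the same aggregation would be keyed on endpoint-agent process identity rather than a proxy's self-reported process name, and the `contracts` field is the pivot into contract-state analytics.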