Aeternum Botnet Adopts Polygon Blockchain for Command and Control
Summary
The Aeternum botnet loader has shifted its command-and-control (C2) operations to the Polygon blockchain, eliminating traditional central servers. This move makes it harder for authorities and security firms to disrupt the botnet by seizing infrastructure. The botnet uses smart contracts on the blockchain to issue commands, which are publicly recorded and immutable. Aeternum is a native C++ loader available in x32 and x64 builds. Operators manage infections via a web dashboard that allows them to select a smart contract, choose a command type, and specify a payload URL. Commands are written to the blockchain as transactions and are accessible to bots querying over 50 remote procedure call endpoints. The botnet's use of blockchain-based C2 complicates traditional takedown strategies, as there is no central infrastructure to seize. Commands stored on-chain are permanent and globally accessible, making proactive DDoS mitigation more critical. The threat actor LenAI has attempted to sell the entire Aeternum toolkit for $10,000, claiming a lack of time for support and involvement in another project. LenAI is also behind a second crimeware solution called ErrTraffic.
Timeline
- 26.02.2026 20:00 · 1 article
Threat Actor LenAI Attempts to Sell Aeternum Toolkit
The threat actor LenAI has attempted to sell the entire Aeternum toolkit for $10,000, claiming a lack of time for support and involvement in another project. LenAI is also behind a second crimeware solution called ErrTraffic.
Sources:
- Aeternum C2 Botnet Stores Encrypted Commands on Polygon Blockchain to Evade Takedown — thehackernews.com — 26.02.2026 20:00
- 26.02.2026 18:00 · 2 articles
Aeternum Botnet Shifts to Polygon Blockchain for Command and Control
The Aeternum botnet has shifted its command-and-control operations to the Polygon blockchain, using smart contracts to issue commands. This move eliminates traditional central servers, making it harder for authorities and security firms to disrupt the botnet. The botnet's use of blockchain-based C2 complicates traditional takedown strategies, as commands stored on-chain are immutable and globally accessible. The C2 panel is implemented as a Next.js web application, and the malware includes anti-analysis features to detect virtualized environments and avoid antivirus detection.
Sources:
- Aeternum Botnet Shifts Command Control to Polygon Blockchain — www.infosecurity-magazine.com — 26.02.2026 18:00
- Aeternum C2 Botnet Stores Encrypted Commands on Polygon Blockchain to Evade Takedown — thehackernews.com — 26.02.2026 20:00
Information Snippets
- Aeternum botnet uses Polygon blockchain for command-and-control operations.
First reported: 26.02.2026 18:00 · 2 sources, 2 articles. Sources:
- Aeternum Botnet Shifts Command Control to Polygon Blockchain — www.infosecurity-magazine.com — 26.02.2026 18:00
- Aeternum C2 Botnet Stores Encrypted Commands on Polygon Blockchain to Evade Takedown — thehackernews.com — 26.02.2026 20:00
- Aeternum is a native C++ loader available in x32 and x64 builds.
First reported: 26.02.2026 18:00 · 2 sources, 2 articles. Sources:
- Aeternum Botnet Shifts Command Control to Polygon Blockchain — www.infosecurity-magazine.com — 26.02.2026 18:00
- Aeternum C2 Botnet Stores Encrypted Commands on Polygon Blockchain to Evade Takedown — thehackernews.com — 26.02.2026 20:00
- Operators manage infections via a web dashboard that interacts with smart contracts on the Polygon blockchain.
First reported: 26.02.2026 18:00 · 2 sources, 2 articles. Sources:
- Aeternum Botnet Shifts Command Control to Polygon Blockchain — www.infosecurity-magazine.com — 26.02.2026 18:00
- Aeternum C2 Botnet Stores Encrypted Commands on Polygon Blockchain to Evade Takedown — thehackernews.com — 26.02.2026 20:00
- Commands are written to the blockchain as transactions and are accessible to bots querying over 50 remote procedure call endpoints.
First reported: 26.02.2026 18:00 · 2 sources, 2 articles. Sources:
- Aeternum Botnet Shifts Command Control to Polygon Blockchain — www.infosecurity-magazine.com — 26.02.2026 18:00
- Aeternum C2 Botnet Stores Encrypted Commands on Polygon Blockchain to Evade Takedown — thehackernews.com — 26.02.2026 20:00
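A defender-side check for the polling pattern described in this snippet, added here as an example and not code from the reporting or from the botnet: it scans constructed egress-proxy records and flags a process that issues read-only JSON-RPC calls to many distinct blockchain RPC endpoints, while leaving an allowlisted wallet process alone. The log field names, process names, `*.example` hostnames and the fan-out threshold are assumptions.

```python
"""Flag a process fanning JSON-RPC read calls across many chain RPC endpoints,
the polling pattern the reporting describes for Aeternum bots. Added example,
not code from the reporting; log format, names and threshold are assumptions."""
import json
from collections import defaultdict

# Read-only methods used to pull contract state/events; legit wallets use them too.
READ_METHODS = {"eth_call", "eth_getLogs", "eth_blockNumber", "eth_getBlockByNumber"}
ALLOWLISTED_PROCESSES = {"wallet-app.exe"}  # site-specific, assumed
ENDPOINT_THRESHOLD = 4  # distinct RPC hosts per process before alerting, assumed

# Constructed egress-proxy records, one JSON object per line; last line is malformed.
SAMPLE_LOGS = """\
{"src":"ws-17","proc":"updater.exe","dst":"rpc-a.example","method":"eth_call"}
{"src":"ws-17","proc":"updater.exe","dst":"rpc-b.example","method":"eth_getLogs"}
{"src":"ws-17","proc":"updater.exe","dst":"rpc-c.example","method":"eth_call"}
{"src":"ws-17","proc":"updater.exe","dst":"rpc-d.example","method":"eth_blockNumber"}
{"src":"ws-17","proc":"updater.exe","dst":"cdn.example","method":null}
{"src":"ws-03","proc":"wallet-app.exe","dst":"rpc-a.example","method":"eth_call"}
{"src":"ws-03","proc":"wallet-app.exe","dst":"rpc-b.example","method":"eth_call"}
{"src":"ws-03","proc":"wallet-app.exe","dst":"rpc-c.example","method":"eth_call"}
{"src":"ws-03","proc":"wallet-app.exe","dst":"rpc-d.example","method":"eth_call"}
{"src":"ws-09","proc":"chrome.exe","dst":"rpc-a.example","method":"eth_call"}
not json at all
"""

def parse_records(raw):
    """Yield dict records, skipping blank or non-JSON lines."""
    for line in filter(None, map(str.strip, raw.splitlines())):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec

def find_rpc_fanout(records, threshold=ENDPOINT_THRESHOLD):
    """Return (src, proc) pairs that issued chain read calls to at least
    `threshold` distinct endpoints and are not allowlisted."""
    endpoints, calls = defaultdict(set), defaultdict(int)
    for rec in records:
        if rec.get("method") not in READ_METHODS:
            continue
        key = (rec["src"], rec["proc"])
        endpoints[key].add(rec["dst"])
        calls[key] += 1
    return [{"src": s, "proc": p, "endpoints": sorted(h), "read_calls": calls[(s, p)]}
            for (s, p), h in sorted(endpoints.items())
            if p not in ALLOWLISTED_PROCESSES and len(h) >= threshold]
```

The threshold is the tuning knob: a host that spreads reads across many public RPC endpoints for endpoint redundancy stands out against a wallet or browser that sticks to one or two.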
- The botnet's use of blockchain-based C2 makes traditional takedown strategies ineffective.
First reported: 26.02.2026 18:00 · 2 sources, 2 articles. Sources:
- Aeternum Botnet Shifts Command Control to Polygon Blockchain — www.infosecurity-magazine.com — 26.02.2026 18:00
- Aeternum C2 Botnet Stores Encrypted Commands on Polygon Blockchain to Evade Takedown — thehackernews.com — 26.02.2026 20:00
- Operational costs for Aeternum are low, with $1 in MATIC funding 100-150 command transactions.
First reported: 26.02.2026 18:00 · 2 sources, 2 articles. Sources:
- Aeternum Botnet Shifts Command Control to Polygon Blockchain — www.infosecurity-magazine.com — 26.02.2026 18:00
- Aeternum C2 Botnet Stores Encrypted Commands on Polygon Blockchain to Evade Takedown — thehackernews.com — 26.02.2026 20:00
- Aeternum C2 panel is implemented as a Next.js web application.
First reported: 26.02.2026 20:00 · 1 source, 1 article. Sources:
- Aeternum C2 Botnet Stores Encrypted Commands on Polygon Blockchain to Evade Takedown — thehackernews.com — 26.02.2026 20:00
- The malware includes anti-analysis features to detect virtualized environments and avoid antivirus detection.
First reported: 26.02.2026 20:00 · 1 source, 1 article. Sources:
- Aeternum C2 Botnet Stores Encrypted Commands on Polygon Blockchain to Evade Takedown — thehackernews.com — 26.02.2026 20:00
- The threat actor LenAI is also behind a second crimeware solution called ErrTraffic.
First reported: 26.02.2026 20:00 · 1 source, 1 article. Sources:
- Aeternum C2 Botnet Stores Encrypted Commands on Polygon Blockchain to Evade Takedown — thehackernews.com — 26.02.2026 20:00
Similar Happenings
SSHStalker Linux Botnet Uses IRC for C2 Communications
A new Linux botnet named SSHStalker has been documented, utilizing the outdated IRC protocol for command-and-control (C2) operations. The botnet employs classic IRC mechanics, including multiple C-based bots and multi-server/channel redundancy, prioritizing resilience and scale over stealth. It achieves initial access through automated SSH scanning and brute-forcing, using a Go binary disguised as nmap. Once infected, hosts are used to scan for additional SSH targets, and the botnet includes exploits for 16 CVEs targeting older Linux kernel versions. The botnet also performs AWS key harvesting, website scanning, and includes cryptomining kits and DDoS capabilities. Notably, SSHStalker maintains persistent access without immediate follow-on post-exploitation behavior, suggesting it may be used for staging, testing, or strategic access retention. The threat actor is suspected to be of Romanian origin, with operational overlaps with the hacking group Outlaw (aka Dota).
GoBruteforcer Botnet Expands Attacks on Linux Servers
The GoBruteforcer botnet has expanded its attacks to target databases of cryptocurrency and blockchain projects, exploiting weak credentials and misconfigured software. Over 50,000 publicly accessible servers are vulnerable, with the botnet turning compromised machines into scanning and attack nodes. A more capable variant of the malware, written in Go, was observed in mid-2025, featuring heavier obfuscation and stronger persistence. The botnet exploits predictable usernames and weak defaults, targeting exposed services like XAMPP and WordPress admin panels. Financial motives are evident, with tools found to scan TRON balances and sweep tokens on TRON and Binance Smart Chain. On-chain analysis confirms some successful attacks, though most affected addresses held small balances. The botnet uses common operational usernames such as 'myuser' and 'appuser', and common passwords like '123321' and 'testing'. GoBruteforcer campaigns tweak the credential sets depending on the target, including cryptocurrency-themed usernames and passwords.
SesameOp malware leverages OpenAI Assistants API for command-and-control
A new backdoor malware, SesameOp, uses the OpenAI Assistants API as a covert command-and-control channel. The malware was discovered during an investigation into a July 2025 cyberattack. It allowed attackers to gain persistent access to compromised environments and remotely manage backdoored devices for several months. The attackers leveraged legitimate cloud services, avoiding detection and traditional incident response measures. The malware employs a combination of symmetric and asymmetric encryption to secure communications. It uses a heavily obfuscated loader and a .NET-based backdoor deployed through .NET AppDomainManager injection into Microsoft Visual Studio utilities. The attack chain includes internal web shells and malicious processes designed for long-term espionage. The malware uses a loader component named "Netapi64.dll" and a .NET-based backdoor named "OpenAIAgent.Netapi64". The malware supports three types of values in the description field of the Assistants list retrieved from OpenAI: SLEEP, Payload, and Result. Microsoft and OpenAI collaborated to investigate the abuse of the API, leading to the disabling of the account and API key used in the attacks. The malware does not exploit a vulnerability in OpenAI's platform but misuses built-in capabilities of the Assistants API. The OpenAI Assistants API is scheduled for deprecation in August 2026 and will be replaced by a new Responses API.
ShadowV2 Botnet Targets Misconfigured AWS Docker Containers and IoT Devices for DDoS Attacks
The ShadowV2 botnet targets misconfigured Docker containers on Amazon Web Services (AWS) to deploy a Go-based malware, turning infected systems into nodes for a distributed denial-of-service (DDoS) botnet. This botnet is available for rent to conduct DDoS attacks, employing advanced techniques such as HTTP/2 Rapid Reset and bypassing Cloudflare's Under Attack mode. The botnet was detected on June 24, 2025, and is believed to be part of a DDoS-for-Hire service. The botnet uses a Python-based C2 framework hosted on GitHub Codespaces and a Go-based remote access trojan (RAT) for command execution and communication. The malware first spawns a generic setup container from an Ubuntu image, installs necessary tools, and then builds and deploys a live container. This approach may help avoid leaving forensic artifacts on the victim machine. The malware communicates with a C2 server to receive commands and conduct attacks. The botnet's dynamic container deployment allows highly configurable attacks while concealing activity behind cloud-native architecture. The botnet targets 24,000 IP addresses with port 2375 open, though not all are exploitable. The malware sends a heartbeat signal to the C2 server every second and polls for new attack commands every five seconds. The botnet is actively used, with observed commands to launch attacks against at least one website. Additionally, the ShadowV2 botnet has been observed targeting IoT devices from D-Link, TP-Link, and other vendors with exploits for known vulnerabilities. The botnet was active during the major AWS outage in October, possibly as a test run. The malware identifies itself as 'ShadowV2 Build v1.0.0 IoT version' and is similar to the Mirai LZRD variant. The botnet supports DDoS attacks on UDP, TCP, and HTTP protocols, with various flood types for each.
GPUGate Malware Campaign Targets IT Firms in Western Europe
The **GPUGate malware campaign** continues to evolve, now leveraging **Claude AI artifacts and Google Ads** to distribute **MacSync and AMOS infostealers** via **ClickFix attacks**. Over **15,600 users** have accessed malicious Claude-generated guides, which instruct victims to execute Terminal commands fetching malware payloads. This follows earlier waves abusing **ChatGPT/Grok chats, fake GitHub repositories, and malvertising** to deploy stealers targeting credentials, crypto wallets, and system data. The campaign, active since **April 2023**, has expanded from traditional phishing to **abusing AI ecosystems, supply-chain weaknesses, and trusted platforms** (e.g., Homebrew, LogMeIn, AI assistants). Russian-speaking actors operate **AMOS as a Malware-as-a-Service (MaaS)**, with stolen logs sold in underground markets to fuel fraud, ransomware, and account takeovers. The latest **Claude artifact abuse** underscores the shift toward **high-impact, scalable distribution channels**, exploiting weak platform vetting and user trust in AI-generated content. Organizations should monitor for **suspicious Terminal activity, C2 traffic to domains like `a2abotnet[.]com`, and unauthorized data egress** while educating users on **ClickFix-style lures** and unverified AI tool instructions.