Aeternum Loader: When your C2 lives forever
ID: 52df7290-8cf3-5033-93bd-57137d914b59
STIX ID: report--52df7290-8cf3-5033-93bd-57137d914b59
Feed Name: Ctrl-Alt-Int3l
This report analyzes Aeternum Loader, a malware loader that publishes encrypted C2 commands to Polygon smart contracts. Researchers found an exposed operator panel and source code, reverse-engineered the smart contract ABI and encryption, and discovered that the PBKDF2/AES-GCM implementation derives keys solely from the contract address—allowing decryption of historical commands. Using this weakness and bytecode pivoting, they enumerated ~394 similar contracts, successfully decrypted commands from 37 channels (209 plaintext commands), identified numerous malware-hosting URLs and creator addresses (notably LenAI’s address), and published IoCs for defenders to monitor and block.
