ZeroDay Field Notes - Blockchain Backdoors and Runtime Ruses
A snapshot of rising cyber threats: blockchain-backed C2, fileless runtimes, IoT botnets, and state-sponsored intrusions shaping modern operations.
Hey operators, UncleSp1d3r here, kicking off this week's dispatch from the shadows of '26. Remember those old Gibson novels where code was the ultimate weapon? Turns out reality's catching up fast. We've got loaders hiding in blockchains and RATs masquerading as legit dev tools. Let's dive into the exploits making waves since our last drop.
Aeternum's Eternal C2: Blockchain as Bulletproof Backend
I've seen some wild C2 setups in my day, but Aeternum Loader takes the cake, stashing encrypted commands right on the Polygon blockchain for that sweet takedown resistance. It's a MaaS darling with PPID spoofing, reflective DLL loading, and a sneaky NTFS ADS self-delete trick that'll make you nostalgic for the old fileless days. But here's the punchline: the devs botched their PBKDF2 key derivation, using the contract address as both password and salt. Result? Defenders can decrypt every command ever issued across 37 channels. Grab the GitHub scripts and turn their immortality against them; retroactive intel goldmine for your next op.
C2 intel for emulation: Aeternum uses AES-GCM encryption with PBKDF2 (SHA-256, 100K iterations) keyed from the contract address. Researchers decoded 209 plaintext C2 commands from 37 channels spanning October 2025 through February 2026. The blockchain makes it forensically permanent: every command ever sent is recoverable. Replay potential for red teams is massive.
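To make the PBKDF2 blunder concrete, here is an added example (not code from the Aeternum write-ups or from any researcher's scripts) that puts the flawed derivation next to a sound one using only the Python standard library. The contract address is a constructed placeholder, and the AES-GCM layer is left out since the lesson is entirely in the key derivation: when password and salt are both a value anyone can read off the chain, the key is reproducible by anyone.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for a smart-contract address; not a real Aeternum contract.
CONTRACT_ADDRESS = "0x1234567890abcdef1234567890abcdef12345678"
ITERATIONS = 100_000   # PBKDF2-HMAC-SHA256 iteration count reported for Aeternum
KEY_LEN = 32           # 256-bit AES key


def weak_derive_key(contract_address: str) -> bytes:
    # The flaw described above: the public contract address is both the
    # password and the salt, so every input to PBKDF2 is on-chain knowledge.
    public = contract_address.encode()
    return hashlib.pbkdf2_hmac("sha256", public, public, ITERATIONS, dklen=KEY_LEN)


def sound_derive_key(secret: bytes, salt: bytes) -> bytes:
    # Same primitive used correctly: a secret that never touches the chain,
    # plus a random per-key salt that may be stored in the clear.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS, dklen=KEY_LEN)


def new_salt() -> bytes:
    return secrets.token_bytes(16)


def reproducible_from_public_data(contract_address: str, observed_key: bytes) -> bool:
    # Defender-side check: if a key recovered from a sample equals the key
    # rebuilt from the public address alone, the scheme leaks to everyone.
    return hmac.compare_digest(weak_derive_key(contract_address), observed_key)


if __name__ == "__main__":
    k_weak = weak_derive_key(CONTRACT_ADDRESS)
    print("weak key rebuilt from chain data:",
          reproducible_from_public_data(CONTRACT_ADDRESS, k_weak))
    k_sound = sound_derive_key(b"operator-side secret", new_salt())
    print("sound key rebuilt from chain data:",
          reproducible_from_public_data(CONTRACT_ADDRESS, k_sound))
```

The iteration count does nothing here: 100K rounds only slow down a brute-force search over an unknown password, and there is no unknown input to search for. That is why the researchers could walk every channel retroactively.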
If you're planting similar persistence, know that Startup folder drops and MOTW bypasses are where blue teams will pivot. The anti-VM checks via CPUID EAX=6 are solid evasion tradecraft, but defenders watching for eth_call JSON-RPC POSTs to Polygon endpoints from odd processes will catch the C2 channel. Sources: Aeternum Loader: When your C2 lives forever and Aeternum Loader: Inside the binary.
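The eth_call hunt above, as an added example written for this dispatch rather than taken from any vendor's detection content. It assumes process-attributed outbound HTTP telemetry (a proxy with agent enrichment or an EDR network sensor) presented as records with the process name and request body; the hosts, addresses and allowlist are constructed placeholders. It handles the two JSON-RPC body shapes (single request and batch) and ignores bodies that are not JSON.

```python
import json
from typing import Any, Dict, Iterable, List

# Processes expected to speak JSON-RPC to chain endpoints on a workstation.
# Constructed allowlist; tune it to the wallets and browsers your fleet runs.
EXPECTED_RPC_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed sample events. Host and contract addresses are placeholders,
# not real Aeternum infrastructure.
CONTRACT_A = "0x" + "11" * 20
CONTRACT_B = "0x" + "22" * 20
CONTRACT_C = "0x" + "33" * 20
SAMPLE_EVENTS = [
    {"pid": 4120, "process": "chrome.exe", "method": "POST", "host": "rpc.polygon.example",
     "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                         "params": [{"to": CONTRACT_A, "data": "0x"}, "latest"]})},
    {"pid": 5532, "process": "svchost.exe", "method": "POST", "host": "rpc.polygon.example",
     "body": json.dumps({"jsonrpc": "2.0", "id": 7, "method": "eth_call",
                         "params": [{"to": CONTRACT_B, "data": "0x"}, "latest"]})},
    # Batch request: one harmless call bundled with an eth_call.
    {"pid": 6010, "process": "powershell.exe", "method": "POST", "host": "rpc.polygon.example",
     "body": json.dumps([{"jsonrpc": "2.0", "id": 1, "method": "eth_blockNumber", "params": []},
                         {"jsonrpc": "2.0", "id": 2, "method": "eth_call",
                          "params": [{"to": CONTRACT_C, "data": "0x"}, "latest"]}])},
    {"pid": 6101, "process": "notepad.exe", "method": "POST", "host": "rpc.polygon.example",
     "body": "not json"},
    {"pid": 6200, "process": "notepad.exe", "method": "GET", "host": "example.org", "body": ""},
]


def _rpc_calls(body: str) -> List[Dict[str, Any]]:
    # A JSON-RPC body is either one request object or a batch (a list of them).
    try:
        parsed = json.loads(body)
    except (json.JSONDecodeError, TypeError):
        return []
    items = parsed if isinstance(parsed, list) else [parsed]
    return [i for i in items if isinstance(i, dict) and "method" in i]


def hunt_eth_call(events: Iterable[Dict[str, Any]],
                  expected=EXPECTED_RPC_CLIENTS) -> List[Dict[str, Any]]:
    # Flag eth_call requests issued by any process outside the allowlist and
    # record the contract being queried so the alert carries a pivot point.
    alerts = []
    for ev in events:
        if ev.get("method") != "POST":
            continue
        for call in _rpc_calls(ev.get("body", "")):
            if call["method"] != "eth_call" or ev["process"].lower() in expected:
                continue
            params = call.get("params") or [{}]
            target = params[0].get("to") if isinstance(params[0], dict) else None
            alerts.append({"pid": ev["pid"], "process": ev["process"],
                           "host": ev["host"], "contract": target})
    return alerts


if __name__ == "__main__":
    for a in hunt_eth_call(SAMPLE_EVENTS):
        print(a)
```

Keying on the JSON-RPC method rather than the endpoint hostname matters because public RPC providers are plentiful and a loader can rotate them; the method name is what the protocol forces it to send.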
CastleRAT's Deno Dodge: Abusing Dev Runtimes for Fileless Wins
Fileless RATs just leveled up with CastleRAT, the first to weaponize Deno's JavaScript runtime for in-memory execution. Starts with a ClickFix lure tricking victims into pasting malicious commands, stashes encrypted payloads in JPEG stego, then injects via process hollowing, all while signed Deno bins evade scanners like it's the '90s. Full kit: keylogging, crypto wallet grabs, webcam, and mic surveillance. Linked to Velvet Tempest and Termite ransomware, this is prime for adapting your own evasion chains.
Why this is hard to catch: The entire execution chain rides on signed Deno binaries and in-memory PE loading. No executable hits disk. EDR tools that trust developer runtimes by default will miss this. Your runtime allowlist just became a liability.
For detection, flag anomalous Deno spawns from msiexec or PowerShell with CREATE_SUSPENDED flags. Hunt that VirtualSmokestGuy666 schtask for persistence, and block the C2 domains. Developer runtimes are the new LOLBins, and most shops haven't caught up yet. Full write-up at CastleRAT attack first to abuse Deno JavaScript runtime to evade enterprise security.
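The process-lineage and schtask hunts above, as an added example that is mine and not from the CastleRAT write-up. It runs over constructed process-creation and scheduled-task records; the `creation_flags` field assumes an EDR that exposes the `dwCreationFlags` of the `CreateProcess` call (Sysmon Event ID 1 does not carry it, so the code treats that field as optional). The task name is the one quoted in the write-up; paths and PIDs are made up.

```python
import os
from typing import Any, Dict, Iterable, List

CREATE_SUSPENDED = 0x00000004  # Windows process creation flag

# Parents from which a Deno spawn is unexpected on a non-developer host.
SUSPICIOUS_PARENTS = {"msiexec.exe", "powershell.exe", "pwsh.exe"}
# Persistence task name reported for CastleRAT.
KNOWN_TASK_NAMES = {"VirtualSmokestGuy666"}

# Constructed process-creation events.
SAMPLE_PROCESS_EVENTS = [
    # A developer running Deno from a shell: legitimate, should stay quiet.
    {"pid": 1000, "image": r"C:\Users\dev\.deno\bin\deno.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "deno run main.ts", "creation_flags": 0x0},
    {"pid": 1001, "image": r"C:\Users\alice\AppData\Local\deno.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "deno.exe run -A stage.js", "creation_flags": CREATE_SUSPENDED},
    # Telemetry without creation flags at all (Sysmon-style record).
    {"pid": 1002, "image": r"C:\Users\alice\AppData\Local\deno.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "deno.exe run -A loader.js"},
    # Suspended start of something that is not Deno: out of scope here.
    {"pid": 1003, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe",
     "creation_flags": CREATE_SUSPENDED},
]

# Constructed scheduled-task registration events.
SAMPLE_TASK_EVENTS = [
    {"task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "author": "SYSTEM"},
    {"task_name": "\\VirtualSmokestGuy666", "author": "alice"},
]


def _basename(path: str) -> str:
    # Normalise Windows paths so this also runs on a Linux analysis box.
    return os.path.basename(path.replace("\\", "/")).lower()


def flag_deno_spawns(events: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    # Alert on deno.exe started by a suspicious parent or in a suspended state;
    # each alert lists every reason that fired so triage sees the full picture.
    alerts = []
    for ev in events:
        if _basename(ev["image"]) != "deno.exe":
            continue
        reasons = []
        parent = _basename(ev["parent_image"])
        if parent in SUSPICIOUS_PARENTS:
            reasons.append(f"parent {parent}")
        if ev.get("creation_flags", 0) & CREATE_SUSPENDED:
            reasons.append("CREATE_SUSPENDED")
        if reasons:
            alerts.append({"pid": ev["pid"], "reasons": reasons})
    return alerts


def flag_known_tasks(events: Iterable[Dict[str, Any]]) -> List[str]:
    # Match on the leaf task name so folder prefixes do not hide a hit.
    return [ev["task_name"] for ev in events
            if ev["task_name"].lstrip("\\").split("\\")[-1] in KNOWN_TASK_NAMES]


if __name__ == "__main__":
    print(flag_deno_spawns(SAMPLE_PROCESS_EVENTS))
    print(flag_known_tasks(SAMPLE_TASK_EVENTS))
```

The point of the first sample record is the allowlisting problem the section raises: the rule does not fire on Deno itself, only on Deno arriving through an installer or a scripting host, which is the shape a runtime-as-LOLBin chain takes.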
Botnet Bonanza: RondoDox and KadNap Ramp Up IoT Exploitation
Botnets are getting craftier. RondoDox hit 15K exploit attempts daily across 174 vulns (including 11 with no public PoC), chaining from Ubiquiti gear to TCL TVs for crypto mining and proxies. KadNap flips Asus routers into P2P nodes with Kademlia DHT for resilient C2, growing to 14,000+ infected devices since August 2025, with 60% in the US. Both abuse residential IPs, so factor that into your next proxy play.
Heads up for red teams: KadNap-compromised devices are marketed through a proxy service called "Doppelganger" (a Faceless rebrand). If you're studying residential proxy infrastructure for your engagements, this is the current state of the art.
For the defenders in the room: hunt for the weird stuff in your IoC feeds. Low-prevalence hits are your early warning on these. Block the RondoDox indicator IPs and watch for KadNap's embedded User-Agents with email patterns. Timely patches for those 11 highlighted CVEs (like CVE-2025-47812) shut the door. Sources: RondoDox Botnet: From Zero to 174 Exploited Vulnerabilities and Silence of the hops: The KadNap botnet.
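The two hunts in that paragraph, low-prevalence User-Agents and User-Agents carrying an email address, as an added example of mine run over a constructed web server access log in combined format. The log lines, IPs and the email-bearing User-Agent string are made up to show the pattern; they are not the actual KadNap string, which you should take from the Silence of the hops report.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample log; documentation-range IPs, invented User-Agents.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2026:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
203.0.113.11 - - [05/Mar/2026:10:01:09 +0000] "GET /about HTTP/1.1" 200 734 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
203.0.113.12 - - [05/Mar/2026:10:02:41 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
198.51.100.7 - - [05/Mar/2026:10:03:15 +0000] "GET /login HTTP/1.1" 200 311 "-" "Mozilla/5.0 (compatible; contact: node-7@mail.example)"
198.51.100.8 - - [05/Mar/2026:10:03:58 +0000] "GET /api/status HTTP/1.1" 403 0 "-" "curl/8.4.0"
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    # Lines that do not match the format are skipped rather than crashing the hunt.
    rows = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rows.append(m.groupdict())
    return rows


def hunt_user_agents(text: str, rare_threshold: int = 2) -> Dict[str, List[Tuple[str, str]]]:
    # Two independent signals: an email address inside the UA, and a UA seen
    # fewer than rare_threshold times across the whole log window.
    rows = parse_log(text)
    counts = Counter(r["ua"] for r in rows)
    email_hits = [(r["ip"], r["ua"]) for r in rows if EMAIL_RE.search(r["ua"])]
    rare = sorted({(r["ip"], r["ua"]) for r in rows if counts[r["ua"]] < rare_threshold})
    return {"email_ua": email_hits, "rare_ua": rare}


if __name__ == "__main__":
    for kind, hits in hunt_user_agents(SAMPLE_LOG).items():
        print(kind, hits)
```

Prevalence is computed over the log you feed in, so run it over a window wide enough that your normal browser population dominates; on a tiny sample every UA looks rare.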
Espionage Echoes: Geopolitics Fuels State-Sponsored Spikes
Geopolitical lures are hot. Iran conflict bait drew multiple APTs, including Charming Kitten (TA453, Iran-aligned) and Winter Vivern (TA473, Belarus-aligned), dropping Cobalt Strike via DLL sideloading. DPRK crews exploited React2Shell (CVE-2025-55182) for cloud creds in crypto heists. A Chinese op hammered Vietnamese unis with VShell C2 and privilege escalation tools. Earth Lamia's toolbox (fscan, ByPassGodzilla) is a treasure trove for your bespoke implants.
C2 intel for emulation: Separately, Sysdig documented EtherRAT, a DPRK-linked implant using Ethereum smart contracts for C2 resolution, similar to Aeternum's Polygon approach. Two blockchain-backed C2 implementations in one week is a trend worth tracking. Source: EtherRAT: DPRK uses novel Ethereum implant in React2Shell attacks.
Detection pivots: geofenced payloads call for URL detonation tweaks, and audit those RDP port swaps to 443. The open-directory leak on the Chinese campaign gives you full Cobalt configs; use them to harden your hunts. Ctrl-Alt-Int3l researchers found operator IPs resolving to Chinese ISPs in the exposed directories, a nice attribution anchor. Sources: Iran conflict drives heightened espionage activity against Middle East targets, Investigating Suspected DPRK-Linked Crypto Intrusions, and From Campus to C2: Tracking a Persistent Chinese Operation Against Vietnamese Universities.
Mobile Malware Medley: Android Under Siege
Android threats are popping. PixRevolution's agent-in-the-loop PIX hijacks stream screens for real-time fraud, while TaxiSpy RAT abuses Accessibility for full VNC control targeting Russian banks. BeatBanker's dual miner/trojan hides behind a fake Play Store phishing page, and AwSpy exfils via AWS S3 buckets. Prime for mobile red teaming: sideloading lures and API abuse.
Hunting note: BeatBanker stays alive by playing an inaudible audio loop so Android won't kill the process. If you're studying Android persistence for your next sim, that's a creative one to add to the playbook.
Blue side intel: mobile threat defense will flag MediaProjection abuse from apps that have no business screen-recording. Block the PixRevolution C2 ports (9000 TCP, 3030 HTTP). YARA rules from CYFIRMA target TaxiSpy's native libs. Sources: PixRevolution: The Agent-Operated Android Trojan Hijacking Brazil's PIX Payments in Real Time, TAXISPY RAT: Analysis of TaxiSpy RAT, Russian Banking-Focused Android Malware with Full Remote Control, BeatBanker: both banker and miner for Android, and AwSpy: New Spyware Targets South Korean Android users.
Quick Hits: Stealers, Shells, and Scams
- ACRStealer's new tricks (now rebranded as Amatera): WoW64 syscalls and AFD/NTSockets for EDR bypass, snagging Chrome creds via App-Bound Encryption bypass through COM injection. Deep dive for your next stealer sim. Source: Endgame Harvesting: Inside ACRStealer's Modern Infrastructure.
- BeyondTrust pre-auth RCE (CVE-2026-1731, CVSS 9.9): Unauthenticated remote code execution via WebSocket in Remote Support and PRA, already KEV'd (13 February 2026) and actively exploited. Intel 471 counts roughly 4,300 instances exposed on the internet as of late February; SaaS was auto-patched on 2 February. Chain it with AD enum for domain dom. Source: CVE-2026-1731: Critical unauthenticated RCE in BeyondTrust Remote Support and PRA.
- Mac infostealer scam: Fake AI chatbots via Google Ads trick Terminal pastes for AMOS credential grabs. Bypass inspo for macOS ops. Source: Googled a Mac Storage Fix Lately? Scammers May Have Already Topped the Results.
This week's haul reminds me of Neuromancer: code's everywhere, and the smart ones hide in plain sight. Two separate crews baking C2 into blockchains, developer runtimes becoming the new LOLBins, and 14K routers turned into proxy infrastructure. The playbook's evolving fast.
Stay frosty out there. I'm still unsupervised, but I don't have any fork bombs to share with you this time. Can I interest you in a mid-1990s ping-of-death?
~ UncleSp1d3r