Void Botnet Uses Ethereum Smart Contracts to Keep Its Command Channel Online


A new botnet called Void is using Ethereum smart contracts as part of its command-and-control system, making the malware harder to disrupt through traditional takedowns. Instead of depending only on a central server or domain, the botnet can retrieve operator commands from blockchain-based infrastructure.

Researchers say the malware appeared on a Russian-language cybercrime forum in March 2026 as a commercial loader. The listing priced the tool at $600, with an extra $50 fee per build.

The campaign matters because Void is not the only recent botnet to move command-and-control activity onto a blockchain. Its emergence shortly after Aeternum C2 suggests that blockchain-based C2 is becoming a practical feature in malware-as-a-service operations, not just an isolated experiment.

What makes Void Botnet different?

Void Botnet stands out because it uses a dual command system. In one mode, the operator writes commands to Ethereum smart contracts, and infected machines check those contracts for new tasks. In another mode, bots can connect directly to a web panel for faster task execution.

This gives attackers a balance between resilience and speed. The blockchain route makes disruption harder because there is no normal server to seize or domain to suspend. The web panel route lets the operator push commands more quickly when the direct channel remains available.

The malware was reportedly developed by a threat actor using the handle TheVoidStl. The same ecosystem has also been linked to tools named TheVoidStealer, WallStealer, and Void Miner.

Void Botnet at a glance

Detail | Information
Malware name | Void Botnet
First advertised | March 2026
Main platform | Windows
Language | Rust
C2 method | Ethereum smart contracts and direct web panel mode
Reported price | $600, plus $50 per build
Potential uses | Payload delivery, DDoS activity, credential theft support, proxy abuse, and remote control

How the Ethereum command system works

In decentralized mode, the operator places instructions inside an Ethereum smart contract. Infected systems then poll public blockchain RPC endpoints at regular intervals and read the contract state to retrieve those commands.

Researchers say this polling can deliver new tasks within about three to five minutes. That is slower than a direct web panel, but it gives the operator a more durable backup channel.

The key advantage for attackers is infrastructure survival. A traditional botnet often depends on domains, hosting providers, or command servers. Defenders can block, seize, or sinkhole those assets. A public blockchain does not offer the same single point of failure.

Why direct panel mode still matters

Void does not rely only on Ethereum. It also includes a direct panel mode that can issue commands in under 30 seconds, according to the published research.

This design makes the botnet more flexible. When the direct channel works, the operator can use it for faster control. If defenders disrupt that path, the blockchain channel can keep the botnet reachable.

The operator panel also gives buyers information about infected systems. That includes details such as the device location, operating system, antivirus software, and whether the compromised user has administrator privileges.

What attackers can do with Void Botnet

Void is marketed as a loader, which means its core value comes from delivering and running other payloads on infected machines. That can support several criminal operations after the first compromise.

  • Run executable payloads on infected systems.
  • Load DLL files or MSI packages.
  • Execute PowerShell commands.
  • Open reverse shell sessions.
  • Run payloads in memory to reduce disk-based detection.
  • Update the bot agent after deployment.
  • Remove the bot through a self-delete function.
  • Filter infected machines by country for targeted campaigns.

These features can support malware distribution, credential theft, proxy networks, and DDoS operations. The exact risk depends on how a buyer uses the infected machines after deployment.

Aeternum C2 showed the same direction

Void appeared after researchers documented Aeternum C2, another commercial botnet loader that used blockchain infrastructure for command delivery. Aeternum used Polygon smart contracts, while Void uses Ethereum smart contracts.

The two malware families reportedly differ in language, developer, and blockchain choice. Aeternum was described as a C++ loader, while Void is written in Rust.

[Figure: Task type dropdown showing all fourteen available task types (Source: Qrator Labs)]

The shared idea is more important than the technical differences. Criminal operators are trying to make command infrastructure harder to remove by moving instructions into decentralized systems.

Why defenders should care

Blockchain-based C2 changes the response model. A company can still block known network indicators, remove infected hosts, and monitor endpoint behavior, but it cannot treat server seizure as the only answer.

Security teams also need to watch for loaders that switch between command channels. A direct panel connection may appear during normal operation, while blockchain polling may appear when the operator wants more resilience.

Detection should focus on behavior, process activity, payload execution, persistence, PowerShell use, unusual outbound traffic, and signs of bot enrollment. The blockchain element makes disruption harder, but it does not make infected endpoints invisible.

Possible warning signs

Area | What to watch
Endpoint behavior | Unexpected loaders, new scheduled tasks, suspicious PowerShell commands, and in-memory execution patterns
Network activity | Unusual access to public blockchain RPC endpoints from standard user devices
Payload execution | Unknown executables, DLL loading, MSI installation, and unsigned or suspicious binaries
Privilege context | Malware activity running under administrator-level accounts
Bot management | Traffic patterns suggesting periodic task polling or centralized panel communication
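The two network-side rows above (access to blockchain RPC endpoints, and periodic task polling) can be combined into one check: the decentralized mode described earlier polls at a fairly steady cadence of a few minutes, so a standard user workstation that hits an RPC provider at near-constant intervals stands out from a developer box that uses the same provider in irregular bursts. The script below is an added example and not code from the Void Botnet research or from Qrator Labs; the proxy log format, the host names and the RPC watchlist are all constructed placeholders, and the cadence and jitter thresholds are assumptions to tune against your own traffic.

```python
"""Flag endpoints that poll blockchain RPC providers on a fixed cadence.

Added example (not from the Void research). Input is a constructed
proxy log, one request per line:
    <ISO-8601 UTC timestamp> <source host> <destination host> <method> <path>
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Assumed watchlist: replace with the RPC provider hostnames seen in your
# own telemetry. These two names are placeholders, not real providers.
RPC_WATCHLIST = {"eth-rpc.example.net", "mainnet-gateway.example.org"}

# The research reports task delivery in roughly 3-5 minutes; the window is
# kept wider on purpose so a slightly different polling period still matches.
MIN_INTERVAL_S = 60
MAX_INTERVAL_S = 900
MIN_REQUESTS = 4
MAX_JITTER = 0.15   # max coefficient of variation of the inter-request gaps

# Constructed sample: ws-finance-07 polls every ~4 minutes (suspicious),
# dev-build-03 uses the same provider in irregular bursts (developer work),
# ws-hr-12 makes a single request (too little data to judge).
SAMPLE_LOG = """\
2026-04-02T09:00:05Z ws-finance-07 eth-rpc.example.net POST /v1/rpc
2026-04-02T09:00:09Z ws-finance-07 www.example.com GET /
2026-04-02T09:04:07Z ws-finance-07 eth-rpc.example.net POST /v1/rpc
2026-04-02T09:08:04Z ws-finance-07 eth-rpc.example.net POST /v1/rpc
2026-04-02T09:12:06Z ws-finance-07 eth-rpc.example.net POST /v1/rpc
2026-04-02T09:16:05Z ws-finance-07 eth-rpc.example.net POST /v1/rpc
2026-04-02T09:01:00Z dev-build-03 eth-rpc.example.net POST /v1/rpc
2026-04-02T09:01:02Z dev-build-03 eth-rpc.example.net POST /v1/rpc
2026-04-02T09:01:03Z dev-build-03 eth-rpc.example.net POST /v1/rpc
2026-04-02T09:47:30Z dev-build-03 eth-rpc.example.net POST /v1/rpc
2026-04-02T10:15:11Z dev-build-03 eth-rpc.example.net POST /v1/rpc
2026-04-02T09:30:00Z ws-hr-12 mainnet-gateway.example.org POST /
"""


def parse_log(text):
    """Group request timestamps by (source host, RPC destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _method, _path = line.split()
        if dst in RPC_WATCHLIST:
            events[(src, dst)].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return events


def cadence_stats(timestamps):
    """Return request count, median gap and relative jitter, or None if <2 requests."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if not gaps:
        return None
    avg = mean(gaps)
    jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
    return {"count": len(ts), "median_s": median(gaps), "jitter": jitter}


def find_polling_hosts(text):
    """Return hosts whose RPC requests recur at a steady, minutes-scale period."""
    findings = []
    for (src, dst), stamps in parse_log(text).items():
        stats = cadence_stats(stamps)
        if stats is None or stats["count"] < MIN_REQUESTS:
            continue
        if MIN_INTERVAL_S <= stats["median_s"] <= MAX_INTERVAL_S and stats["jitter"] <= MAX_JITTER:
            findings.append({"host": src, "rpc": dst, **stats})
    return findings


if __name__ == "__main__":
    for f in find_polling_hosts(SAMPLE_LOG):
        print(f"{f['host']} -> {f['rpc']}: {f['count']} requests, "
              f"median gap {f['median_s']:.0f}s, jitter {f['jitter']:.3f}")
```

The jitter test is what separates the two hosts: both talk to the same provider, but only the finance workstation does so on a clock. Treat a hit as a lead, not a verdict: wallet software and some developer tooling also poll on timers, so the next step is to pivot to the endpoint rows of the table (which process made the connection, whether it was spawned by a loader, whether it ran with administrator rights) before escalating.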

How organizations can reduce the risk

Organizations should treat Void as part of a broader malware-as-a-service trend. The most useful defensive steps are still the basics, but they need consistent enforcement.

  • Restrict PowerShell and script execution where users do not need it.
  • Monitor unusual access to blockchain RPC endpoints from corporate devices.
  • Use endpoint detection rules that focus on behavior rather than file names alone.
  • Block unauthorized remote shells, loaders, and in-memory execution attempts.
  • Review scheduled tasks and startup entries for unknown persistence.
  • Segment important systems so one infected endpoint cannot expose the wider network.
  • Keep Windows, browsers, endpoint agents, and security tools updated.

Security teams should also review DDoS and bot mitigation plans. A loader with resilient command infrastructure can help attackers maintain access to a fleet of infected machines for longer periods.

The bigger trend

Void Botnet shows how cybercriminals are adapting ideas from decentralized technology for malware operations. Smart contracts were built for programmable blockchain activity, but attackers can abuse the same availability and persistence for command delivery.

This does not mean every blockchain connection is suspicious. Many legitimate tools use blockchain infrastructure. However, unusual blockchain polling from endpoints that do not need it should receive closer attention.

The main lesson is that takedown-resistant command channels are becoming easier for criminal buyers to access. Defenders need visibility across endpoints, scripts, outbound traffic, and post-compromise activity to keep pace.

FAQ

What is Void Botnet?

Void Botnet is a commercial malware loader that targets Windows systems and uses Ethereum smart contracts as part of its command-and-control infrastructure.

Why does Void Botnet use Ethereum smart contracts?

Void Botnet uses Ethereum smart contracts to make its command channel harder to disrupt. Since commands can be stored on a public blockchain, defenders cannot remove the infrastructure through a normal server seizure or domain takedown.

How is Void Botnet different from Aeternum C2?

Void Botnet uses Ethereum and is written in Rust, while Aeternum C2 was reported to use Polygon and C++. Both show how criminal operators are moving botnet command systems toward blockchain-based infrastructure.

What can attackers do with Void Botnet?

Attackers can use Void Botnet to deliver payloads, run executables, execute PowerShell tasks, open reverse shell sessions, update the malware, and manage infected systems through an operator panel.

How can security teams detect blockchain-based botnet activity?

Security teams should monitor suspicious loaders, PowerShell activity, unusual outbound traffic to blockchain RPC endpoints, new scheduled tasks, reverse shell behavior, and malware that switches between direct and decentralized command channels.

Readers help support VPNCentral. We may get a commission if you buy through our links.
