Void Botnet Weaponizes Ethereum Smart Contracts for Seizure-Proof Command-and-Control Infrastructure

dark6 21 May 2026
A new botnet called Void has emerged on the cybercrime underground, bringing a troubling twist to how attackers manage their operations remotely. Instead of relying on traditional servers that authorities can seize or shut down, Void Botnet routes its commands through Ethereum smart contracts — placing its infrastructure entirely beyond the reach of conventional law enforcement takedown efforts.

Background: A Growing Trend in Blockchain-Based C2

First advertised in March 2026 on a Russian-language cybercrime forum, Void Botnet is sold as a ready-to-use loader priced at $600 with an additional $50 fee charged per build. The malware was developed by a threat actor operating under the handle TheVoidStl, with an operator alias of nikoniko. Related tools tied to the same developer include TheVoidStealer, WallStealer, and Void Miner, suggesting an active and steadily expanding malware portfolio.

Researchers at Qrator Labs, who identified and documented the botnet in a report published May 18, 2026, noted that Void arrived only one month after a similar tool called Aeternum C2 was exposed. This means two independently developed botnets using two different blockchains surfaced within weeks of each other — pointing to a broader shift in how cybercriminals are thinking about resilience and long-term survivability.

How Ethereum Smart Contracts Power the C2

At the heart of Void Botnet is a dual-mode command-and-control system packed into a single binary. In decentralized mode, the operator writes instructions to an Ethereum smart contract, and infected machines check that contract at regular intervals, picking up new tasks within three to five minutes. There is no server to seize, no domain to block, and no registrar to contact — the commands live on a public blockchain that no single authority can reach.

The second mode connects machines directly to the operator’s web panel, where tasks can complete in under thirty seconds. The operator can switch between modes at any time by updating the contract. This design gives the attacker flexibility to choose speed when conditions allow, and fall back to the resilient blockchain channel when protection from takedown attempts is needed.

Technical Profile: A Lean, Capable Loader

Void Botnet is written in Rust, making it a lightweight native binary with a file size of just 1.5 MB. The loader runs on both 32-bit and 64-bit Windows systems and supports a wide range of post-compromise tasks. Its design reflects careful planning, with a strong emphasis on staying hidden and staying connected even when network conditions or defensive tools work against it.

The operator panel gives buyers a detailed view of every infected machine, including its location, operating system, active antivirus software, and whether the user has administrator privileges. Tasks can be pushed to individual machines or the entire fleet at once, with optional filtering by country to support targeted regional campaigns. The panel supports fourteen task types, including:

  • Payload delivery as executables, DLLs, MSI packages, or PowerShell scripts
  • In-memory execution mode that loads binaries directly into process memory without touching disk, bypassing file-based scanning
  • Reverse shell and PowerShell tasks opening live interactive sessions on compromised machines
  • SelfDelete and SelfUpdate capabilities for operational cleanup and agent refreshing
  • Persistence through a scheduled task introduced in the v1.1 update
  • DDoS campaign launching, credential theft, and proxy-as-a-service operations

Why This Is a Game-Changer for Defenders

Traditional botnet takedown operations rely on identifying and seizing command-and-control servers, suspending domains, or working with registrars and hosting providers. None of these options are available when the C2 channel runs through a public blockchain. Law enforcement agencies and network defenders cannot issue takedown requests to the Ethereum network.

This architectural shift means that organizations must increasingly rely on endpoint-level behavioral detection, since network-level blocking of known C2 infrastructure becomes ineffective. Defenders should consider blocking outbound connections to Ethereum RPC endpoints from non-approved applications and monitoring for unusual scheduled task creation, which Void uses for persistence.
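The endpoint-side checks this paragraph recommends, plus the three-to-five-minute contract polling cadence described earlier, sketched as an added example (not code from the Qrator Labs report or from Void itself): it runs over constructed Sysmon-style network records and Security event 4698 task-creation records, with an assumed RPC-provider watchlist and assumed process allowlists that a defender would populate from their own environment.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Assumed watchlist of Ethereum RPC provider domains (defender-maintained).
ETH_RPC_HOST_SUFFIXES = ("infura.io", "alchemy.com", "cloudflare-eth.com")
# Assumed allowlist: the only images permitted to reach those endpoints.
APPROVED_RPC_PROCESSES = {r"c:\program files\walletapp\walletapp.exe"}
# Assumed allowlist of images whose scheduled-task registrations are routine.
APPROVED_TASK_CREATORS = {r"c:\windows\system32\svchost.exe"}
# Constructed Sysmon-style records: (timestamp seconds, image, destination host).
NET_EVENTS = [
    (0,   r"c:\users\bob\appdata\roaming\svc.exe", "mainnet.infura.io"),
    (242, r"c:\users\bob\appdata\roaming\svc.exe", "mainnet.infura.io"),
    (481, r"c:\users\bob\appdata\roaming\svc.exe", "mainnet.infura.io"),
    (730, r"c:\users\bob\appdata\roaming\svc.exe", "mainnet.infura.io"),
    (15,  r"c:\program files\walletapp\walletapp.exe", "eth-mainnet.alchemy.com"),
]
# Constructed Security 4698-style records: (creating image, task action).
TASK_EVENTS = [
    (r"c:\windows\system32\svchost.exe", r"c:\windows\system32\sc.exe"),
    (r"c:\users\bob\appdata\roaming\svc.exe", r"c:\users\bob\appdata\roaming\svc.exe"),
]

def is_eth_rpc_host(host):
    h = host.lower()
    return any(h == s or h.endswith("." + s) for s in ETH_RPC_HOST_SUFFIXES)

def unapproved_rpc_clients(events):
    """Images reaching an Ethereum RPC host that are not on the allowlist."""
    return sorted({img.lower() for _, img, host in events
                   if is_eth_rpc_host(host) and img.lower() not in APPROVED_RPC_PROCESSES})

def polling_clients(events, lo=180, hi=300, max_jitter=0.2):
    """(image, host, mean gap) for clients polling an RPC host on a steady 3-5 min cadence."""
    times = defaultdict(list)
    for ts, img, host in events:
        if is_eth_rpc_host(host):
            times[(img.lower(), host.lower())].append(ts)
    hits = []
    for key, ts in times.items():
        ts = sorted(ts)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        # Need at least two intervals; flag a mean in range with low relative jitter.
        if len(gaps) >= 2 and lo <= mean(gaps) <= hi and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(key + (round(mean(gaps)),))
    return hits

def suspicious_task_creations(events):
    """Registrations by an unapproved creator or whose action lives in a user-writable path."""
    return [(c, a) for c, a in events
            if c.lower() not in APPROVED_TASK_CREATORS or "\\users\\" in a.lower()]
```

Live use would feed real Sysmon event 3 and Security 4698 records into the same functions; the cadence check is a heuristic and needs several polls per host before it fires.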

Operational Indicators of Compromise

  • Threat Actor Handle: TheVoidStl (developer/seller)
  • C2 Mechanism: Ethereum Smart Contracts (decentralized channel)
  • Build Language: Rust / .NET Framework 4.8 (v1.1)
  • First Observed: March 2026 on Russian-language cybercrime forum
  • Pricing: $600 + $50/build
