A new botnet called Void has emerged on the cybercrime underground, bringing a troubling twist to how attackers manage their operations remotely. Instead of relying on traditional servers that authorities can seize or shut down, Void Botnet routes its commands through Ethereum smart contracts, placing its command-and-control infrastructure entirely beyond the reach of conventional takedown efforts.
A Botnet Built on the Blockchain
First advertised in March 2026 on a Russian-language cybercrime forum, the botnet is sold as a ready-to-use loader priced at $600 with an additional $50 fee charged per build. The threat actor behind it operates under the handle TheVoidStl, with an operator alias of nikoniko. Researchers at Qrator Labs identified the malware and published their findings on May 18, 2026.
What makes Void particularly alarming is the timing of its appearance. It arrived only one month after a similar blockchain-based C2 tool called Aeternum was exposed — demonstrating that this approach to resilient C2 infrastructure is no longer a one-off experiment, but a growing trend among financially motivated threat actors.
How the Blockchain C2 Works
Void Botnet is written in Rust, making it a lightweight native binary of just 1.5 MB. The loader runs on both 32-bit and 64-bit Windows systems and features a dual-mode command-and-control system packed into a single binary.
- Decentralized mode: The operator writes instructions directly to an Ethereum smart contract. Infected machines check that contract at regular intervals, picking up new tasks within three to five minutes. There is no server to seize, no domain to block, and no registrar to contact because the commands live on a public blockchain no single authority can reach.
- Direct mode: Machines connect directly to the operator’s web panel, where tasks complete in under thirty seconds.
The operator can switch between modes at any time simply by updating the smart contract, giving them flexibility to choose speed when conditions allow and fall back to the blockchain channel when protection from takedown attempts is needed.
Capabilities: Fourteen Payload Types
The operator panel provides a detailed view of every infected machine, including its location, operating system, active antivirus software, and whether the user has administrator privileges. Tasks can be pushed to individual machines or the entire botnet fleet at once, with optional filtering by country to support targeted regional campaigns.
The panel supports fourteen distinct task types, including:
- Payload delivery as executables, DLLs, MSI packages, or PowerShell scripts
- In-memory execution to load binaries directly into process memory without touching disk, bypassing file-based scanning defenses
- Reverse shell and PowerShell tasks for live interactive sessions on compromised machines
- DDoS campaign coordination and proxy-as-a-service operations
- Credential theft targeting stored passwords and browser data
- SelfDelete and SelfUpdate commands to clean up or refresh the agent on demand
- Persistence via scheduled tasks (introduced in the v1.1 update)
A Growing Malware Portfolio
Related tools tied to the same developer include TheVoidStealer, WallStealer, and Void Miner, suggesting an active and steadily expanding malware portfolio. The commercial pricing model — charging customers per-build fees — lowers the barrier to entry for less sophisticated threat actors by providing ready-to-use botnet infrastructure on demand.
Why Blockchain C2 Is a Game-Changer for Defenders
Traditional botnet takedown methods rely on seizing servers, suspending domains, or working with registrars to block DNS resolution. None of these approaches work against a smart contract written to the Ethereum blockchain. Because the Ethereum network is decentralized and permissionless, no law enforcement agency or hosting provider can remove or modify the contract.
This fundamentally changes the economics of botnet disruption. Organizations must increasingly rely on endpoint-level defenses rather than network-level infrastructure takedowns. Security teams are advised to:
- Block or monitor traffic to known Ethereum RPC endpoints and blockchain API services from enterprise networks
- Implement behavioral detection for scheduled task creation and in-memory payload execution patterns
- Deploy anti-bot protection and DDoS mitigation at the network perimeter
- Monitor for the mutex associated with this malware family and related indicators of compromise
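The first two recommendations above, together with the polling behaviour described under "How the Blockchain C2 Works" (bots reading the contract every three to five minutes), can be turned into a simple detection over web proxy logs. The following Python script is an added example written for this page, not code from the article or from Qrator Labs. It assumes a simplified one-request-per-line proxy log format, uses placeholder RPC provider hostnames and a placeholder contract address (constructed, not real indicators), and flags any workstation that both talks to an Ethereum JSON-RPC endpoint and reads the same contract on a beacon-like cadence.

```python
"""Spot beacon-like polling of Ethereum JSON-RPC endpoints in proxy logs.

Added example, not from the article. The log format, the RPC hostnames
and the contract address below are constructed placeholders.
"""
import json
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Hostnames of Ethereum RPC providers that workstations should not normally
# contact. Placeholder names: a real deployment loads its own list.
RPC_HOSTS = {"rpc.example-eth-provider.invalid", "mainnet.example-rpc.invalid"}

# JSON-RPC read methods a bot could use to fetch tasks from a contract.
READ_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}

# Polling window reported for Void (3-5 minutes), with some tolerance.
MIN_INTERVAL_S, MAX_INTERVAL_S = 150, 330

# Assumed log format: "<iso-timestamp> <client-ip> <verb> <host> <body-or-dash>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")

# Constructed sample: one host polling a contract every ~4 min, one developer
# workstation making a single block-number query, one unrelated request.
SAMPLE_LOG = """\
2026-05-18T10:00:00Z 10.0.0.5 POST rpc.example-eth-provider.invalid {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xPLACEHOLDER_CONTRACT","data":"0x"},"latest"],"id":1}
2026-05-18T10:01:12Z 10.0.0.9 POST mainnet.example-rpc.invalid {"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":7}
2026-05-18T10:02:30Z 10.0.0.7 GET www.example.com -
2026-05-18T10:04:00Z 10.0.0.5 POST rpc.example-eth-provider.invalid {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xPLACEHOLDER_CONTRACT","data":"0x"},"latest"],"id":2}
2026-05-18T10:08:10Z 10.0.0.5 POST rpc.example-eth-provider.invalid {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xPLACEHOLDER_CONTRACT","data":"0x"},"latest"],"id":3}
2026-05-18T10:12:05Z 10.0.0.5 POST rpc.example-eth-provider.invalid {"jsonrpc":"2.0","method":"eth_call","params":[{"to":"0xPLACEHOLDER_CONTRACT","data":"0x"},"latest"],"id":4}
"""


def parse_line(line):
    """Parse one log line into a record; pull method and target contract from JSON-RPC bodies."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, verb, host, body = m.groups()
    rec = {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client, "verb": verb, "host": host,
        "method": None, "contract": None,
    }
    if body.startswith("{"):
        try:
            payload = json.loads(body)
        except json.JSONDecodeError:
            return rec
        rec["method"] = payload.get("method")
        params = payload.get("params") or []
        if params and isinstance(params[0], dict):      # eth_call / eth_getLogs style
            rec["contract"] = params[0].get("to") or params[0].get("address")
        elif params and isinstance(params[0], str):     # eth_getStorageAt(addr, slot, block)
            rec["contract"] = params[0]
    return rec


def rpc_contacts(records):
    """Every request to a known RPC host: the 'block or monitor' part of the advice."""
    return [r for r in records if r["host"] in RPC_HOSTS]


def find_polling(records):
    """Clients reading the same contract at a regular interval inside the polling window."""
    series = defaultdict(list)
    for r in rpc_contacts(records):
        if r["method"] in READ_METHODS and r["contract"]:
            series[(r["client"], r["contract"])].append(r["ts"])
    findings = []
    for (client, contract), stamps in series.items():
        stamps.sort()
        if len(stamps) < 3:          # need at least two gaps to call it a cadence
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        if MIN_INTERVAL_S <= med <= MAX_INTERVAL_S:
            findings.append({"client": client, "contract": contract,
                             "requests": len(stamps), "median_interval_s": med})
    return findings


def analyze(log_text):
    """Run both checks over raw log text."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {"rpc_contacts": len(rpc_contacts(records)), "polling": find_polling(records)}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

On the constructed sample the script reports five RPC contacts in total and one polling finding: client 10.0.0.5 reading the placeholder contract four times at a median interval of 240 seconds. The developer workstation that queried a block number once is surfaced as an RPC contact but not as a poller, which is the distinction a triage analyst wants; the interval window and hostname list are the knobs to tune per environment.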
The Void Botnet represents a meaningful evolution in attacker resilience. As defenders become more skilled at infrastructure takedowns, threat actors are building C2 channels that are, by design, immune to those techniques. Cybersecurity teams should treat blockchain-based C2 as a serious and growing operational threat in 2026 and beyond.