CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 21, 2026

Void Botnet Uses Ethereum Smart Contracts for Seizure-Resistant C2 Infrastructure

Cybersecurity News Archived May 21, 2026 ✓ Full text saved

A new botnet called Void has emerged on the cybercrime underground, bringing a troubling twist to how attackers manage their operations remotely. Instead of relying on traditional servers that authorities can seize or shut down, Void Botnet routes its commands through Ethereum smart contracts, placing its infrastructure entirely beyond the reach of conventional takedown efforts. […] The post Void Botnet Uses Ethereum Smart Contracts for Seizure-Resistant C2 Infrastructure appeared first on Cyber

Full text archived locally
✦ AI Summary · Claude Sonnet


    Discover more Cyberattack incident response Data breach prevention computer HomeCyber Security News Void Botnet Uses Ethereum Smart Contracts for Seizure-Resistant C2 Infrastructure By Tushar Subhra Dutta May 20, 2026 A new botnet called Void has emerged on the cybercrime underground, bringing a troubling twist to how attackers manage their operations remotely. Instead of relying on traditional servers that authorities can seize or shut down, Void Botnet routes its commands through Ethereum smart contracts, placing its infrastructure entirely beyond the reach of conventional takedown efforts. First advertised in March 2026 on a Russian-language cybercrime forum, the botnet is sold as a ready-to-use loader priced at $600 with an additional $50 fee charged per build. What makes Void Botnet particularly alarming is not just the technology it uses, but the timing of its appearance on criminal markets. It arrived only one month after a similar tool called Aeternum C2 was exposed, showing that blockchain-based command-and-control infrastructure is no longer a one-off experiment from a single threat actor. Two independently developed botnets using two different blockchains surfaced within weeks of each other, pointing to a wider shift in how cybercriminals are thinking about resilience and long-term survivability. Researchers at Qrator Labs identified the Void Botnet and published their findings on May 18, 2026. According to Qrator Labs, said in a report shared with Cyber Security News (CSN), the malware was developed by a threat actor operating under the handle TheVoidStl, with an operator alias of nikoniko. Related tools tied to the same developer include TheVoidStealer, WallStealer, and Void Miner, suggesting an active and steadily expanding malware portfolio. Void Botnet Uses Ethereum Smart Contracts Void Botnet is written in Rust, making it a lightweight native binary with a file size of just 1.5 MB. The loader runs on both 32-bit and 64-bit Windows systems and supports a wide range of post-compromise tasks that give an attacker substantial control over any machine it infects. Its design reflects careful planning, with a strong emphasis on staying hidden and staying connected even when network conditions or defensive tools work against it. The threats this botnet enables span a wide range, including DDoS campaigns, credential theft, and proxy-as-a-service operations. Since the command-and-control channel lives on a public blockchain, defenders cannot simply seize a server or suspend a domain to cut off access. That makes proactive security measures, including anti-bot protection and DDoS mitigation, more critical than ever for organizations now facing this growing class of threat. At the heart of Void Botnet is a dual-mode command-and-control system packed into a single binary. In decentralized mode, the operator writes instructions to an Ethereum smart contract, and infected machines check that contract at regular intervals, picking up new tasks within three to five minutes. There is no server to seize, no domain to block, and no registrar to contact because the commands live on a public blockchain no single authority can reach. The second mode connects machines directly to the operator’s web panel, where tasks complete in under thirty seconds. The Void Botnet listing as advertised on a Russian-language cybercrime forum (Source – Qrator Labs) The operator can switch between modes at any time by updating the contract. This design gives the attacker flexibility to choose speed when conditions allow and fall back to the resilient blockchain channel when protection from takedown attempts is needed. Inside the Operator Panel and Task Capabilities The operator panel gives a buyer a detailed view of every infected machine, including its location, operating system, active antivirus software, and whether the user has administrator privileges. Tasks can be pushed to individual machines or the entire fleet at once, with optional filtering by country to support targeted regional campaigns. Task type dropdown showing all fourteen available task types (Source – Qrator Labs) The panel supports fourteen task types. Payloads can be delivered as executables, DLLs, MSI packages, or PowerShell scripts. A dedicated in-memory execution mode loads binaries directly into process memory without touching the disk, bypassing defenses that rely on file-based scanning. Reverse shell and PowerShell tasks open live interactive sessions on compromised machines, while SelfDelete and SelfUpdate let the operator clean up or refresh the agent on demand. Persistence is established through a scheduled task that was introduced in the v1.1 update. Operational Indicators of Compromise (IoCs):- Type Indicator Description Threat Actor Handle TheVoidStl Developer/seller of Void Botnet Operator Alias nikoniko Operator alias associated with the Void Botnet campaign Related Malware TheVoidStealer Related tool from the same developer Related Malware WallStealer Related tool from the same developer Related Malware Void Miner Related tool from the same developer Build Language Rust / .NET Framework 4.8 (v1.1) Native implementation language of the loader C2 Mechanism Ethereum Smart Contracts Blockchain-based decentralized C2 channel First Observed March 2026 Date the listing first appeared on a Russian-language cybercrime forum Pricing $600 + $50/build Malware-as-a-service pricing model Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Sandworm Hackers Pivot From Compromised IT Systems Toward Critical OT Assets Malware Campaign Uses JavaScript, PowerShell, and Shellcode to Deliver Crypto Clipper FreePBX Vulnerability Allow Attackers to Gain Access to User Portals Chinese APT Hackers Exploit Microsoft Exchange to Breach Energy Sector Network Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks Latest News Cyber Security News DevilNFC Android Malware Uses Kiosk Mode to Trap Victims During NFC Relay Attacks Cyber Security News PinTheft Linux Vulnerability Let Attackers Gain Root Access – PoC Released ANY.RUN How to Close the Most Expensive Gap in Your SOC  Cyber Security News Grafana GitHub Breach Linked to TanStack npm Supply Chain Ransomware Cyber Security News Pardus Linux Local Privilege Escalation Flaw Allows Silent Root Access
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 21, 2026
    Archived
    May 21, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗