Void Botnet Uses Ethereum Smart Contracts for Seizure-Resistant C2 Infrastructure

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A new botnet called Void has emerged on the cybercrime underground, bringing a troubling twist to how attackers manage their operations remotely.

Instead of relying on traditional servers that authorities can seize or shut down, Void Botnet routes its commands through Ethereum smart contracts, placing its command channel beyond the reach of conventional takedown measures such as server seizure and domain suspension.

First advertised in March 2026 on a Russian-language cybercrime forum, the botnet is sold as a ready-to-use loader priced at $600 with an additional $50 fee charged per build.

What makes Void Botnet particularly alarming is not just the technology it uses, but the timing of its appearance on criminal markets.

It arrived only one month after a similar tool called Aeternum C2 was exposed, showing that blockchain-based command-and-control infrastructure is no longer a one-off experiment from a single threat actor.

Two independently developed botnets using two different blockchains surfaced within weeks of each other, pointing to a wider shift in how cybercriminals are thinking about resilience and long-term survivability.

According to a Qrator Labs report shared with Cyber Security News (CSN), the malware was developed by a threat actor operating under the handle TheVoidStl, with an operator alias of nikoniko.

Related tools tied to the same developer include TheVoidStealer, WallStealer, and Void Miner, suggesting an active and steadily expanding malware portfolio.

Void Botnet Uses Ethereum Smart Contracts

Void Botnet is written in Rust, producing a lightweight native binary of about 1.5 MB. The loader runs on both 32-bit and 64-bit Windows systems and supports a wide range of post-compromise tasks that give an attacker substantial control over any machine it infects.

Its design reflects careful planning, with a strong emphasis on staying hidden and staying connected even when network conditions or defensive tools work against it.

The threats this botnet enables span a wide range, including DDoS campaigns, credential theft, and proxy-as-a-service operations.

Since the command-and-control channel lives on a public blockchain, defenders cannot simply seize a server or suspend a domain to cut off access. The contract is public, however, so anyone can read the same instructions the bots read, and every bot still has to reach an Ethereum node over JSON-RPC to poll it, which leaves the egress traffic itself as a point of detection.

That makes proactive security measures, including anti-bot protection and DDoS mitigation, more critical than ever for organizations now facing this growing class of threat.

At the heart of Void Botnet is a dual-mode command-and-control system packed into a single binary. In decentralized mode, the operator writes instructions to an Ethereum smart contract, and infected machines check that contract at regular intervals, picking up new tasks within three to five minutes.

There is no server to seize, no domain to block, and no registrar to contact because the commands live on a public blockchain no single authority can reach.

The second mode connects machines directly to the operator’s web panel, where tasks complete in under thirty seconds.

The Void Botnet listing as advertised on a Russian-language cybercrime forum (Source – Qrator Labs)

The operator can switch between modes at any time by updating the contract. This design gives the attacker flexibility to choose speed when conditions allow and fall back to the resilient blockchain channel when protection from takedown attempts is needed.
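The polling behaviour described above is itself observable from the network side. The following is an added example, not code from the Qrator Labs report or from the malware: a small beaconing detector that reads egress-proxy log lines, keeps only read-only Ethereum JSON-RPC calls (eth_call, eth_getLogs, eth_getStorageAt), groups them by source host and target contract address, and flags any series whose cadence sits in the three-to-five-minute window with low jitter. It assumes the bot reaches a public or private Ethereum node over HTTPS JSON-RPC (the report does not name the endpoint, so rpc.node.example is a placeholder), and the log format, contract address and calldata in SAMPLE_LOG are all constructed for the example.

```python
"""Flag hosts that poll one Ethereum contract on a fixed 3-5 minute cadence.

Added example for the article above; the log format, hostnames, contract
address and calldata are constructed, not taken from the Qrator report.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# JSON-RPC methods a client uses to read contract state or contract events.
ETH_READ_METHODS = {"eth_call", "eth_getLogs", "eth_getStorageAt"}

# Polling window reported for Void's decentralised mode: three to five minutes.
MIN_PERIOD_S = 180
MAX_PERIOD_S = 300
MAX_CV = 0.25        # coefficient of variation; low jitter = machine cadence
MIN_INTERVALS = 3    # require several gaps before calling it a beacon

# Constructed sample egress-proxy lines (assumed format, not from the report):
# <ISO-8601 UTC timestamp> <source host> <destination host> <JSON-RPC body>
SAMPLE_LOG = """\
2026-03-14T09:00:01Z ws-042 rpc.node.example {"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":"0xcafe000000000000000000000000000000000042","data":"0x7b1a4909"},"latest"]}
2026-03-14T09:04:03Z ws-042 rpc.node.example {"jsonrpc":"2.0","id":2,"method":"eth_call","params":[{"to":"0xcafe000000000000000000000000000000000042","data":"0x7b1a4909"},"latest"]}
2026-03-14T09:07:59Z ws-042 rpc.node.example {"jsonrpc":"2.0","id":3,"method":"eth_call","params":[{"to":"0xcafe000000000000000000000000000000000042","data":"0x7b1a4909"},"latest"]}
2026-03-14T09:12:02Z ws-042 rpc.node.example {"jsonrpc":"2.0","id":4,"method":"eth_call","params":[{"to":"0xcafe000000000000000000000000000000000042","data":"0x7b1a4909"},"latest"]}
2026-03-14T09:16:00Z ws-042 rpc.node.example {"jsonrpc":"2.0","id":5,"method":"eth_call","params":[{"to":"0xcafe000000000000000000000000000000000042","data":"0x7b1a4909"},"latest"]}
2026-03-14T09:01:10Z dev-07 rpc.node.example {"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}
2026-03-14T09:02:40Z dev-07 rpc.node.example {"jsonrpc":"2.0","id":2,"method":"eth_call","params":[{"to":"0x1111111111111111111111111111111111111111","data":"0x06fdde03"},"latest"]}
2026-03-14T09:31:05Z dev-07 rpc.node.example {"jsonrpc":"2.0","id":3,"method":"eth_call","params":[{"to":"0x1111111111111111111111111111111111111111","data":"0x06fdde03"},"latest"]}
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\{.*\})$")


def _target(method, params):
    """Return the lower-cased contract address a read-only call is aimed at."""
    if not params:
        return None
    first = params[0]
    if method == "eth_getStorageAt":          # params: [address, slot, block]
        return first.lower() if isinstance(first, str) else None
    if isinstance(first, dict):               # eth_call {"to":..}, eth_getLogs {"address":..}
        addr = first.get("to") or first.get("address")
        if isinstance(addr, list):            # eth_getLogs may filter on several
            addr = ",".join(addr)
        return addr.lower() if isinstance(addr, str) else None
    return None


def parse_line(line):
    """Parse one log line; return (host, endpoint, contract, datetime) or None."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    ts, host, dst, body = match.groups()
    try:
        rpc = json.loads(body)
    except json.JSONDecodeError:
        return None
    method = rpc.get("method")
    if method not in ETH_READ_METHODS:
        return None
    target = _target(method, rpc.get("params", []))
    if target is None:
        return None
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return host, dst, target, when


def find_beacons(lines):
    """Group reads per (host, endpoint, contract) and flag regular 3-5 min polling."""
    series = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            host, dst, target, when = parsed
            series[(host, dst, target)].append(when)

    findings = []
    for (host, dst, target), times in series.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(gaps) < MIN_INTERVALS:
            continue
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else float("inf")
        if MIN_PERIOD_S <= period <= MAX_PERIOD_S and cv <= MAX_CV:
            findings.append({
                "host": host,
                "rpc_endpoint": dst,
                "contract": target,
                "polls": len(times),
                "mean_period_s": round(period, 1),
                "cv": round(cv, 3),
            })
    return sorted(findings, key=lambda f: (f["host"], f["contract"]))


if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG.splitlines()):
        print(finding)
```

The host that polls the same contract every four minutes is reported; the developer workstation that issues two unrelated reads half an hour apart is not. In production the period window and jitter threshold are the knobs to tune, and the contract address in each finding is the value worth sharing as an indicator once confirmed.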

Inside the Operator Panel and Task Capabilities

The operator panel gives a buyer a detailed view of every infected machine, including its location, operating system, active antivirus software, and whether the user has administrator privileges.

Tasks can be pushed to individual machines or the entire fleet at once, with optional filtering by country to support targeted regional campaigns.

Task type dropdown showing all fourteen available task types (Source – Qrator Labs)

The panel supports fourteen task types. Payloads can be delivered as executables, DLLs, MSI packages, or PowerShell scripts.

A dedicated in-memory execution mode loads binaries directly into process memory without touching the disk, bypassing defenses that rely on file-based scanning.

Reverse shell and PowerShell tasks open live interactive sessions on compromised machines, while SelfDelete and SelfUpdate let the operator clean up or refresh the agent on demand. Persistence is established through a scheduled task that was introduced in the v1.1 update.

Operational Indicators of Compromise (IoCs):

Type                  Indicator                              Description
Threat Actor Handle   TheVoidStl                             Developer/seller of Void Botnet
Operator Alias        nikoniko                               Operator alias associated with the Void Botnet campaign
Related Malware       TheVoidStealer                         Related tool from the same developer
Related Malware       WallStealer                            Related tool from the same developer
Related Malware       Void Miner                             Related tool from the same developer
Build Language        Rust / .NET Framework 4.8 (v1.1)       Implementation language reported for the loader (Rust; .NET Framework 4.8 listed for v1.1)
C2 Mechanism          Ethereum Smart Contracts               Blockchain-based decentralized C2 channel
First Observed        March 2026                             Date the listing first appeared on a Russian-language cybercrime forum
Pricing               $600 + $50/build                       Malware-as-a-service pricing model

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
