Void Botnet Uses Ethereum Smart Contracts for Seizure-
What makes Void Botnet particularly alarming is not just the technology it uses, but the timing of its appearance on criminal markets.
It arrived only one month after a similar tool called Aeternum C2 was exposed, showing that blockchain-based command-and-control infrastructure is no longer a one-off experiment from a single threat actor.
Two independently developed botnets using two different blockchains surfaced within weeks of each other, pointing to a wider shift in how cybercriminals are thinking about resilience and long-term survivability. Researchers at Qrator Labs identified the Void Botnet and published their findings on May 18, 2026.
According to a Qrator Labs report shared with Cyber Security News (CSN), the malware was developed by a threat actor operating under the handle TheVoidStl, with an operator alias of nikoniko.
Related tools tied to the same developer include TheVoidStealer, WallStealer, and Void Miner, suggesting an active and steadily expanding malware portfolio.
Void Botnet Uses Ethereum Smart Contracts
Void Botnet is written in Rust, making it a lightweight native binary with a file size of just 1.5 MB. The loader runs on both 32-bit and 64-bit Windows systems and supports a wide range of post-compromise tasks that give an attacker substantial control over any machine it infects.
Its design reflects careful planning, with a strong emphasis on staying hidden and staying connected even when network conditions or defensive tools work against it.
The threats this botnet enables span a wide range, including DDoS campaigns, credential theft, and proxy-as-a-service operations.
Since the command-and-control channel lives on a public blockchain, defenders cannot simply seize a server or suspend a domain to cut off access.
That makes proactive security measures, including anti-bot protection and DDoS mitigation, more critical than ever for organizations now facing this growing class of threat.
At the heart of Void Botnet is a dual-mode command-and-control system packed into a single binary. In decentralized mode, the operator writes instructions to an Ethereum smart contract, and infected machines check that contract at regular intervals, picking up new tasks within three to five minutes.
There is no server to seize, no domain to block, and no registrar to contact because the commands live on a public blockchain no single authority can reach.
The second mode connects machines directly to the operator’s web panel, where tasks complete in under thirty seconds.

The operator can switch between modes at any time by updating the contract. This design gives the attacker flexibility to choose speed when conditions allow and fall back to the resilient blockchain channel when protection from takedown attempts is needed.
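For defenders, the fixed-interval contract polling described above is a behaviour that can be hunted for in egress telemetry. The following is an added example, not code from Qrator Labs or from the malware: it assumes a TLS-inspecting proxy that logs Ethereum JSON-RPC request bodies, assumes contract reads appear as `eth_call` requests, and uses constructed log lines, hypothetical host and process names, and placeholder contract addresses. The 300-second ceiling is an assumption derived from the three-to-five-minute task pickup time.

```python
import json
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

CONTRACT = "0x" + "ab" * 20  # placeholder address, not from the report
OTHER = "0x" + "cd" * 20     # placeholder for unrelated wallet traffic

def _rec(ts, host, proc, method, to=None):
    """Build one constructed proxy-log line: time, host, process, JSON-RPC body."""
    params = [{"to": to, "data": "0x"}, "latest"] if to else []
    body = json.dumps({"jsonrpc": "2.0", "id": 1, "method": method, "params": params})
    return f"2026-01-01T09:{ts}\t{host}\t{proc}\t{body}"

# Constructed sample telemetry (hypothetical hosts and process names).
SAMPLE_LOG = (
    [_rec(t, "WS-042", "svchelper.exe", "eth_call", CONTRACT)
     for t in ("00:00", "03:02", "06:01", "09:04", "12:03", "15:05")]
    + [_rec(t, "DEV-007", "chrome.exe", "eth_call", OTHER)
       for t in ("01:00", "02:00", "20:00", "21:00", "50:00")]
    + [_rec("05:00", "WS-042", "svchelper.exe", "eth_blockNumber")]
)

def find_contract_beacons(lines, min_polls=5, max_interval=300, max_jitter=0.2):
    """Flag (host, process, contract) groups that read one contract on a steady timer."""
    seen = defaultdict(list)
    for line in lines:
        ts, host, proc, body = line.split("\t", 3)
        try:
            req = json.loads(body)
        except ValueError:
            continue  # body is not JSON, so not a JSON-RPC request
        p = req.get("params") if isinstance(req, dict) else None
        call = p[0] if isinstance(p, list) and p else None
        if not isinstance(call, dict) or req.get("method") != "eth_call":
            continue  # only single contract reads are of interest here
        key = (host, proc, str(call.get("to", "")).lower())
        seen[key].append(datetime.fromisoformat(ts))
    hits = []
    for (host, proc, to), times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) < min_polls or not 0 < mean(gaps) <= max_interval:
            continue  # too few reads, or slower than the assumed pickup window
        if pstdev(gaps) / mean(gaps) <= max_jitter:  # low jitter = timer-driven
            hits.append({"host": host, "process": proc, "contract": to,
                         "polls": len(times), "period_s": round(mean(gaps))})
    return hits
```

A hit is a lead for triage rather than a verdict: legitimate wallets and monitoring tools also read contracts, so the process name and host role decide what happens next.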
Inside the Operator Panel and Task Capabilities
The operator panel gives a buyer a detailed view of every infected machine, including its location, operating system, active antivirus software, and whether the user has administrator privileges.
Tasks can be pushed to individual machines or the entire fleet at once, with optional filtering by country to support targeted regional campaigns.

The panel supports fourteen task types. Payloads can be delivered as executables, DLLs, MSI packages, or PowerShell scripts.
A dedicated in-memory execution mode loads binaries directly into process memory without touching the disk, bypassing defenses that rely on file-based scanning.
Reverse shell and PowerShell tasks open live interactive sessions on compromised machines, while SelfDelete and SelfUpdate let the operator clean up or refresh the agent on demand. Persistence is established through a scheduled task that was introduced in the v1.1 update.
Operational Indicators of Compromise (IoCs)
| Type | Indicator | Description |
|---|---|---|
| Threat Actor Handle | TheVoidStl | Developer/seller of Void Botnet |
| Operator Alias | nikoniko | Operator alias associated with the Void Botnet campaign |
| Related Malware | TheVoidStealer | Related tool from the same developer |
| Related Malware | WallStealer | Related tool from the same developer |
| Related Malware | Void Miner | Related tool from the same developer |
| Build Language | Rust / .NET Framework 4.8 (v1.1) | Native implementation language of the loader |
| C2 Mechanism | Ethereum Smart Contracts | Blockchain-based decentralized C2 channel |
| First Observed | March 2026 | Date the listing first appeared on a Russian-language cybercrime forum |
| Pricing | $600 + $50/build | Malware-as-a-service pricing model |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


