DeadLock, a ransomware group that first emerged in July 2025, has made news once more, this time for abusing Polygon blockchain smart contracts to host and rotate proxy server addresses, according to analysis published by cybersecurity firm Group-IB.
The operation stores the group's proxy server URL in a blockchain smart contract, allowing frequent rotation that makes it difficult for defenders to block the infrastructure outright.
After encrypting a victim's systems, DeadLock drops an HTML file that acts as a wrapper for the decentralized messaging platform Session.
How does the DeadLock ransomware work on Polygon?
Embedded JavaScript in the file queries a specific Polygon smart contract to obtain the current proxy URL, which then relays encrypted messages between the victim and the attacker's Session ID.
These read-only blockchain calls generate no transactions or fees, so the attackers maintain the lookup at no cost. The flip side for defenders is that the same read-only call is open to anyone: because the URL lives in public chain state, a defender can poll the contract and see each new proxy address as soon as it is published.
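The following is an added example, not code from DeadLock or from Group-IB's analysis. It models the two halves of the mechanism described above: the read-only `eth_call` request a ransom-note wrapper would send to resolve its proxy URL, and the ABI decoding a defender needs to read the same contract and notice a rotation. Every identifier is assumed for illustration: the contract address is a placeholder, `getProxyUrl()` is a hypothetical view function, and `SELECTOR` is a made-up 4-byte value standing in for a real function selector (keccak256 of the signature, omitted here to keep the block dependency-free). The sample response is constructed with the block's own encoder rather than captured from a real node.

```javascript
// Added example, not DeadLock's code: a minimal model of the read-only lookup the
// ransom note performs, plus the decoder a defender needs to read the same
// contract. Everything named here is assumed for illustration: the contract
// address is a placeholder, getProxyUrl() is a hypothetical view function, and
// SELECTOR is a made-up 4-byte value standing in for the real function selector.

const POLYGON_RPC = "https://polygon-rpc.com"; // any Polygon JSON-RPC endpoint (assumed)
const CONTRACT = "0x" + "ab".repeat(20);       // placeholder contract address (constructed)
const SELECTOR = "0x12345678";                 // assumed selector for getProxyUrl()

// eth_call is a local read against chain state: no transaction, no gas, no fee,
// and nothing on-chain records that the lookup happened.
function buildEthCall(contract, selector, id = 1) {
  return {
    jsonrpc: "2.0",
    id,
    method: "eth_call",
    params: [{ to: contract, data: selector }, "latest"],
  };
}

const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
const fromHex = (hex) => Uint8Array.from(hex.match(/.{2}/g) ?? [], (x) => parseInt(x, 16));
const word = (n) => n.toString(16).padStart(64, "0"); // one 32-byte ABI word

// ABI encoding of a single `string` return value: offset word (0x20), length
// word, then the UTF-8 bytes right-padded to a 32-byte boundary. Used here only
// to construct a sample response; a real node produces the same layout.
function abiEncodeString(s) {
  const bytes = new TextEncoder().encode(s);
  const padded = toHex(bytes).padEnd(Math.ceil(bytes.length / 32) * 64, "0");
  return "0x" + word(0x20) + word(bytes.length) + padded;
}

// Decode the `result` field of an eth_call response that returns one string.
// Bounds are checked so a truncated or hostile payload throws instead of
// yielding garbage.
function abiDecodeString(hex) {
  const h = hex.startsWith("0x") ? hex.slice(2) : hex;
  if (h.length < 128 || h.length % 64 !== 0) throw new Error("malformed ABI payload");
  const offset = parseInt(h.slice(0, 64), 16);
  const lenPos = offset * 2;
  const len = parseInt(h.slice(lenPos, lenPos + 64), 16);
  const dataPos = lenPos + 64;
  if (Number.isNaN(len) || dataPos + len * 2 > h.length) throw new Error("length exceeds payload");
  return new TextDecoder().decode(fromHex(h.slice(dataPos, dataPos + len * 2)));
}

// The wrapper should only ever receive an https URL; anything else (for example
// a javascript: or data: scheme pushed by whoever controls the contract) is rejected.
function parseProxyUrl(result) {
  const url = new URL(abiDecodeString(result));
  if (url.protocol !== "https:") throw new Error(`unexpected scheme ${url.protocol}`);
  return url.href;
}

// Constructed sample response standing in for what a Polygon node would return.
const SAMPLE_RESULT = abiEncodeString("https://relay.example.invalid/session");

// Defender-side use: poll the contract and report when the stored URL changes.
// Returns the new URL, or null when it is unchanged since the last poll.
function detectRotation(previousUrl, latestResult) {
  const current = parseProxyUrl(latestResult);
  return current === previousUrl ? null : current;
}

// Live lookup (not executed in this example): the same call the ransom note makes.
async function fetchCurrentProxy(rpc = POLYGON_RPC, contract = CONTRACT) {
  const res = await fetch(rpc, {
    method: "POST",
    headers: { "content-type": "application/json" },
    body: JSON.stringify(buildEthCall(contract, SELECTOR)),
  });
  const { result, error } = await res.json();
  if (error) throw new Error(`RPC error: ${error.message}`);
  return parseProxyUrl(result);
}

console.log(parseProxyUrl(SAMPLE_RESULT)); // https://relay.example.invalid/session
```

Because the lookup is a plain `eth_call` against a public EVM chain, a monitoring job that runs `fetchCurrentProxy` on a schedule and feeds the result to `detectRotation` sees every new proxy address the moment the contract is updated, which is the property that makes blocklisting the current address alone insufficient.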
Group-IB researchers noted that using smart contracts to deliver proxy addresses is an interesting technique, and that attackers can apply endless variants of it, with imagination being the only limit.
The technique is not well documented and is under-reported, but its use is steadily gaining traction in the wild, according to security researchers.
Investigation by Cisco Talos found that DeadLock gains initial access by exploiting CVE-2024-51324, a Baidu Antivirus vulnerability, using a technique known as "bring your own vulnerable driver" (BYOVD) to terminate endpoint detection and response processes.
DeadLock comes up with new extortion tactics
DeadLock differs from most ransomware operations in that it abandons the usual double-extortion model and does not run a data leak site where it can publicize attacks.
Instead, the group threatens to sell stolen data on underground markets, while offering victims security reports and a promise not to re-target them if the ransom is paid.
Group-IB's infrastructure monitoring has not linked DeadLock to any known ransomware affiliate programs; in fact, the group keeps a relatively low profile. However, the researchers found copies of the smart contract that were first created and updated in August 2025 and updated again in November 2025.
Group-IB stated that it successfully "tracked its infrastructure through blockchain transactions, revealing funding patterns and active servers."
Nation-state actors adopt similar techniques
Google Threat Intelligence Group has observed North Korean threat actor UNC5342 using a related technique called EtherHiding to deliver malware and facilitate cryptocurrency theft since February 2025.
According to Google, "EtherHiding involves embedding malicious code, often in the form of JavaScript payloads, within a smart contract on a public blockchain like BNB Smart Chain or Ethereum."
Polygon is a layer-2 blockchain built on Ethereum's layer-1 infrastructure; because it is EVM-compatible and speaks the same JSON-RPC interface, the read-only contract lookups used by DeadLock work there exactly as they do on Ethereum.
While DeadLock remains low-volume and low-impact, security researchers warn that it applies innovative methods and shows a skill set that could become dangerous if organizations do not take the threat seriously.
Besides urging businesses to be proactive in detecting malware, Group-IB recommended adding further layers of protection, such as multifactor authentication and credential-based solutions.
The firm also said businesses should keep data backups, train their staff, patch vulnerabilities and, most importantly, "never pay the ransom," but instead contact incident response experts as quickly as possible if they are attacked.