Group-IB researchers reported on Thursday that a new ransomware strain called DeadLock uses Polygon smart contracts to distribute and rotate proxy server addresses, helping operators evade detection and takedowns, and was first identified in July 2025 (see stated). The technique lets the malware fetch changing endpoints from the blockchain, complicating traditional blocking and monitoring.
The campaign has remained low profile, with few victims, no public affiliate program, and no data‑leak site. Earlier infections relied on allegedly compromised servers, but researchers now believe the operators run their own infrastructure.
The method echoes a prior campaign that used the Ethereum chain to hide payloads, which was publicly described by the Google Threat Intelligence Group (see disclosed). “Although it’s low profile and yet low impact, it applies innovative methods that showcases an evolving skillset which might become dangerous if organizations do not take this emerging threat seriously,” researchers warned (Ed. note: defenders should monitor blockchain-based command channels).
Technically, researchers found JavaScript in a dropped HTML file that queries a smart contract on the Polygon network for RPC endpoints. “Group-IB researchers uncovered JS code within the HTML file that interacts with a smart contract over the Polygon network,” the report added (tweet).
The malware renames encrypted files with a “.dlock” extension and replaces desktop backgrounds with ransom notes. Newer variants also claim data theft and include an HTML wrapper around the encrypted messaging app Session to facilitate victim‑operator communication, researchers said.
