DeadLock Ransomware Using Polygon Smart Contracts to Evade Detection

A newly discovered strain of ransomware is using Polygon smart contracts for proxy server address rotation and distribution to infiltrate devices, cybersecurity firm Group‑IB warned on Thursday.

The malware, dubbed DeadLock, was first identified in July 2025 and has so far attracted little attention because it lacks a public affiliate program and a data‑leak site and has infected only a limited number of victims, according to the company.

“Although it’s low profile and yet low impact, it applies innovative methods that showcases an evolving skillset which might become dangerous if organizations do not take this emerging threat seriously,” Group-IB said in a blog.

DeadLock’s use of smart contracts to deliver proxy addresses is “an interesting method where attackers can literally apply infinite variants of this technique; imagination is the limit,” the firm noted. Group-IB pointed to a recent report by the Google Threat Intelligence Group highlighting the use of a similar technique called “EtherHiding” employed by North Korean hackers.

What is EtherHiding?

EtherHiding is a campaign disclosed last year in which DPRK hackers used the Ethereum blockchain to conceal and deliver malicious software. Victims are typically lured through compromised websites—often WordPress pages—that load a small snippet of JavaScript. That code then pulls the hidden payload from the blockchain, allowing attackers to distribute malware in a way that is highly resilient to takedowns.

Both EtherHiding and DeadLock repurpose public, decentralized ledgers as covert channels that are difficult for defenders to block or dismantle. DeadLock takes advantage of rotating proxies, which are servers that regularly change the IP of a user, making it harder to track or block.

While Group‑IB admitted that “initial access vectors and other important stages of the attacks remain unknown at this point,” it said DeadLock infections rename encrypted files with a “.dlock” extension and replace desktop backgrounds with ransom notes.

Newer versions also warn victims that sensitive data has been stolen and could be sold or leaked if a ransom is not paid. At least three variants of the malware have been identified so far.

Earlier versions relied on allegedly compromised servers, but researchers now believe the group operates its own infrastructure. The key innovation, however, lies in how DeadLock retrieves and manages server addresses.

“Group-IB researchers uncovered JS code within the HTML file that interacts with a smart contract over the Polygon network,” it explained. “This RPC list contains the available endpoints for interacting with the Polygon network or blockchain, acting as gateways that connect applications to the blockchain’s existing nodes.”

Its most recently observed version also embeds communication channels between the victim and attacker. DeadLock drops a HTML file that acts as a wrapper around the encrypted messaging app Session.

“The main purpose of the HTML file is to facilitate direct communication between the DeadLock operator and the victim,” Group‑IB said.