Cybersecurity firm Group-IB has issued a warning about a new ransomware strain, dubbed DeadLock, which is leveraging Polygon smart contracts to distribute and rotate proxy server addresses, enabling it to evade traditional detection methods. The malware was first identified in July 2025 and has maintained a low profile due to its limited number of victims, lack of a public affiliate program, and absence of a data-leak site.
The technique mirrors a previously disclosed campaign known as "EtherHiding," in which North Korean hackers used the Ethereum blockchain to conceal and deliver malware. DeadLock repurposes the public, decentralized Polygon ledger as a covert channel: the ransomware retrieves its list of proxy server addresses from a smart contract rather than from a hard-coded server. Because the ledger cannot be taken down and the contract's stored list can be updated with a new transaction, the operators can rotate proxies and their IP addresses at will without touching the malware or the victim, which makes the infrastructure hard for defenders to block or dismantle and complicates tracking.
Group-IB researchers discovered JavaScript code within an HTML file that interacts with a smart contract on the Polygon network; the code carries a list of RPC endpoints for the chain. "This RPC list contains the available endpoints for interacting with the Polygon network or blockchain, acting as gateways that connect applications to the blockchain's existing nodes," the firm explained. For negotiation, the malware also embeds a communication channel: an HTML file that wraps the encrypted messaging app Session, giving the victim a direct line to the attacker.
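To make the retrieval step concrete, here is an added example, written for this page and not taken from Group-IB's report or from the DeadLock sample, of how a client reads a proxy list from a contract over JSON-RPC: it builds an eth_call, tries a list of RPC gateways in turn, and ABI-decodes the string the contract returns. The endpoint URLs, contract address, function selector and proxy entries are all constructed assumptions, and the transport is a stub so the code runs offline.

```javascript
// Added example (not Group-IB's code or the DeadLock sample): reading a list of
// proxy addresses from a smart contract over JSON-RPC with endpoint failover, and
// decoding the ABI-encoded `string` the contract returns. Every identifier below
// (URLs, contract address, selector, proxy list) is a constructed assumption.

const RPC_ENDPOINTS = [ // hypothetical RPC gateways, tried in order
  "https://rpc-a.example.invalid",
  "https://rpc-b.example.invalid",
];
const CONTRACT = "0x" + "ab".repeat(20);   // hypothetical contract address
const GET_PROXIES_SELECTOR = "0x12345678"; // hypothetical 4-byte selector of a getter

// Build the JSON-RPC request body for an eth_call against the contract.
function buildEthCall(contract, selector, id = 1) {
  return {
    jsonrpc: "2.0",
    id,
    method: "eth_call",
    params: [{ to: contract, data: selector }, "latest"],
  };
}

// ABI-encode a single `string` return value: offset word, length word, data padded to 32 bytes.
function encodeAbiString(str) {
  const bytes = Buffer.from(str, "utf8");
  const word = (n) => n.toString(16).padStart(64, "0");
  const padded = bytes.toString("hex").padEnd(Math.ceil(bytes.length / 32) * 64, "0");
  return "0x" + word(32) + word(bytes.length) + padded;
}

// Decode the ABI encoding of a single `string` return value (the inverse of the above).
function decodeAbiString(hex) {
  const h = hex.startsWith("0x") ? hex.slice(2) : hex;
  const offset = parseInt(h.slice(0, 64), 16);        // byte offset of the string head
  const lenPos = offset * 2;                           // hex-char position of the length word
  const length = parseInt(h.slice(lenPos, lenPos + 64), 16);
  const dataPos = lenPos + 64;
  return Buffer.from(h.slice(dataPos, dataPos + length * 2), "hex").toString("utf8");
}

// Split the decoded payload into host:port entries (newline or comma separated).
function parseProxyList(payload) {
  return payload.split(/[\n,]/).map((s) => s.trim()).filter(Boolean);
}

// Try each RPC gateway until one answers. `transport(url, body)` is injected so the
// example runs offline; a real client would POST JSON.stringify(body) with fetch().
function fetchProxiesWithFailover(endpoints, transport) {
  const body = buildEthCall(CONTRACT, GET_PROXIES_SELECTOR);
  const errors = [];
  for (const url of endpoints) {
    try {
      const resp = transport(url, body);
      if (resp.error) throw new Error(resp.error.message);
      return { endpoint: url, proxies: parseProxyList(decodeAbiString(resp.result)) };
    } catch (e) {
      errors.push(`${url}: ${e.message}`);
    }
  }
  throw new Error("all RPC endpoints failed: " + errors.join("; "));
}

// Constructed offline transport: the first gateway is unreachable, the second returns
// an ABI-encoded list of documentation-range addresses.
const SAMPLE_PROXIES = "198.51.100.10:8080\n203.0.113.7:3128";
function fakeTransport(url, body) {
  if (body.method !== "eth_call") throw new Error("unexpected method " + body.method);
  if (url === RPC_ENDPOINTS[0]) throw new Error("ECONNREFUSED");
  return { jsonrpc: "2.0", id: body.id, result: encodeAbiString(SAMPLE_PROXIES) };
}

console.log(JSON.stringify(fetchProxiesWithFailover(RPC_ENDPOINTS, fakeTransport)));
```

The same decoder is useful on the defensive side: anyone with the contract address and selector can query a public RPC gateway and enumerate the current proxy list, and the observable on the wire is an HTTPS POST whose JSON body has `"method":"eth_call"` going to a chain gateway, which is a reasonable thing to log at the egress proxy.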
While the initial access vectors remain unknown, DeadLock infections are recognizable by the ".dlock" extension appended to encrypted files and by ransom notes that replace the desktop background. Newer variants add a double-extortion warning that sensitive data has been stolen and could be sold or leaked if the ransom is not paid. At least three variants of the malware have been identified.
"Although it's low profile and yet low impact, it applies innovative methods that showcase an evolving skillset which might become dangerous if organizations do not take this emerging threat seriously," Group-IB stated in a blog post. The firm emphasized that the approach lets attackers produce infinite variants of the technique, posing a significant challenge to cybersecurity defenses.