
DeadLock has used Polygon smart contracts to evade detection since July 2025


A new ransomware family named DeadLock uses Polygon smart contracts to distribute and rotate proxy server addresses. According to the cybersecurity firm Group-IB, this advanced technique allows the malware to infiltrate devices by bypassing traditional security systems. The official report highlights that this method makes tracking criminal activity difficult for defenders.

Since its initial identification in July 2025, the malware has maintained a low profile in the ecosystem. This is mainly because it lacks a public affiliate program or a dedicated data leak site. As a result, the initial impact has been limited to a few targets. Nevertheless, researchers warn that its technical capacity represents a growing and dangerous threat for companies.

The technique used by DeadLock shares similarities with previous campaigns detected on networks like Ethereum. In these cases, attackers take advantage of network immutability to host malicious code snippets. In this way, criminals ensure that their infrastructure is highly resilient to takedowns. Likewise, the use of rotating proxies complicates the identification of the primary command and control nodes.

Advanced evasion strategies through the decentralized infrastructure of the network

The use of Polygon smart contracts allows DeadLock operators to manage endpoints dynamically. Group-IB discovered JavaScript code that interacts directly with the network to obtain new gateways. As a result, the decentralized architecture becomes a safe haven for malicious code. In addition, the ransomware uses the blockchain as a covert channel that is virtually impossible to dismantle completely.

Furthermore, the most recent versions of this malware include direct communication methods with the victims. DeadLock uses an HTML file that acts as a wrapper for the encrypted messaging application Session. Therefore, attackers establish totally private and secure negotiation channels for payments. In this way, the ransomware evolves toward a sophistication that challenges current digital protection standards.

What are the main signs of infection detected in compromised computers?

Infected systems show evident changes in the structure of their digital files. The ransomware renames encrypted documents with the “.dlock” extension and modifies the desktop background. In addition, the ransom notes warn about the potential sale of sensitive information, so psychological pressure on the user is a key component of the attack. So far, at least three different variants of this threat have been identified.
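The “.dlock” rename pattern described above lends itself to a simple burst detection over file-rename telemetry. The following is an added example, not code from Group-IB or from the article; the pipe-separated event format, the host names, the threshold and the time window are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events. Assumed format: ISO time|host|old path|new path,
# already sorted by time (as an EDR or file-audit export typically is).
SAMPLE_EVENTS = r"""
2025-07-14T09:00:01|ws-042|C:\Users\a\q3.xlsx|C:\Users\a\q3.xlsx.dlock
2025-07-14T09:00:02|ws-042|C:\Users\a\notes.txt|C:\Users\a\notes.txt.DLOCK
2025-07-14T09:00:04|ws-007|C:\tmp\draft.doc|C:\tmp\final.doc
2025-07-14T09:00:05|ws-042|C:\Users\a\plan.pdf|C:\Users\a\plan.pdf.dlock
2025-07-14T09:10:00|ws-013|D:\x\a.bin|D:\x\a.bin.dlock
2025-07-14T11:10:00|ws-013|D:\x\b.bin|D:\x\b.bin.dlock
2025-07-14T13:10:00|ws-013|D:\x\c.bin|D:\x\c.bin.dlock
"""

def parse_event(line):
    """Split one event line into (timestamp, host, old_path, new_path)."""
    ts, host, old, new = line.split("|", 3)
    return datetime.fromisoformat(ts), host, old, new

def detect_dlock_bursts(lines, threshold=3, window_seconds=60):
    """Return {host: ISO time of first alert} for hosts that rename at least
    `threshold` files to *.dlock within `window_seconds`."""
    recent = defaultdict(deque)   # host -> timestamps of recent .dlock renames
    alerts = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, host, old, new = parse_event(line)
        # Count only renames that newly gain the extension (case-insensitive);
        # moving a file that is already *.dlock is not fresh encryption.
        if not new.lower().endswith(".dlock") or old.lower().endswith(".dlock"):
            continue
        q = recent[host]
        q.append(ts)
        # Slide the window: drop renames older than window_seconds.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts.isoformat()
    return alerts

if __name__ == "__main__":
    for host, when in detect_dlock_bursts(SAMPLE_EVENTS.splitlines()).items():
        print(f"ALERT {host}: burst of .dlock renames at {when}")
```

The windowed threshold keeps a single stray “.dlock” file, or renames spread over hours, from raising an alert, while a rapid run on one host does.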

Finally, the group’s lack of public visibility should not be interpreted as an absence of risk. Experts suggest that DeadLock’s development demonstrates a highly evolved set of technical skills. Therefore, organizations must strengthen their network monitoring protocols immediately. The cybersecurity market expects an increase in the use of these decentralized tactics soon. Likewise, international cooperation will be vital to mitigate these complex attacks.
