According to Group-IB, the DeadLock ransomware family uses Polygon smart contracts to distribute and rotate proxy server addresses in order to evade detection. First identified in July 2025, the malware employs JavaScript code embedded in HTML files that interacts with the Polygon network. It uses a list of RPC endpoints as gateways to fetch attacker-controlled command-and-control server addresses.

This method resembles earlier techniques such as EtherHiding: it leverages decentralized ledgers to create covert communication channels that are difficult to block. DeadLock now has at least three known variants, with the latest integrating the encrypted messaging app Session to allow direct communication between attackers and victims.

  • DeadLock evades tracking using decentralized technologies
  • Retrieves C2 addresses via the Polygon network
  • Session integration enables encrypted messaging
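
For triage, the retrieval pattern described above (inline JavaScript in an HTML file that queries a smart contract through a list of RPC gateways) can be turned into a static heuristic. The following is an added example, not code from Group-IB or from the malware; the indicator set, the names `scan_html` and `InlineScripts`, and the sample hosts and contract address are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristic indicators chosen for this example (assumptions, not vendor signatures).
RPC_METHOD = re.compile(r"""["'](eth_call|eth_getStorageAt|eth_getLogs)["']""")
CONTRACT_ADDR = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
URL = re.compile(r"https?://[^\s\"'<>)]+")
CHAIN_HINT = re.compile(r"polygon|matic|rpc", re.I)

class InlineScripts(HTMLParser):
    """Collect the text of every inline <script> element."""
    def __init__(self):
        super().__init__()
        self.in_script, self.chunks = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.chunks.append(data)

def scan_html(html):
    """Return indicators found in inline JavaScript plus an overall verdict."""
    parser = InlineScripts()
    parser.feed(html)
    js = "\n".join(parser.chunks)
    found = {
        "rpc_methods": sorted(set(RPC_METHOD.findall(js))),
        "contracts": sorted(set(CONTRACT_ADDR.findall(js))),
        "endpoints": sorted({u for u in URL.findall(js) if CHAIN_HINT.search(u)}),
    }
    # Flag only the combination: a read-only contract call, a hard-coded
    # contract address, and a fallback list of two or more RPC gateways.
    found["suspicious"] = bool(found["rpc_methods"] and found["contracts"]
                               and len(found["endpoints"]) >= 2)
    return found

# Constructed sample: placeholder hosts and a made-up contract address.
SAMPLE = """<html><body><script>
const rpcs = ["https://polygon-rpc.example/", "https://rpc.matic.example/v1"];
const req = {jsonrpc: "2.0", id: 1, method: "eth_call",
             params: [{to: "CONTRACT"}, "latest"]};
</script></body></html>""".replace("CONTRACT", "0x" + "ab" * 20)

if __name__ == "__main__":
    print(scan_html(SAMPLE))
```

Legitimate web3 front ends also match these indicators, so a hit is a lead for review of HTML files arriving by mail or download, not a verdict.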