DeadLock is a ransomware family discovered in July 2025. It is notable for not being associated with any known affiliate programs and for lacking a Data Leak Site (DLS). This, combined with the limited number of reported victims, has resulted in low exposure for the group. However, Group-IB specialists have discovered an interesting use of Polygon smart contracts for proxy server address rotation or distribution.
This finding warrants public attention, especially since the abuse of this specific blockchain for malicious purposes has not been widely reported. In addition, the recent discovery of similar techniques show that the abuse of smart contracts for malicious purposes could become an emerging trend.
Read more…
Source: Group IB
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Apple patches multiple vulnerabilities in iOS and iPadOS. Update now!
July 30, 2025
Apple released a security update for iOS and iPadOS to patch multiple vulnerabilities, including one that could leak sensitive information when visiting a malicious website and one that allows an attacker to display false information in the address bar. In total, 29 vulnerabilities were patched, most of them in WebKit, Apple’s web rendering engine that powers ...
- Gunra Ransomware Group Unveils Efficient Linux Variant
July 29, 2025
Gunra ransomware was first observed in April 2025 in a campaign that targeted Windows systems using techniques inspired by the infamous Conti ransomware. Trend Micror monitoring of the ransomware landscape revealed that threat actors behind Gunra have expanded with a Linux variant, signaling a strategic move toward cross-platform targeting. The novel ransomware group has already made ...
- Telecom giant Orange warns of disruption amid ongoing cyberattack
July 29, 2025
Orange, a French telecommunications giant and one of the largest phone providers in the world, announced on Monday that it was the victim of an unspecified cyberattack. In the announcement, the company said that it detected a cyberattack “on one of its information systems” on July 25, and that it proceeded to “isolate potentially affected services ...
- CVE-2025-53770 – Zero-day exploitation in the wild of Microsoft SharePoint servers
July 29, 2025
Microsoft released an advisory for CVE-2025-53770, a critical Remote Code Execution (RCE) vulnerability affecting on-premise SharePoint servers. This vulnerability has been exploited in the wild as a zero-day by an unknown threat actor prior to the disclosure from Microsoft. The vulnerability is described as an unauthenticated deserialization of untrusted data issue, and has a CVSS base ...
- Endgame Gear warns mouse config tool has been infected with malware
July 29, 2025
Gaming kit maker Endgame Gear has confirmed it was the victim of a supply chain attack which saw unidentified threat actors break into its website and replace a legitimate configuration tool with a trojanized version containing malware. In an announcement posted on the company’s website, it said on June 26 2025, someone managed to replace a ...
- Scattered Spider hackers are targeting US critical infrastructure via VMware attacks
July 28, 2025
The infamous ScatteredSpider ransomware group is using VMware instances to target critical infrastructure organizations in the US, researchers have warned. In the campaign, the hackers do not exploit any vulnerabilities, but instead go for “aggressive, creative, and particularly skilled” social engineering. They first reach out to their victim’s IT desk, impersonating an employee, and asking for ...

