DeadLock is a ransomware family discovered in July 2025. It is notable for not being associated with any known affiliate programs and for lacking a Data Leak Site (DLS). This, combined with the limited number of reported victims, has resulted in low exposure for the group. However, Group-IB specialists have discovered an interesting use of Polygon smart contracts for proxy server address rotation or distribution.
This finding warrants public attention, especially since the abuse of this specific blockchain for malicious purposes has not been widely reported. In addition, the recent discovery of similar techniques show that the abuse of smart contracts for malicious purposes could become an emerging trend.
Read more…
Source: Group IB
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- ToolShell: a story of five vulnerabilities in Microsoft SharePoint
July 25, 2025
On July 19–20, 2025, various security companies and national CERTs published alerts about active exploitation of on-premise SharePoint servers. According to the reports, observed attacks did not require authentication, allowed attackers to gain full control over the infected servers, and were performed using an exploit chain of two vulnerabilities: CVE-2025-49704 and CVE-2025-49706, publicly named “ToolShell”. Additionally, ...
- Mitel Releases Security Advisories for MiVoice MX-One and MiCollab
July 24, 2025
Mitel has released security advisories to address vulnerabilities in Mitel MiVoice MX-ONE and MiCollab, which are cloud-based platforms that help manage business communications. The critical vulnerability, which has no CVE identifier at the time of publishing this Cyber Alert, affects Mitel MiVoice MX-One and is an authentication bypass vulnerability with a CVSSv3 score of 9.4. Successful ...
- Disrupting active exploitation of on-premises SharePoint vulnerabilities
July 23, 2025
Expanded analysis and threat intelligence from Microsoft continued monitoring of exploitation activity by Storm-2603 leading to the deployment of Warlock ransomware. Based on new information, we have updated the Attribution, Indicators of compromise, extended and clarified Mitigation and protection guidance (including raising Step 6: Restart IIS for emphasis), Detections, and Hunting sections. Read more… Source: Microsoft Sign up for ...
- FBI: North Korean IT Worker Threats to U.S. Businesses
July 23, 2025
The Federal Bureau of Investigation (FBI) is providing an update to previously shared guidance regarding Democratic People’s Republic of Korea (North Korea) Information Technology (IT) workers to raise public awareness of the threat posed to U.S. businesses. North Korea is evading U.S. and U.N. sanctions by targeting private companies to illicitly generate substantial revenue for the ...
- Key figure behind XSS.IS forum arrested in Ukraine
July 23, 2025
A long-running investigation led by the French Police and Paris Prosecutor, in close cooperation with their Ukrainian counterpart and Europol, has led to the arrest of the suspected administrator of xss.is, one of the world’s most influential Russian-speaking cybercrime platforms. The forum, which had more than 50 000 registered users, served as a key marketplace for ...
- Cambodia: Authorities arrest over 3,000 suspects in nationwide online scam crackdown
July 23, 2025
The Secretariat of the Commission for Combating Online Scams (CCOS) presented the results of an operation to suppress online scam activities across the Kingdom of Cambodia yesterday. After CCOS’s initial meeting on June 27 and Prime Minister Hun Manet’s strict directive on July 15, the Unified Administrative Command in all 25 capital and provincial administrations took ...

