DeadLock Ransomware: Smart Contracts for Malicious Purposes


DeadLock is a ransomware family discovered in July 2025. It is notable for not being associated with any known affiliate programs and for lacking a Data Leak Site (DLS). This, combined with the limited number of reported victims, has resulted in low exposure for the group. However, Group-IB specialists have discovered an interesting use of Polygon smart contracts for proxy server address rotation or distribution.

This finding warrants public attention, especially since the abuse of this specific blockchain for malicious purposes has not been widely reported. In addition, the recent discovery of similar techniques show that the abuse of smart contracts for malicious purposes could become an emerging trend.

Read more…
Source: Group IB


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Venture Wolf attempts to disrupt Russian businesses with MetaStealer

    November 5, 2024

    BI.ZONE Threat Intelligence has discovered a previously unknown cluster whose activity can be traced back to November 2023. Dubbed Venture Wolf, the cluster employs multiple loaders to deliver MetaStealer to the target systems. The threat actor focuses on a range of industries, including manufacturing, construction, IT, and telecommunications. Stealers maintain their position among the most popular ...

  • FBI: Easy Access to Information for Conducting Fraudulent Emergency Data Requests Impacts US-Based Companies and Law Enforcement Agencies

    November 4, 2024

    The Federal Bureau of Investigation (FBI) is releasing this Private Industry Notification to highlight a trend of compromised US and foreign government email addresses used to conduct fraudulent emergency data requests to US-based companies, exposing personally identifying information (PII). While the concept of fraudulent emergency data requests was previously used by other threat actors, such as ...

  • Crooks bank on Microsoft’s search engine to phish customers

    November 4, 2024

    Malwarebytes Labs researchers identified a new wave of phishing for banking credentials that targets consumers via Microsoft’s search engine. A Bing search query for ‘Keybank login’ currently returns malicious links on the first page, and sometimes as the top search result. Malwarebytes Labs has reported the fraudulent sites to Microsoft already. While Microsoft’s Bing only has ...

  • GoZone Ransomware Adopts Coercive Tactics to Extract Payment

    November 4, 2024

    This week, the SonicWall Capture Labs threat research team analyzed a ransomware that not only encrypts files but also accuses the victim of harboring explicit content on their computer and then threatens to turn it over to authorities if ransom is not paid. Extortion attacks often come as unsolicited emails, and GoZone has stooped to pretending ...

  • New Trend in MSI File Abuse: New OceanLotus Group First to Use MST Files to Deliver Tromas

    November 4, 2024

    During recent daily operations, the QiAnXin Threat Intelligence Center discovered that the new OceanLotus group, which we have been continuously tracking since mid-2022, has begun to re-activate and is using a new tactic of MSI file misuse. Even though the MSI TRANSFORMS technique was theoretically disclosed in 2022, this is the first time that QiAnXin researchers have ...

  • Stealc Malware Checks Everything – Even the Screen Resolution

    November 4, 2024

    This week, the SonicWall Capture Labs threat research team reviewed a sample of Stealc malware. This is an infostealer that digs through a victim’s system to extract credentials from browsers, cryptocurrency wallets and fileshare servers. Processes are monitored, as well as keystrokes, active windows and mouse clicks. It will also disable security applications and change network ...