DeadLock Ransomware: Smart Contracts for Malicious Purposes


DeadLock is a ransomware family discovered in July 2025. It is notable for not being associated with any known affiliate programs and for lacking a Data Leak Site (DLS). This, combined with the limited number of reported victims, has resulted in low exposure for the group. However, Group-IB specialists have discovered an interesting use of Polygon smart contracts for proxy server address rotation or distribution.

This finding warrants public attention, especially since the abuse of this specific blockchain for malicious purposes has not been widely reported. In addition, the recent discovery of similar techniques show that the abuse of smart contracts for malicious purposes could become an emerging trend.

Read more…
Source: Group IB


Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox


Related:

  • Cyber security in critical industries: challenges, solutions, and the road ahead

    August 30, 2024

    In an era of rapid digital transformation, cyber security has emerged as a paramount concern, particularly for critical industries such as energy, healthcare, and transportation. As we approach the IET’s Cyber Security for Critical Industries 2024 conference, it is essential to delve into the latest cyber security challenges and explore how building resilient and responsive ...

  • North Korean threat actor Citrine Sleet exploiting Chromium zero-day

    August 30, 2024

    On August 19, 2024, Microsoft identified a North Korean threat actor exploiting a zero-day vulnerability in Chromium, now identified as CVE-2024-7971, to gain remote code execution (RCE). Microsoft researchers assess with high confidence that the observed exploitation of CVE-2024-7971 can be attributed to a North Korean threat actor targeting the cryptocurrency sector for financial gain. Microsoft ...

  • Silent Intrusions: Godzilla Fileless Backdoors Targeting Atlassian Confluence

    August 30, 2024

    Trend Micro observed a new attack vector of weaponization for the vulnerability CVE-2023-22527 using the Godzilla backdoor. Following initial exploitation, a loader was loaded into the Atlassian victim server which loads a Godzilla webshell. On January 16, 2024, Atlassian released a security advisory for CVE-2023-22527, a vulnerability that affects Confluence Data Center and Confluence Server products. In ...

  • Chennai bomb threat mails: Serious setback for police as Microsoft refuses to share vital information

    August 30, 2024

    Chennai cybercrime police has faced a serious setback in its investigations into the more than three dozen hoax bomb emails sent to schools, colleges, and the airport, ToI reported on August 30. Microsoft has refused to share crucial information regarding the mails, the report by ToI’s A Selvaraj said. These emails, the latest of which coincided ...

  • 85 cyber attacks on Việt Nam’s sites, portals last week

    August 30, 2024

    A total of 85 cases of cyber attacks on Việt Nam’s websites and information portals were reported in the past week, according to the Authority of Information Security (under the Ministry of Information and Communications). Seventy four were phishing attacks and eleven were malware installations. According to the information security authority, attackers have been using malicious ...

  • #StopRansomware: RansomHub Ransomware

    August 29, 2024

    The Federal Bureau of Investigation (FBI) and partners are releasing this joint advisory to disseminate known RansomHub ransomware IOCs and TTPs. These have been identified through FBI threat response activities and third-party reporting as recently as August 2024. RansomHub is a ransomware-as-a-service variant—formerly known as Cyclops and Knight—that has established itself as an efficient and successful ...