DeadLock is a ransomware family discovered in July 2025. It is notable for not being associated with any known affiliate programs and for lacking a Data Leak Site (DLS). This, combined with the limited number of reported victims, has resulted in low exposure for the group. However, Group-IB specialists have discovered an interesting use of Polygon smart contracts for proxy server address rotation or distribution.
This finding warrants public attention, especially since the abuse of this specific blockchain for malicious purposes has not been widely reported. In addition, the recent discovery of similar techniques show that the abuse of smart contracts for malicious purposes could become an emerging trend.
Read more…
Source: Group IB
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- QAKBOT Loader Returns With New Techniques and Tools
November 12, 2021
QAKBOT is a prevalent information-stealing malware that was first discovered in 2007. In recent years, its detection has become a precursor to many critical and widespread ransomware attacks. It has been identified as a key “malware installation-as-a-service” botnet that enables many of today’s campaigns. Toward the end of September 2021, we noted that QAKBOT operators resumed ...
- BotenaGo botnet targets millions of IoT devices with 33 exploits
November 11, 2021
The new BotenaGo malware botnet has been discovered using over thirty exploits to attack millions of routers and IoT devices. BotenaGo was written in Golang (Go), which has been exploding in popularity in recent years, with malware authors loving it for making payloads that are harder to detect and reverse engineer. In the case of BotenaGo, only ...
- TeamTNT Upgrades Arsenal, Refines Focus on Kubernetes and GPU Environments
November 11, 2021
In previous entries, we described how the hacking group TeamTNT targeted unsecured Redis instances, exposed Docker APIs, and vulnerable Kubernetes clusters in order to deploy cryptocurrency-mining payloads and credential stealers. TeamTNT was one of the first cybercriminal groups to focus on cloud service providers (CSPs), specifically the metadata stored on elastic computing instances being run ...
- Magniber ransomware gang now exploits Internet Explorer flaws in attacks
November 11, 2021
The Magniber ransomware gang is now using two Internet Explorer vulnerabilities and malicious advertisements to infect users and encrypt their devices. The two Internet Explorer vulnerabilities are tracked as CVE-2021-26411 and CVE-2021-40444, with both having a CVSS v3 severity score of 8.8. The first one, CVE-2021-26411, was fixed in March 2021 and is a memory corruption flaw ...
- A Peek into Top-Level Domains and Cybercrime
November 11, 2021
Top-level domains (TLDs), such as .com, .net, .xxx and .hu, sit at the highest level of the domain name system (DNS) naming hierarchy. When users want to acquire domain names (e.g., paloaltonetworks.com), typically, they need to register them under a TLD directly or one level lower (e.g., google.co.uk). Properties and policies of TLDs such as ...
- New PhoneSpy Android Spyware Poses Pegasus-Like Threat
November 10, 2021
Researchers discovered new Android spyware that provides similar capabilities to NSO Group’s Pegasus controversial software. Called PhoneSpy, the mobile surveillance-ware has been spotted activity targeting South Koreans without their knowledge. PhoneSpy disguises itself as a legitimate application and gives attackers complete access to data stored on a mobile device and grants full control over the targeted ...