Headline: DeadLock Ransomware Abuses Polygon Smart Contracts to Rotate Proxies and Evade Takedowns

A newly discovered ransomware strain called DeadLock is using Polygon smart contracts as part of a stealthy infrastructure to rotate proxy addresses and distribute payloads, cybersecurity firm Group‑IB warned on Thursday (Jan. 15, 2026). First spotted in July 2025, DeadLock has infected only a handful of victims so far and operates with a low profile (no public affiliate program or data‑leak site has been observed), but its novel use of blockchain technology has researchers concerned.

How it works

- Attackers typically lure victims via compromised websites (often WordPress). A small JavaScript snippet loaded by the site reaches into the blockchain to retrieve hidden payloads and proxy information.
- Group‑IB found JavaScript embedded in HTML that calls a smart contract on the Polygon network. That contract stores an RPC list (endpoints that act as gateways to Polygon nodes), which the malware uses to discover proxy servers.
- By leveraging rotating proxies (servers that regularly change IP addresses), attackers make tracking and blocking command-and-control infrastructure much harder.

Group‑IB said the technique effectively repurposes a public, decentralized ledger as a covert distribution and control channel.

Technical context and predecessors

- Group‑IB linked DeadLock's approach to a previous method dubbed "EtherHiding," highlighted last year by Google's Threat Intelligence Group. In EtherHiding, DPRK-linked actors used the Ethereum blockchain to conceal and deliver malware. Both campaigns show a trend: decentralized ledgers being misused as resilient covert channels that are difficult for defenders to dismantle.

Observed behavior and variants

- Infected systems have files encrypted with a ".dlock" extension and desktop backgrounds replaced with ransom notes. Newer DeadLock samples also threaten victims with data theft and possible sale or leakage unless a ransom is paid.
- Researchers have identified at least three DeadLock variants. Early versions relied on apparently compromised third‑party servers; newer samples suggest the operators may now be running their own infrastructure.
- The latest observed samples include an HTML file that wraps the encrypted messaging app Session. Group‑IB says this wrapper facilitates direct communication between the operator and the victim, embedding a channel for negotiations or demands.

Why it matters

Group‑IB described DeadLock as "low profile and yet low impact" to date, but warned its inventive methods demonstrate an evolving skillset that "might become dangerous if organizations do not take this emerging threat seriously." The firm noted attackers can create essentially infinite variants of smart‑contract driven distribution and proxy rotation, making imaginative use of blockchain features a growing risk vector.

Takeaway

DeadLock is not yet widespread, but its use of Polygon smart contracts to manage proxy endpoints and deliver payloads marks a significant evolution in how ransomware authors can exploit public blockchains for resilient, hard‑to‑take‑down infrastructure. Security teams and crypto platforms should monitor for these tactics as decentralized ledgers continue to be weaponized in novel ways.
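One way a defender can hunt for loaders of the kind described above (inline JavaScript on a compromised site that contacts a chain RPC endpoint, references a contract, and then executes what it fetched) is a heuristic scan of the site's HTML. The scanner below is an added example, not Group‑IB's detection logic or any code from the report. The indicator lists (public RPC hostnames, Ethereum JSON-RPC method names, the 20-byte contract-address shape, dynamic code sinks such as `eval`) and the sample HTML fixture are constructed assumptions for illustration; the contract address in the fixture is a placeholder, not an indicator of compromise.

```python
"""Heuristic scanner for EtherHiding-style loaders in web page HTML.

A script block is flagged when it shows chain contact (a public RPC host or
an eth_* JSON-RPC method) combined with either a contract-address literal
or a dynamic code sink. Indicator lists and the sample HTML below are
constructed assumptions for this example, not data from the report.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Public RPC gateway hostnames a loader might contact (assumed examples).
RPC_HOST_PATTERN = re.compile(
    r"https?://[\w.-]*(?:polygon-rpc\.com|rpc\.ankr\.com|infura\.io|alchemy\.com)[^\s'\"]*",
    re.IGNORECASE,
)
# Standard Ethereum JSON-RPC read methods used to pull data out of a contract.
JSONRPC_METHOD_PATTERN = re.compile(r"\beth_(?:call|getStorageAt|getLogs)\b")
# 20-byte EVM address literal: 0x followed by exactly 40 hex digits.
CONTRACT_ADDR_PATTERN = re.compile(r"0x[0-9a-fA-F]{40}\b")
# Sinks that turn fetched data into executable code or injected markup.
DYNAMIC_SINK_PATTERN = re.compile(
    r"\beval\s*\(|\bnew\s+Function\s*\(|\bdocument\.write\s*\(|"
    r"createElement\s*\(\s*['\"]script['\"]\s*\)|\.innerHTML\s*="
)
SCRIPT_BLOCK_PATTERN = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)


@dataclass
class ScriptFinding:
    """Indicators observed in one inline <script> block."""
    index: int
    rpc_hosts: List[str] = field(default_factory=list)
    jsonrpc_methods: List[str] = field(default_factory=list)
    contract_addresses: List[str] = field(default_factory=list)
    dynamic_sinks: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        # Number of distinct indicator classes present (0..4).
        return sum(bool(x) for x in (self.rpc_hosts, self.jsonrpc_methods,
                                     self.contract_addresses, self.dynamic_sinks))

    @property
    def suspicious(self) -> bool:
        # Require co-occurrence: chain contact plus a contract literal or a sink,
        # so a lone RPC URL in a legitimate dApp front-end does not fire alone.
        chain_contact = bool(self.rpc_hosts or self.jsonrpc_methods)
        return chain_contact and bool(self.contract_addresses or self.dynamic_sinks)


def scan_html(html: str) -> List[ScriptFinding]:
    """Return one finding per <script> block, in document order."""
    findings = []
    for i, match in enumerate(SCRIPT_BLOCK_PATTERN.finditer(html)):
        body = match.group(1)
        findings.append(ScriptFinding(
            index=i,
            rpc_hosts=sorted(set(RPC_HOST_PATTERN.findall(body))),
            jsonrpc_methods=sorted(set(JSONRPC_METHOD_PATTERN.findall(body))),
            contract_addresses=sorted(set(CONTRACT_ADDR_PATTERN.findall(body))),
            dynamic_sinks=sorted(set(DYNAMIC_SINK_PATTERN.findall(body))),
        ))
    return findings


def suspicious_scripts(html: str) -> List[ScriptFinding]:
    """Only the script blocks that meet the co-occurrence threshold."""
    return [f for f in scan_html(html) if f.suspicious]


# Constructed fixture: one external script, one benign inline snippet, and one
# snippet carrying the indicator combination. The address is a placeholder.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery.js"></script>
<script>
  // benign analytics-style snippet
  window.dataLayer = window.dataLayer || [];
</script>
</head><body>
<script>
  // constructed fixture, not a working loader: the scanner keys on the literals
  var cfg = {rpc: "https://polygon-rpc.com/", method: "eth_call",
             contract: "0x1234567890abcdef1234567890abcdef12345678"};
  var payload = "";
  eval(payload);
</script>
</body></html>"""


if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"script #{f.index}: score={f.score} suspicious={f.suspicious} {f}")
```

Running the block prints three findings; only the third block crosses the threshold. The co-occurrence rule is the design point: a bare RPC hostname or an address literal is common in legitimate web3 front-ends, so alerting on any single indicator would be noisy, while chain contact feeding a code sink is the shape the article describes. A production version would also fetch and scan externally sourced scripts rather than only inline bodies.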