Blockchain-Based Malware Emerges
A newly identified ransomware strain known as DeadLock is drawing attention from cybersecurity researchers for its novel use of Polygon smart contracts to evade takedowns and detection. According to a recent report from cybersecurity firm Group-IB, the ransomware exploits blockchain infrastructure to rotate proxy addresses dynamically, making its command-and-control (C2) architecture highly resilient.
First discovered in July, DeadLock has so far maintained a low public profile, with no known links to major ransomware-as-a-service (RaaS) programs or data leak sites. Despite the limited number of confirmed victims, researchers warn that the malware’s innovative blockchain-based techniques could pose a serious threat if widely adopted by other threat actors.
Low Profile Yet Dangerous
Group-IB describes DeadLock as a ransomware operation with “low exposure,” largely because it has not yet been associated with public extortion campaigns or high-profile attacks. However, security experts caution that its stealthy design should not be underestimated.
The ransomware does not rely on traditional centralized servers, which are often targeted by law enforcement or cybersecurity teams for takedown operations. Instead, DeadLock embeds logic within its code that allows it to interact directly with a specific Polygon smart contract address.
This approach enables the malware to retrieve updated proxy server addresses from the blockchain, allowing attackers to rotate infrastructure seamlessly without maintaining dedicated hosting resources.
Polygon Smart Contracts Abused
At the core of DeadLock’s evasion strategy is its abuse of Polygon smart contracts as a decentralized storage mechanism for proxy addresses. These addresses are used to relay communications between infected systems and the attackers’ backend infrastructure.
By storing proxy data on-chain, DeadLock eliminates a single point of failure. Blockchain data, once published, is immutable and distributed across thousands of nodes worldwide, making it extremely difficult to disrupt or remove.
Group-IB explained that the ransomware contains embedded code capable of calling specific smart contract functions to dynamically update and retrieve command-and-control endpoints. This allows DeadLock to remain operational even if some proxy servers are blocked or seized.
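Because the retrieval step described above is an ordinary Ethereum-style JSON-RPC `eth_call` (Polygon is EVM-compatible and uses the same RPC interface), an egress proxy that logs request bodies gives defenders a place to spot it. The following added example (not Group-IB's tooling or anything from the report) flags `eth_call` requests from hosts outside a small allowlist and decodes an ABI-encoded `string` return value so an analyst can read the relayed endpoint; the log records, hostnames, contract address and selector are all constructed.

```python
"""Flag on-chain endpoint lookups (JSON-RPC eth_call) in egress-proxy logs and decode the result."""
import json

# Assumption: a short allowlist of hosts with a business reason to query chain RPC nodes.
ALLOWED_SOURCES = {"10.0.5.20"}  # constructed: e.g. a monitored wallet or node host


def decode_abi_string(result_hex: str) -> str:
    """Decode one ABI-encoded dynamic `string`: 32-byte offset, 32-byte length, padded data."""
    raw = bytes.fromhex(result_hex[2:] if result_hex.startswith("0x") else result_hex)
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode("utf-8", errors="replace")


def flag_onchain_lookups(log_lines, allowed_sources=ALLOWED_SOURCES):
    """Return one finding per eth_call issued by a host that is not on the allowlist."""
    findings = []
    for line in log_lines:
        entry = json.loads(line)
        if entry.get("src") in allowed_sources:
            continue
        try:
            body = json.loads(entry.get("body", ""))
        except json.JSONDecodeError:
            continue  # not JSON-RPC traffic, ignore
        if body.get("method") != "eth_call":
            continue
        params = body.get("params") or [{}]
        call = params[0] if isinstance(params[0], dict) else {}
        finding = {"src": entry["src"], "dst": entry["dst"], "contract": call.get("to"),
                   "selector": (call.get("data") or "")[:10]}  # 4-byte function selector
        if "response_result" in entry:
            finding["decoded"] = decode_abi_string(entry["response_result"])
        findings.append(finding)
    return findings


# Constructed sample: the contract returns a TEST-NET relay endpoint as an ABI string.
PROXY = "203.0.113.77:8443"
ENCODED = ("0x" + (32).to_bytes(32, "big").hex()                 # offset of the string data
           + len(PROXY).to_bytes(32, "big").hex()                # string length
           + PROXY.encode().hex().ljust(64, "0"))                # data, right-padded to 32 bytes
SAMPLE_LOG = [  # constructed egress-proxy records, not real telemetry
    json.dumps({"src": "10.0.7.41", "dst": "rpc.example-chain.invalid", "response_result": ENCODED,
                "body": json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                                    "params": [{"to": "0x" + "ab" * 20, "data": "0x12345678"}, "latest"]})}),
    json.dumps({"src": "10.0.5.20", "dst": "rpc.example-chain.invalid",
                "body": json.dumps({"jsonrpc": "2.0", "id": 2, "method": "eth_call",
                                    "params": [{"to": "0x" + "cd" * 20}, "latest"]})}),
    json.dumps({"src": "10.0.7.41", "dst": "updates.example.invalid", "body": "not json"}),
]
```

Run against real proxy exports, the `contract` and `selector` fields give analysts stable values to pivot on even while the relay endpoints themselves rotate.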
Encryption And Extortion Tactics
Once a system is infected, DeadLock proceeds with file encryption, rendering victims’ data inaccessible. After the encryption phase, victims receive a ransom note threatening permanent data loss or the sale of stolen information if payment demands are not met.
While the group has not yet surfaced on popular leak sites, researchers believe the extortion component remains a core part of the operation. The lack of public leaks may be a strategic choice to maintain stealth while testing or refining the malware.
Infinite Variants Possible
Group-IB emphasized that DeadLock’s use of blockchain technology represents a highly flexible attack model. Because smart contracts can be programmed in countless ways, attackers could easily modify the technique to store encryption keys, malware payloads, or additional infrastructure data.
“This exploit of smart contracts to deliver proxy addresses is an interesting method where attackers can literally apply infinite variants of this technique; imagination is the limit,” the firm noted.
Such adaptability raises concerns that other ransomware groups could replicate or expand upon the approach, increasing the overall sophistication of blockchain-enabled malware campaigns.
Blockchain Malware Not New
While DeadLock’s use of Polygon is relatively novel, the concept of weaponizing smart contracts for malicious purposes is not unprecedented. Group-IB referenced a technique known as “EtherHiding,” which was reported by Google in October.
EtherHiding involves embedding malicious payloads directly into transactions or smart contracts on public blockchains. These payloads can later be retrieved and executed by malware, effectively transforming the blockchain into a decentralized malware delivery system.
North Korean Threat Actors
Google previously attributed EtherHiding to a North Korean-linked threat actor tracked as UNC5342. The group reportedly leveraged public blockchains to store and retrieve malicious JavaScript payloads, bypassing traditional hosting and content delivery networks.
“This approach essentially turns the blockchain into a decentralized and highly resilient command-and-control server,” Google said at the time.
The similarities between EtherHiding and DeadLock suggest a growing trend in which threat actors exploit public blockchain infrastructure to enhance persistence and evade detection.
Implications For Organizations
The emergence of DeadLock highlights the evolving intersection between blockchain technology and cybercrime. While blockchains are designed for transparency and resilience, those same properties can be exploited by attackers seeking censorship-resistant infrastructure.
Security experts urge organizations to treat even low-profile ransomware strains seriously, particularly as attackers experiment with new methods that bypass conventional defenses.
As blockchain adoption continues to grow, defenders may need to develop new monitoring tools and detection strategies capable of identifying malicious on-chain activity before it becomes widespread.