DeadLock ransomware uses Polygon smart contracts for proxy rotation

Malware Activity
Happening score: 36
1 unique source, 2 articles

Summary

DeadLock ransomware is now using Polygon smart contracts to rotate proxy server addresses, making its C2 infrastructure harder to block. The activity has been seen since July 2025 and remains low volume, but the design adds resilience and operational flexibility. New samples also show victim communication through Session and file encryption marked with a .dlock extension.

Related Happenings

Vect ransomware flawed ChaCha20 implementation destroys large files

Technical Analysis
First: 29.04.2026 13:45 Last: 29.04.2026 13:45 Sources 1

About this happening: **Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...

Trigona ransomware uploader_client.exe exfiltration activity

Malware Activity
First: 23.04.2026 21:59 Last: 23.04.2026 21:59 Sources 1

About this happening: Trigona ransomware is now using **uploader_client.exe** to steal data from compromised environments faster, making exfiltration more efficient and harder to spot. The tool was see...

PowMix phishing campaign targeting Czech workforce

Campaign
First: 16.04.2026 20:52 Last: 16.04.2026 20:52 Sources 1

About this happening: The **PowMix** campaign is actively targeting the **Czech Republic’s workforce**, raising the risk of **remote access** and **remote code execution** on compromised systems. The i...

2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates

Target Trend
First: 17.03.2026 23:41 Last: 17.03.2026 23:41 Sources 1

About this happening: **Ransomware operators** are increasingly leaning on **built-in Windows tooling** while **ransom payment rates** continue to decline across **2025**, weakening extortion returns f...

LeakNet ransomware gang ClickFix and Deno in-memory loader activity

Malware Activity
First: 17.03.2026 14:09 Last: 17.03.2026 14:09 Sources 1

About this happening: The **LeakNet ransomware gang** has adopted **ClickFix** initial access and a **Deno-based loader** that executes malicious code in memory, making intrusions harder to detect and...

Timeline

  1. 14.01.2026 16:20 3 articles · 4mo ago

    Researchers describe DeadLock's Polygon smart-contract proxy rotation

    Technical Analysis Update

    Researchers observed DeadLock ransomware abusing Polygon blockchain smart contracts to manage and rotate proxy server addresses instead of relying on hard-coded servers. The malware uses an HTML file and Session encrypted messaging for victim communication, queries a specific Polygon smart contract through JavaScript to obtain the current proxy URL, and can fall back to multiple RPC endpoints. Group-IB also linked the infrastructure to a single creator wallet funded shortly before deployment and noted related behavior including AnyDesk remote management, PowerShell commands to stop services and delete shadow copies, and file renaming with the .dlock extension.

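The fallback across multiple RPC endpoints described above leaves a pattern a defender can look for in TLS-inspecting proxy logs: one client reading the same contract through several RPC hosts in a short window. The following is an added detection example, not code from the page or its sources; the log schema, thresholds, hostnames and contract addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

WINDOW_SECONDS = 60   # assumption: fallback attempts arrive close together
MIN_ENDPOINTS = 3     # assumption: distinct RPC hosts needed before flagging

def contract_reads(records):
    """Yield (ts, src, dst, contract) for every JSON-RPC eth_call request."""
    for r in records:
        body = r.get("body") or {}
        for call in (body if isinstance(body, list) else [body]):  # batches allowed
            if not isinstance(call, dict) or call.get("method") != "eth_call":
                continue
            params = call.get("params") or [{}]
            to = params[0].get("to") if isinstance(params[0], dict) else None
            if isinstance(to, str):
                yield r["ts"], r["src"], r["dst"], to.lower()

def find_rpc_fallback(records):
    """Map (src, contract) -> RPC hosts when one client read the same contract
    through MIN_ENDPOINTS or more hosts within WINDOW_SECONDS."""
    seen = defaultdict(list)
    for ts, src, dst, to in contract_reads(records):
        seen[(src, to)].append((ts, dst))
    hits = {}
    for key, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            hosts = {d for t, d in events[i:] if t - start <= WINDOW_SECONDS}
            if len(hosts) >= MIN_ENDPOINTS:
                hits[key] = sorted(hosts)
                break
    return hits

def sample_record(ts, src, dst, method, to):
    """Build one constructed proxy-log record carrying a JSON-RPC request body."""
    return {"ts": ts, "src": src, "dst": dst, "body": {"jsonrpc": "2.0", "id": 1,
            "method": method, "params": [{"to": to, "data": "0x00"}, "latest"]}}

C1, C2 = "0x" + "a1" * 20, "0x" + "b2" * 20   # constructed placeholder addresses
SAMPLE = [  # constructed log: hosts, addresses and timestamps are made up
    sample_record(0, "10.0.0.5", "rpc-one.example", "eth_call", C1),
    sample_record(4, "10.0.0.5", "rpc-two.example", "eth_call", C1),
    sample_record(9, "10.0.0.5", "rpc-three.example", "eth_call", C1),
    sample_record(3, "10.0.0.9", "rpc-one.example", "eth_call", C2),
    sample_record(500, "10.0.0.9", "rpc-two.example", "eth_call", C2),  # outside window
    sample_record(7, "10.0.0.9", "rpc-one.example", "eth_estimateGas", C2),
]

if __name__ == "__main__":
    for (src, contract), hosts in find_rpc_fallback(SAMPLE).items():
        print(f"{src} read {contract} via {len(hosts)} RPC hosts: {hosts}")
```

Legitimate wallet software can also switch RPC providers, so a hit is a lead to correlate with the other behaviours listed above (shadow copy deletion, `.dlock` renames), not a verdict on its own.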