DeadLock, Ransomware, Researchers Claim a New Abuse of Polygon Blockchain for Stealthy C2 Infrastructure

Listen to this Post

Featured Image

Introduction: When Ransomware Meets Decentralized Infrastructure

Ransomware operations are no longer confined to bulletproof hosting, fast-flux DNS, or disposable VPS infrastructure. A newer generation of threat actors is quietly experimenting with decentralized technologies to make their operations harder to track, block, and dismantle. DeadLock ransomware, a low-profile but technically intriguing operation first seen in mid-2025, represents this shift. By abusing smart contracts on the Polygon blockchain to manage proxy infrastructure, DeadLock demonstrates how public, legitimate platforms can be repurposed into resilient command-and-control mechanisms without triggering traditional security alarms.

Background: A Low-Noise Ransomware Operation

DeadLock ransomware first appeared in July 2025 and has largely avoided public attention since its emergence. Unlike major ransomware brands, it does not affiliate with known RaaS ecosystems and does not operate a public data leak site. Victim volume appears limited, yet researchers emphasize that DeadLock’s value lies not in scale, but in technique. Its infrastructure choices suggest careful planning, an interest in operational security, and a willingness to experiment with unconventional tooling.

Summary of the Original Findings

Group-IB researchers recently identified a novel DeadLock ransomware variant that replaces traditional hard-coded command servers with blockchain-based proxy management. Instead of embedding static IP addresses or domains, the malware retrieves proxy server URLs directly from a Polygon smart contract. This interaction is performed through read-only blockchain calls, meaning no transactions are generated and no network fees are incurred.

The malware includes an HTML component designed to communicate with victims via the Session encrypted messaging platform. JavaScript embedded in this file queries a specific smart contract deployed on Polygon, extracts the current proxy address, and then uses that proxy to relay encrypted communications between the victim and the attacker’s Session ID. The use of decentralized storage allows the attackers to rotate infrastructure without redeploying malware samples.

Researchers identified multiple smart contracts linked to a single creator wallet, funded shortly before deployment. Transaction history indicates repeated updates to proxy server values, suggesting ongoing infrastructure management. To improve reliability, the malware implements fallback mechanisms using multiple Polygon RPC endpoints, reducing the chance of disruption if a single gateway is blocked.

Beyond blockchain usage, DeadLock employs familiar ransomware tactics. It uses AnyDesk for remote access, PowerShell scripts to disable services, and shadow copy deletion to prevent file recovery. Encrypted files receive a .dlock extension, and ransom notes threaten data sale if payment is not made. Group-IB notes that similar blockchain abuse techniques have appeared in other campaigns, including smart contracts used to store payloads or C2 locations.

What Undercode Say:

Blockchain as Infrastructure, Not Currency

DeadLock reinforces a growing trend where blockchains are used as infrastructure layers rather than financial tools. Smart contracts here function as immutable configuration stores, offering attackers a globally accessible, censorship-resistant control plane.

Why Polygon Makes Strategic Sense

Polygon’s low latency, broad RPC availability, and minimal friction make it an attractive platform for abuse. Read-only contract calls blend into legitimate traffic and are rarely flagged by enterprise security tools.

Read-Only Calls Are the Real Innovation

The absence of transactions is critical. By avoiding on-chain writes during victim communication, DeadLock eliminates obvious forensic signals that defenders might otherwise monitor.

Smart Contracts as Dynamic DNS

This technique effectively turns smart contracts into a decentralized alternative to dynamic DNS services. Proxy rotation can happen instantly without changing malware binaries or network indicators.

Infrastructure Rotation Without Redeployment

Traditional ransomware updates require new payloads or configuration changes. DeadLock decouples malware logic from infrastructure, allowing attackers to update proxies independently.

Session Messaging Adds Another Layer

Using Session further complicates attribution and monitoring. Combined with blockchain-based proxy discovery, the communication chain becomes both encrypted and decentralized.

Fallback RPC Endpoints Improve Resilience

Multiple RPC endpoints ensure the malware can still resolve proxy data even if certain blockchain gateways are blocked by defenders or regulators.

Wallet Attribution Tells a Partial Story

Although multiple contracts link back to a single wallet, attribution remains limited. Wallet funding shortly before deployment suggests operational discipline, but not necessarily identity leakage.

Low Volume Does Not Mean Low Risk

DeadLock’s limited victim count should not reduce concern. Techniques pioneered by small actors are often adopted by larger ransomware groups once proven effective.

A Blueprint for Future Ransomware

The approach is modular, reusable, and scalable. Nothing prevents this model from being integrated into existing high-volume ransomware families.

Detection Becomes Politically Sensitive

Blocking blockchain traffic wholesale is unrealistic. Polygon supports countless legitimate applications, making defensive response more complex and risk-prone.

Traditional IOCs Lose Value

Static indicators like IP addresses and domains become less useful when infrastructure is stored on-chain and resolved dynamically at runtime.

Endpoint Visibility Gains Importance

Defenders may need to focus more on behavioral analysis at the endpoint, where JavaScript blockchain calls and unusual RPC activity can be correlated.

Smart Contract Analysis as Threat Intel

Security teams may need blockchain analysis capabilities, tracking malicious contracts and monitoring suspicious read-only access patterns.

Abuse Without Breaking the Rules

DeadLock does not exploit vulnerabilities in Polygon. It uses the platform exactly as designed, highlighting a broader abuse-of-feature problem.

The Cost Advantage for Attackers

Hosting configuration data on-chain removes the need for paid infrastructure while increasing durability against takedowns.

Legal and Jurisdictional Challenges

There is no central authority to issue takedown requests to. Even identifying who controls a malicious contract is nontrivial.

Lessons from Past Decentralized Abuse

Previous campaigns using Ethereum-based storage or IPFS have shown similar resilience. DeadLock builds on these lessons with more refinement.

A Signal of Maturing Threat Tradecraft

This is not experimental malware. The integration is clean, purposeful, and operationally sound.

Defenders Must Think Like Engineers

Security strategies must evolve beyond blacklist thinking and toward understanding how legitimate systems can be repurposed.

Expect Copycat Implementations

Once public research documents this technique, imitation is inevitable. The barrier to entry is relatively low.

Tooling Will Catch Up—Eventually

Blockchain monitoring for malware will improve, but attackers will enjoy a temporary asymmetry.

The Quiet Phase Is the Most Dangerous

Low-profile operations often precede wider adoption. DeadLock may represent an early warning rather than an isolated anomaly.

Fact Checker Results

✅ DeadLock ransomware has been observed using Polygon smart contracts for proxy management.
✅ Read-only blockchain calls are accurately described as fee-free and transactionless.
❌ No public evidence currently confirms large-scale victim impact beyond reported cases.

Prediction

🔮 Blockchain-based C2 techniques will become more common in ransomware campaigns as defenders harden traditional infrastructure.
🔮 Polygon and similar networks will face increasing scrutiny from security researchers and regulators.
🔮 Future ransomware families will integrate decentralized components by default rather than as experimental features.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: www.infosecurity-magazine.com
Extra Source Hub (Possible Sources for article):
https://www.digitaltrends.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon