Overview
- Group-IB's Jan. 15 report details malware that queries Polygon smart contracts for the list of current proxy endpoints used to reach infected machines.
- Storing configuration on a public blockchain lets operators swap proxies without updating the malware, leaving no single server to seize.
- The malware reads only publicly available on-chain data, requires no transactions or gas, and does not exploit any vulnerability in Polygon.
- The operation remains low-profile, with few confirmed victims, no affiliate program, and no public leak site since it was first observed in July 2025.
- Researchers have identified at least three variants: infections append the ".dlock" extension, display ransom notes, and drop an HTML wrapper for the Session app, with newer builds warning that stolen data may be sold.
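Because the malware's only on-chain action is a read-only JSON-RPC query (no transaction, no gas), one defensive hunt is to look for processes that make `eth_call`-style requests to Polygon RPC endpoints without being known wallet or developer tooling. The script below is an added illustration, not Group-IB's code or the malware's; the log format, hostnames, process names and allowlist are constructed assumptions, and it presumes your proxy or EDR telemetry captures JSON-RPC request bodies (TLS inspection or endpoint hooks).

```python
"""Hunt for unexpected read-only chain queries (eth_call etc.) to Polygon RPC hosts.
Added example for this summary, not code from Group-IB or the malware. All hostnames,
process names, and the log schema are constructed assumptions; map the field names
to whatever your proxy/EDR actually records."""
import json
from collections import defaultdict

# Assumption: hostnames your environment resolves as Polygon JSON-RPC endpoints.
POLYGON_RPC_HOSTS = {"rpc.polygon.example", "polygon-mainnet.example"}
# Assumption: processes legitimately allowed to query chain RPC (wallets, dev tools).
ALLOWED_PROCESSES = {"metamask-helper.exe", "node.exe"}
# Read-only methods that need no wallet and cost no gas: the pattern the report describes.
READ_ONLY_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}

def parse_event(line):
    """Parse one JSON line of (constructed) network telemetry; return None if unparsable."""
    try:
        ev = json.loads(line)
        body = json.loads(ev.get("body", "{}"))
    except (ValueError, TypeError, AttributeError):
        return None
    return {"host": ev.get("src_host"), "process": ev.get("process"),
            "dest": ev.get("dest_host"), "method": body.get("method")}

def suspicious_rpc_readers(lines):
    """Return {src_host: sorted [(process, method), ...]} for read-only chain
    queries to Polygon RPC hosts made by processes outside the allowlist."""
    hits = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["dest"] not in POLYGON_RPC_HOSTS:
            continue  # not a chain RPC endpoint; ignore
        if ev["method"] in READ_ONLY_METHODS and ev["process"] not in ALLOWED_PROCESSES:
            hits[ev["host"]].add((ev["process"], ev["method"]))
    return {h: sorted(v) for h, v in hits.items()}

# Constructed sample telemetry: an allowed wallet helper (benign), an unknown process
# doing eth_call (flagged), and the same unknown process talking to a non-RPC host (ignored).
SAMPLE_LOG = [
    json.dumps({"src_host": "ws01", "process": "metamask-helper.exe", "dest_host": "rpc.polygon.example",
                "body": json.dumps({"jsonrpc": "2.0", "method": "eth_call", "params": []})}),
    json.dumps({"src_host": "ws02", "process": "svchost_update.exe", "dest_host": "rpc.polygon.example",
                "body": json.dumps({"jsonrpc": "2.0", "method": "eth_call", "params": []})}),
    json.dumps({"src_host": "ws02", "process": "svchost_update.exe", "dest_host": "cdn.example",
                "body": "{}"}),
]

if __name__ == "__main__":
    for host, findings in suspicious_rpc_readers(SAMPLE_LOG).items():
        print(host, findings)
```

Treat a hit as a lead to triage rather than a verdict: a legitimate but unlisted wallet or blockchain client will produce the same pattern, so extend ALLOWED_PROCESSES from your own software inventory.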