Overview
- Group-IB’s Jan. 15 analysis details how DeadLock stores rotating proxy endpoints inside Polygon smart contracts to manage post-infection communications.
- The malware queries contract data after encryption to fetch the current proxy, allowing rapid infrastructure changes without redeploying payloads.
- Researchers say the method reads public blockchain data, requires no transactions or gas fees, and does not exploit vulnerabilities in Polygon.
- The operation has remained low profile since July 2025 with few confirmed victims, no affiliate program, and no public data-leak site.
- Recent variants rename files with a “.dlock” extension, display ransom notes, threaten to sell stolen data, and drop an HTML wrapper for Session whose embedded JavaScript retrieves an RPC endpoint list from Polygon.
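Because the lookup described above is a read-only query of public chain state, a useful network signal is an endpoint making JSON-RPC read calls to a Polygon RPC host when it has no business doing so. The following detection script is an added example, not code from Group-IB's analysis or the DeadLock sample; it assumes egress proxy logs that capture the POST body as JSON and that the lookup uses standard methods such as `eth_call`. The RPC host names, source addresses and contract address are constructed placeholders.

```python
import json

# Assumed: hosts serving Polygon JSON-RPC on this network (placeholder values).
POLYGON_RPC_HOSTS = {"polygon-rpc.example", "rpc.polygon.example"}
# JSON-RPC methods that read contract state without submitting a transaction
# (no gas, no on-chain trace), which matches the behaviour described above.
READ_ONLY_METHODS = {"eth_call", "eth_getStorageAt", "eth_getLogs"}


def _record(src, host, body):
    """Build one constructed proxy-log line: one JSON object with the request body."""
    return json.dumps({"src": src, "host": host, "method": "POST", "body": json.dumps(body)})


# Constructed sample log lines; the contract address is a placeholder, not an indicator.
SAMPLE_LOGS = [
    _record("10.0.5.21", "polygon-rpc.example",
            {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
             "params": [{"to": "0xCONTRACT_PLACEHOLDER", "data": "0xdeadbeef"}, "latest"]}),
    _record("10.0.5.21", "polygon-rpc.example",
            {"jsonrpc": "2.0", "id": 2, "method": "eth_blockNumber", "params": []}),
    _record("10.0.7.3", "intranet.example", {"query": "status"}),
    _record("10.0.9.8", "rpc.polygon.example",
            {"jsonrpc": "2.0", "id": 1, "method": "eth_sendRawTransaction", "params": ["0x00"]}),
]


def find_contract_reads(lines):
    """Return read-only contract queries sent to Polygon RPC hosts, with the
    contract address extracted as a pivot for further investigation."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
            body = json.loads(rec.get("body", ""))
        except (ValueError, TypeError):
            continue  # not JSON, or no captured body: nothing to inspect
        if rec.get("host") not in POLYGON_RPC_HOSTS:
            continue
        # JSON-RPC allows batched requests (a list of calls); normalise to a list.
        calls = body if isinstance(body, list) else [body]
        for call in calls:
            if not isinstance(call, dict) or call.get("jsonrpc") != "2.0":
                continue
            if call.get("method") not in READ_ONLY_METHODS:
                continue
            params = call.get("params") or [{}]
            target = params[0].get("to") if isinstance(params[0], dict) else None
            hits.append({"src": rec.get("src"), "host": rec["host"],
                         "rpc_method": call["method"], "contract": target})
    return hits
```

The `contract` field is the value to pivot on: one address queried by many hosts with no corresponding transactions is the pattern the report describes.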