**Polygon Network Exploited by DeadLock Ransomware to Evade Detection Systems**
Security researchers at Group-IB have uncovered a sophisticated evasion strategy employed by the DeadLock ransomware family, which leverages Polygon smart contracts to dynamically cycle through proxy server addresses and circumvent conventional detection mechanisms. First identified in July 2025, this malware represents a notable evolution in how cybercriminals abuse blockchain infrastructure for operational security purposes.
**Technical Architecture and Code Injection Methods**
DeadLock's attack chain centers on injecting JavaScript routines into HTML files that communicate directly with the Polygon network. Rather than storing malicious instructions on traditional servers, the malware queries blockchain-based RPC gateways to retrieve a list of attacker-controlled proxy endpoints. This approach mirrors the previously documented EtherHiding campaign, illustrating an emerging trend where threat actors weaponize decentralized ledgers to build covert communication channels that traditional blocking strategies struggle to neutralize.
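A defender-side heuristic for the injection pattern described above, added here as an example and not code from the Group-IB report or the malware: it parses a page's inline scripts and flags any that combine a JSON-RPC read method (`eth_call` and similar), a JSON-RPC or Polygon chain-id marker (137 / 0x89 is Polygon mainnet), and a browser network call. The RPC hostname and both HTML samples are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Indicators that an inline script reads data from a contract over JSON-RPC.
# 0x89 == 137 is the Polygon mainnet chain id; treated as a hint, not proof.
INDICATORS = {
    "rpc_method": re.compile(r"\b(eth_call|eth_getStorageAt|eth_getLogs)\b"),
    "jsonrpc_or_polygon_chainid": re.compile(r"jsonrpc\W+2\.0|chainId\W*(?:137|0x89)\b"),
    "network_call": re.compile(r"\b(fetch|XMLHttpRequest)\b"),
}

class InlineScripts(HTMLParser):
    """Collect the bodies of <script> elements that carry no src attribute."""
    def __init__(self):
        super().__init__()
        self._inline = False
        self.bodies = []

    def handle_starttag(self, tag, attrs):
        if tag == "script" and not any(k == "src" for k, _ in attrs):
            self._inline = True
            self.bodies.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False

    def handle_data(self, data):
        if self._inline:
            self.bodies[-1] += data

def indicators(body):
    """Names of the indicators present in one inline script body."""
    return [name for name, rx in INDICATORS.items() if rx.search(body)]

def flag_html(html):
    """Return (script_index, indicators) for inline scripts with two or more hits."""
    parser = InlineScripts()
    parser.feed(html)
    return [(i, hits) for i, body in enumerate(parser.bodies)
            if len(hits := indicators(body)) >= 2]

# Constructed samples: a normal page, and a page carrying an injected RPC lookup.
BENIGN = """<html><head><script src="/app.js"></script></head><body><script>document.title = "x";</script></body></html>"""
SUSPECT = """<html><body><p>page</p><script>
fetch("https://rpc.example.invalid", {method: "POST", body: JSON.stringify({jsonrpc: "2.0",
  id: 1, method: "eth_call", params: [{to: "0x" + "0".repeat(40), data: "0x"}, "latest"]})})
  .then(r => r.json()).then(j => console.log(j.result));
</script></body></html>"""
```

Run over saved page bodies from a web proxy or crawler; a hit is a triage lead, since legitimate dapp front-ends produce the same markers.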
**Escalating Threat Landscape**
The ransomware currently exists in at least three distinct variants, with the most recent iteration incorporating Session—an encrypted communication protocol—directly into its code. This integration enables attackers to establish end-to-end encrypted tunnels with compromised systems, significantly complicating incident response and victim notification processes.
The use of Polygon's infrastructure underscores a critical vulnerability: blockchain networks, designed for transparency and decentralization, are increasingly being repurposed as resilient command-and-control frameworks that evade traditional security controls.