DeadLock Ransomware: Smart Contracts for Malicious Purposes

    Date: 01/21/2026

    Severity: High

    Summary

    DeadLock is a low-profile ransomware discovered in July 2025 that stands out for operating without known affiliates or a data leak site. Despite limited victim visibility, the group employs an unusual technique by abusing Polygon smart contracts to rotate or distribute proxy server addresses, enabling stealthy and decentralized infrastructure management. The campaign also relies heavily on AnyDesk for remote access. This approach aligns with a growing trend of threat actors misusing blockchain smart contracts for malicious purposes, signaling an emerging and effective tactic for evasion and resilience.

    Indicators of Compromise (IOC) List

    URLs/Domains

    http://138.226.236.51/prrq.php

    http://94.74.164.207/prrq.php

    https://94.74.164.207/prrq.php

    https://biggoalsports.co.za/minif.php

    https://nmsneustadtl.ac.at/xml.php

    https://envisionreg.com/wp-activate.php

    IP Addresses

    138.226.236.51

    94.74.164.207

    Hashes (SHA-256)

    3cd5703d285ed2753434f14f8da933010ecfdc1e5009d0e438188aaf85501612

    c9cc95ff8f2998229394dfd31c2bd6b723e826a3ca5e008d2b5be19ba419ae2c

    3c1b9df801b9abbb3684670822f367b5b8cda566b749f457821b6481606995b3

    be1037fac396cf54fb9e25c48e5b0039b3911bb8426cbf52c9433ba06c0685ce

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://biggoalsports.co.za/minif.php" or url like "https://biggoalsports.co.za/minif.php" or siteurl like "https://biggoalsports.co.za/minif.php" or domainname like "http://138.226.236.51/prrq.php" or url like "http://138.226.236.51/prrq.php" or siteurl like "http://138.226.236.51/prrq.php" or domainname like "https://94.74.164.207/prrq.php" or url like "https://94.74.164.207/prrq.php" or siteurl like "https://94.74.164.207/prrq.php" or domainname like "https://envisionreg.com/wp-activate.php" or url like "https://envisionreg.com/wp-activate.php" or siteurl like "https://envisionreg.com/wp-activate.php" or domainname like "https://nmsneustadtl.ac.at/xml.php" or url like "https://nmsneustadtl.ac.at/xml.php" or siteurl like "https://nmsneustadtl.ac.at/xml.php" or domainname like "http://94.74.164.207/prrq.php" or url like "http://94.74.164.207/prrq.php" or siteurl like "http://94.74.164.207/prrq.php"

    Detection Query 2:

    dstipaddress IN ("138.226.236.51","94.74.164.207") or srcipaddress IN ("138.226.236.51","94.74.164.207")

    Detection Query 3:

    sha256hash IN ("3c1b9df801b9abbb3684670822f367b5b8cda566b749f457821b6481606995b3","3cd5703d285ed2753434f14f8da933010ecfdc1e5009d0e438188aaf85501612","be1037fac396cf54fb9e25c48e5b0039b3911bb8426cbf52c9433ba06c0685ce","c9cc95ff8f2998229394dfd31c2bd6b723e826a3ca5e008d2b5be19ba419ae2c")
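The three queries above match the published IOCs against URL, IP and hash fields. The following Python script is an added example, not Gurucul's or Group-IB's own code, that applies the same matching logic to a constructed key=value log sample so the queries can be tested offline. It goes one step beyond the exact-string match of Detection Query 1: it also compares the host and path of each observed URL against the IOC URLs, so an entry such as the wp-activate.php URL still fires when a proxy records it with a query string appended. The log field names (domainname, url, siteurl, dstipaddress, srcipaddress, sha256hash) are the ones used in the queries; the log line format and all sample events are assumptions constructed for the example.

```python
import re
from urllib.parse import urlparse

# IOCs exactly as published in the advisory above.
IOC_URLS = {
    "http://138.226.236.51/prrq.php",
    "http://94.74.164.207/prrq.php",
    "https://94.74.164.207/prrq.php",
    "https://biggoalsports.co.za/minif.php",
    "https://nmsneustadtl.ac.at/xml.php",
    "https://envisionreg.com/wp-activate.php",
}
IOC_IPS = {"138.226.236.51", "94.74.164.207"}
IOC_SHA256 = {
    "3cd5703d285ed2753434f14f8da933010ecfdc1e5009d0e438188aaf85501612",
    "c9cc95ff8f2998229394dfd31c2bd6b723e826a3ca5e008d2b5be19ba419ae2c",
    "3c1b9df801b9abbb3684670822f367b5b8cda566b749f457821b6481606995b3",
    "be1037fac396cf54fb9e25c48e5b0039b3911bb8426cbf52c9433ba06c0685ce",
}

# (host, path) pairs derived from the URL IOCs: a looser match than Query 1's
# exact string compare, so a URL logged with a query string still triggers.
IOC_HOST_PATHS = {(urlparse(u).hostname, urlparse(u).path) for u in IOC_URLS}

# key=value tokens; values may be double-quoted (assumed log format).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_kv(line):
    """Parse one key=value log line into a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def match_event(fields):
    """Return [(query_name, matched_ioc), ...] for every IOC the event hits."""
    hits = []
    # Detection Query 1: URL / domain / site URL fields.
    for key in ("domainname", "url", "siteurl"):
        value = fields.get(key)
        if not value:
            continue
        if value in IOC_URLS:
            hits.append(("query1", value))
            continue
        parsed = urlparse(value)
        if (parsed.hostname, parsed.path) in IOC_HOST_PATHS:
            hits.append(("query1", value))
    # Detection Query 2: source or destination IP.
    for key in ("dstipaddress", "srcipaddress"):
        value = fields.get(key)
        if value in IOC_IPS:
            hits.append(("query2", value))
    # Detection Query 3: SHA-256 of the observed file (case-insensitive).
    value = fields.get("sha256hash")
    if value and value.lower() in IOC_SHA256:
        hits.append(("query3", value.lower()))
    return hits


def scan_log(lines):
    """Return [(line_number, hits), ...] for lines matching at least one IOC."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = match_event(parse_kv(line))
        if hits:
            results.append((n, hits))
    return results


# Constructed sample events (not real telemetry); 10.0.0.0/8 and 203.0.113.0/24
# are private/documentation ranges used as filler.
SAMPLE_LOG = [
    'ts=2026-01-21T10:00:01Z srcipaddress=10.0.0.5 dstipaddress=94.74.164.207 '
    'url="https://94.74.164.207/prrq.php" action=allow',
    'ts=2026-01-21T10:00:02Z srcipaddress=10.0.0.7 dstipaddress=203.0.113.10 '
    'url="https://example.com/index.php" action=allow',
    'ts=2026-01-21T10:00:03Z host=WS-014 process="update.exe" '
    'sha256hash=3CD5703D285ED2753434F14F8DA933010ECFDC1E5009D0E438188AAF85501612',
    'ts=2026-01-21T10:00:04Z srcipaddress=10.0.0.9 dstipaddress=203.0.113.22 '
    'url="https://envisionreg.com/wp-activate.php?key=abc" action=allow',
]

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG):
        for query, ioc in hits:
            print(f"line {n}: {query} matched {ioc}")
```

Lines 1, 3 and 4 of the sample fire (line 1 on both the URL and the destination IP, line 3 on the hash despite its uppercase spelling, line 4 only because of the host+path comparison); line 2 does not. When porting this back to a SIEM, the exact-match form of Query 1 should be widened in the same way, or the wp-activate.php and xml.php endpoints will be missed whenever the proxy logs the full request URL.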

    Reference:

    https://www.group-ib.com/blog/deadlock-ransomware-polygon-smart-contracts/


    Tags

    Malware, Threat Actor, Ransomware, DeadLock, Blockchain