LockBit 5.0 Infrastructure Exposed in New Server, IP, and Domain Leak
According to researcher Rakesh Krishnan, hosted under AS53667 (PONYNET, operated by FranTech Solutions), a network frequently abused for illicit activities, the server displays a DDoS protection page branded with “LOCKBITS.5.0,” confirming its role in the group’s operations.
This operational security lapse arrives amid LockBit’s resurgence with enhanced malware capabilities.
Krishnan first publicized the findings on December 5, 2025, via X (formerly Twitter), noting the domain’s recent registration and direct ties to LockBit 5.0 activities.
WHOIS records show karma0.xyz registered on April 12, 2025, with an expiration in April 2026, using Cloudflare nameservers (iris.ns.cloudflare.com and tom.ns.cloudflare.com) and Namecheap privacy protection listing Reykjavik, Iceland, as the contact location.
The domain status indicates client transfer prohibited, suggesting efforts to lock down control amid scrutiny.
Scans reveal multiple open ports on 205.185.116.233, including vulnerable remote access, exposing the server to potential disruption.
| Port | Protocol | Component |
|---|---|---|
| 21 | TCP | FTP Server |
| 80 | TCP | Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 G7gGBXkXcAAcgxa.jpg |
| 3389 | TCP | RDP (WINDOWS-401V6QI) |
| 5000 | TCP | HTTP |
| 5985 | TCP | WinRM |
| 47001 | TCP | HTTP |
| 49666 | TCP | File Server |
RDP on port 3389 stands out as a high-risk vector, potentially allowing unauthorized access to the Windows host.
LockBit 5.0, which emerged around September 2025, supports Windows, Linux, and ESXi, features randomized file extensions, geolocation-based evasion (skipping Russian systems), and accelerated encryption via XChaCha20.
This exposure highlights ongoing opsec failures for the group, disrupted multiple times, yet persistent. Defenders should block the IP and domain immediately; researchers can monitor for further leaks.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
The post LockBit 5.0 Infrastructure Exposed in New Server, IP, and Domain Leak appeared first on Cyber Security News.
If you're interested in dipping your toes in the world of 3D printing, you can't…
Scream 7's Neve Campbell, Kevin Williamson, and Isabel May sat down with IGN for Fan…
Scrubs is back. The show was canceled in 2010, and Zach Braff, Donald Faison and…
ABILENE, Texas (KTAB/KRBC) - Two juveniles and a teen are accused of shooting and killing…
KTALnews.com (KTAL/KMSS) - A total lunar eclipse will create a "blood moon" early Tuesday morning,…
ABILENE, Texas (KTAB/KRBC) - Two teenagers have been reported missing in Abilene. One was last…
This website uses cookies.