LockBit 5.0, the ransomware group’s latest variant, has suffered a major operational security (opsec) breach.
Researchers exposed key infrastructure, including the IP address 205.185.116.233 and the domain karma0.xyz.
This server hosts LockBit’s newest leak site, where victims’ data appears after failed ransom payments.
Security researcher Rakesh Krishnan revealed the details on December 5, 2025, via X (formerly Twitter).
The server runs under AS53667 (PONYNET), operated by FranTech Solutions, a network often linked to cybercrime.
A DDoS protection page on the server displays the branding “LOCKBITS.5.0,” confirming its ties to the group’s operations.
This leak comes as LockBit rebounds with stronger malware, targeting more systems despite past takedowns.
WHOIS records for karma0.xyz show registration on April 12, 2025, with expiration in April 2026.
It uses Cloudflare nameservers (iris.ns.cloudflare.com and tom.ns.cloudflare.com) and Namecheap privacy protection.
The contact lists Reykjavik, Iceland. The domain’s “client transfer prohibited” status suggests efforts to secure control amid growing scrutiny.
Scans of 205.185.116.233 reveal multiple open ports, creating easy entry points for attackers or defenders aiming to disrupt.
RDP on port 3389 poses the most significant risk, allowing remote access to the Windows host. Here’s a breakdown:
| Port | Protocol | Component |
|---|---|---|
| 21 | TCP | FTP Server |
| 80 | TCP | Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 |
| 3389 | TCP | RDP (WINDOWS-401V6QI) |
| 5000 | TCP | HTTP |
| 5985 | TCP | WinRM |
| 47001 | TCP | HTTP |
| 49666 | TCP | File Server |
These exposed services could let rivals or law enforcement infiltrate the infrastructure.
LockBit 5.0 launched around September 2025. It hits Windows, Linux, and ESXi systems.
Key upgrades include randomized file extensions to evade detection, geolocation evasion (skipping Russian targets), and fast encryption using the XChaCha20 algorithm.
The group has faced repeated disruptions such as server seizures but has rebuilt quickly.
This leak underscores LockBit’s ongoing opsec issues. Cybersecurity teams should block IP 205.185.116.233 and karma0.xyz now.
Add them to firewalls and threat intel feeds. Researchers: monitor for more leaks and share IoCs. Stay vigilant: ransomware like this evolves fast.
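One way to act on the two indicators above is to sweep existing DNS, firewall and proxy logs for them before the block rules go in. The script below is an added example, not code from the article or from the researcher it cites; the log lines are constructed for the demonstration, and only the IP and domain quoted in the article are used as indicators. It normalises hostnames (case, trailing dot, subdomains) so that lookups such as `cdn.karma0.xyz` or `KARMA0.XYZ.` are still caught, and it matches the IP as a whole address rather than as a substring.

```python
"""Sweep log lines for the LockBit 5.0 infrastructure IoCs named in the article.
Added example for defenders; the sample log lines are constructed, not real captures."""
import ipaddress
import re

# Indicators quoted in the article (the only page-specific values used here).
IOC_IPS = {ipaddress.ip_address("205.185.116.233")}
IOC_DOMAINS = {"karma0.xyz"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\.?", re.IGNORECASE)


def normalize_domain(name):
    """Lower-case and strip the trailing dot that DNS logs often keep."""
    return name.lower().rstrip(".")


def domain_matches(name):
    """Return the IoC domain if `name` is that domain or a subdomain of it, else None."""
    name = normalize_domain(name)
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def scan_line(line):
    """Return the list of IoCs (IP strings or domains) found in one log line."""
    hits = []
    for token in IP_RE.findall(line):
        try:
            ip = ipaddress.ip_address(token)
        except ValueError:  # e.g. 999.1.1.1 looks like an IP but is not one
            continue
        if ip in IOC_IPS:
            hits.append(str(ip))
    for host in HOST_RE.findall(line):
        match = domain_matches(host)
        if match and match not in hits:
            hits.append(match)
    return hits


def scan_logs(lines):
    """Return (line_number, ioc) pairs for every hit across the given lines."""
    return [(n, hit) for n, line in enumerate(lines, 1) for hit in scan_line(line)]


# Constructed sample lines (DNS resolver, firewall, proxy); demonstration only.
SAMPLE_LOGS = [
    "2025-12-05T10:01:02Z dns client=10.0.0.14 query=KARMA0.XYZ. type=A",
    "2025-12-05T10:01:03Z fw action=allow src=10.0.0.14 dst=205.185.116.233 dport=443",
    "2025-12-05T10:02:00Z proxy user=bob url=https://cdn.karma0.xyz/index.html",
    "2025-12-05T10:03:00Z dns client=10.0.0.22 query=example.com type=A",
    "2025-12-05T10:04:00Z fw action=allow src=10.0.0.22 dst=205.185.116.23 dport=80",
]

if __name__ == "__main__":
    for n, hit in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: matched IoC {hit}")
```

The last two sample lines are deliberate near-misses (an unrelated domain and an address that shares a prefix with the IoC) and produce no hits.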