{"id":9010,"date":"2025-12-07T10:03:33","date_gmt":"2025-12-07T10:03:33","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/12\/07\/lockbit-5-0-infrastructure-exposed-in-new-server-ip-and-domain-leak\/"},"modified":"2025-12-07T10:03:33","modified_gmt":"2025-12-07T10:03:33","slug":"lockbit-5-0-infrastructure-exposed-in-new-server-ip-and-domain-leak","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/12\/07\/lockbit-5-0-infrastructure-exposed-in-new-server-ip-and-domain-leak\/","title":{"rendered":"LockBit 5.0 Infrastructure Exposed in New Server, IP, and Domain Leak"},"content":{"rendered":"<div>\n<p>Key <a href=\"https:\/\/cybersecuritynews.com\/lockbit-5-0-actively-attacking\/\" target=\"_blank\" rel=\"noreferrer noopener\">LockBit 5.0<\/a> infrastructure has been exposed, revealing the IP address 205.185.116.233 and the domain karma0.xyz, which is hosting the ransomware group\u2019s latest leak site. 
<\/p>\n<p>According to researcher Rakesh Krishnan, the server is hosted under AS53667 (PONYNET, operated by FranTech Solutions), a network frequently abused for illicit activities, and displays a DDoS protection page branded with \u201cLOCKBITS.5.0,\u201d confirming its role in the group\u2019s operations.<\/p>\n<p>This operational security lapse arrives amid LockBit\u2019s resurgence with enhanced malware capabilities.<\/p>\n<p>Krishnan first publicized the findings on December 5, 2025, via X (formerly Twitter), noting the domain\u2019s recent registration and direct ties to LockBit 5.0 activities.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/1f6a8.png?ssl=1\" alt=\"\ud83d\udea8\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\">Exposing <a href=\"https:\/\/twitter.com\/hashtag\/LOCKBIT?src=hash&amp;ref_src=twsrc%5Etfw\">#LOCKBIT<\/a> 5.0 Server: IP &amp; DOMAIN<\/p>\n<p>IP: 205.185.116.233 <img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/1f1fa-1f1f8.png?ssl=1\" alt=\"\ud83c\uddfa\ud83c\uddf8\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\"><a href=\"https:\/\/twitter.com\/hashtag\/AS53667?src=hash&amp;ref_src=twsrc%5Etfw\">#AS53667<\/a><\/p>\n<p>Domain: karma0[.]xyz<br \/>Reg: 2 November 2025<\/p>\n<p><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/s.w.org\/images\/core\/emoji\/17.0.2\/72x72\/1f4a1.png?ssl=1\" alt=\"\ud83d\udca1\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\">LockBit Group uses <a 
href=\"https:\/\/twitter.com\/hashtag\/Smokeloader?src=hash&amp;ref_src=twsrc%5Etfw\">#Smokeloader<\/a> in their attacks<br \/>MD5: e818a9afd55693d556a47002a7b7ef31<a href=\"https:\/\/twitter.com\/hashtag\/Lockbit5?src=hash&amp;ref_src=twsrc%5Etfw\">#Lockbit5<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Ransomware?src=hash&amp;ref_src=twsrc%5Etfw\">#Ransomware<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Security?src=hash&amp;ref_src=twsrc%5Etfw\">#Security<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Intelligence?src=hash&amp;ref_src=twsrc%5Etfw\">#Intelligence<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/OSINT?src=hash&amp;ref_src=twsrc%5Etfw\">#OSINT<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Databreach?src=hash&amp;ref_src=twsrc%5Etfw\">#Databreach<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/TOR?src=hash&amp;ref_src=twsrc%5Etfw\">#TOR<\/a> <a href=\"https:\/\/t.co\/U1AvMoCuck\">pic.twitter.com\/U1AvMoCuck<\/a><\/p>\n<p>\u2014 RAKESH KRISHNAN (@RakeshKrish12) <a href=\"https:\/\/twitter.com\/RakeshKrish12\/status\/1997122573512200668?ref_src=twsrc%5Etfw\">December 6, 2025<\/a>\n<\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script>\n<\/div>\n<\/div>\n<\/figure>\n<p>WHOIS records show karma0.xyz registered on April 12, 2025, with an expiration in April 2026, using Cloudflare nameservers (iris.ns.cloudflare.com and tom.ns.cloudflare.com) and Namecheap privacy protection listing Reykjavik, Iceland, as the contact location.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjqEgbS0r1-ZZKdzTHLjWrDOm05gdVidGzQdsNTYOH1sOOryCtluDtrxYRvwfGir9UoG4UEd6z7NvKChni-YX35zgxg3xVpuRSp81-cFM9RaBKKLAVFYbiFgAFuEf0Pzw9WqDsGgOSUzYlNwHjfEdt51U8HjY0YYD5m60FVlYp0ao6lAOmIPEjQraqz9QKh\/s16000\/lock%2520domain.webp?ssl=1\" alt=\"\"><\/figure>\n<\/div>\n<p>The 
domain status indicates client transfer prohibited, suggesting efforts to lock down control amid scrutiny.<\/p>\n<p>Scans reveal multiple open ports on 205.185.116.233, including vulnerable remote access, exposing the server to potential disruption.<\/p>\n<figure class=\"wp-block-table\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<th>Port<\/th>\n<th>Protocol<\/th>\n<th>Component<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>21<\/td>\n<td>TCP<\/td>\n<td>FTP Server<\/td>\n<\/tr>\n<tr>\n<td>80<\/td>\n<td>TCP<\/td>\n<td>Apache\/2.4.58 (Win64) OpenSSL\/3.1.3 PHP\/8.0.30<\/td>\n<\/tr>\n<tr>\n<td>3389<\/td>\n<td>TCP<\/td>\n<td>RDP (WINDOWS-401V6QI)<\/td>\n<\/tr>\n<tr>\n<td>5000<\/td>\n<td>TCP<\/td>\n<td>HTTP<\/td>\n<\/tr>\n<tr>\n<td>5985<\/td>\n<td>TCP<\/td>\n<td>WinRM<\/td>\n<\/tr>\n<tr>\n<td>47001<\/td>\n<td>TCP<\/td>\n<td>HTTP<\/td>\n<\/tr>\n<tr>\n<td>49666<\/td>\n<td>TCP<\/td>\n<td>File Server<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>RDP on port 3389 stands out as a high-risk vector, potentially allowing unauthorized access to the Windows host.<\/p>\n<p>LockBit 5.0, which emerged around September 2025, supports <a href=\"https:\/\/cybersecuritynews.com\/lockbit-5-0-actively-attacking\/\" target=\"_blank\" rel=\"noreferrer noopener\">Windows, Linux, and ESXi<\/a>, and features randomized file extensions, geolocation-based evasion (skipping Russian systems), and accelerated encryption via XChaCha20.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiwd-2m6ol9kDZso7QDFtBs0IygwiTiQ63fvTcFfQWg_OLoUrY4TAXQZFUFX8G948A4_wOuYHXkATHW3pPrQttEDVaMuUF7JId7ThyphenhyphenVjG19CTKqC1F2087vy2-gz_TYfEakFG0hCU-lCHEyuVU10A0SGEZ_8A5uv5m1NmlS-IRjVBYAKhe8BUd81r-Y34zB\/s16000\/lock%2520server.webp?ssl=1\" alt=\"\"><\/figure>\n<\/div>\n<p>This exposure highlights ongoing opsec failures for the 
group, which has been disrupted multiple times yet remains persistent. Defenders should block the IP and domain immediately; researchers can monitor for further leaks.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/lockbit-5-0-infrastructure-exposed\/\">LockBit 5.0 Infrastructure Exposed in New Server, IP, and Domain Leak<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>LockBit 5.0 Infrastructure Exposed in New Server, IP, and Domain Leak LockBit 5.0 key infrastructure exposed, revealing the IP address 205.185.116.233, and the domain karma0.xyz is hosting the ransomware group\u2019s latest leak site. 
According to researcher Rakesh Krishnan, hosted under AS53667 (PONYNET, operated by FranTech Solutions), a network frequently abused for illicit activities, the server [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[701,1636,63],"tags":[130],"class_list":["post-9010","post","type-post","status-publish","format-standard","hentry","category-cyber-attack","category-cyber-attack-news","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9010"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9010"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9010\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9010"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=9010"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9010"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}