LockBit 5.0 key infrastructure exposed, revealing the IP address 205.185.116.233, and the domain karma0.xyz is hosting the ransomware group’s latest leak site.
According to researcher Rakesh Krishnan, hosted under AS53667 (PONYNET, operated by FranTech Solutions), a network frequently abused for illicit activities, the server displays a DDoS protection page branded with “LOCKBITS.5.0,” confirming its role in the group’s operations.
This operational security lapse arrives amid LockBit’s resurgence with enhanced malware capabilities.
Krishnan first publicized the findings on December 5, 2025, via X (formerly Twitter), noting the domain’s recent registration and direct ties to LockBit 5.0 activities.
WHOIS records show karma0.xyz registered on April 12, 2025, with an expiration in April 2026, using Cloudflare nameservers (iris.ns.cloudflare.com and tom.ns.cloudflare.com) and Namecheap privacy protection listing Reykjavik, Iceland, as the contact location.
The domain status indicates client transfer prohibited, suggesting efforts to lock down control amid scrutiny.
Scans reveal multiple open ports on 205.185.116.233, including vulnerable remote access, exposing the server to potential disruption.
| Port | Protocol | Component |
|---|---|---|
| 21 | TCP | FTP Server |
| 80 | TCP | Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 G7gGBXkXcAAcgxa.jpg |
| 3389 | TCP | RDP (WINDOWS-401V6QI) |
| 5000 | TCP | HTTP |
| 5985 | TCP | WinRM |
| 47001 | TCP | HTTP |
| 49666 | TCP | File Server |
RDP on port 3389 stands out as a high-risk vector, potentially allowing unauthorized access to the Windows host.
LockBit 5.0, which emerged around September 2025, supports Windows, Linux, and ESXi, features randomized file extensions, geolocation-based evasion (skipping Russian systems), and accelerated encryption via XChaCha20.
This exposure highlights ongoing opsec failures for the group, disrupted multiple times, yet persistent. Defenders should block the IP and domain immediately; researchers can monitor for further leaks.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
