Massive Leak Exposes LockBit 5.0 Servers, IPs, & Domain Names

In the high‑stakes world of cybercrime, a single misstep can expose an entire operation. That is exactly what happened when a security researcher discovered that LockBit’s latest ransomware iteration, LockBit 5.0, was running a command‑and‑control (C2) server on an IP that was no longer hidden behind layers of obfuscation.

Unveiling the Leaked Infrastructure

IP and Domain Exposure

On December 5, 2025, a researcher named Rakesh Krishnan revealed that the IP address 205.185.116.233 and the domain karma0.xyz were actively hosting a LockBit C2 site. The disclosure was accompanied by a tweet that read, “Exposing #LOCKBIT 5.0 Server: IP & DOMAIN … IP: 205.185.116.233 … Domain: karma0.xyz.” The tweet also highlighted the use of a Smokeloader payload and included an MD5 hash, offering a fingerprint that defenders can hunt for.

Hosted on a Known Abuse Network

The server sat behind AS53667, commonly called PONYNET, a network operated by FranTech Solutions that has a long history of being abused for illicit activity. That alone should have been a red flag, but the most visible clue was a DDoS protection page that proudly displayed the branding “LOCKBITS.5.0.” Such blatant signage is a classic indicator of compromise and gives defenders a clear marker to block.

Domain Registration and Technical Setup

WHOIS data shows that karma0.xyz was registered on April 12, 2025, with a one‑year expiry in April 2026. The domain uses Cloudflare nameservers—iris.ns.cloudflare.com and tom.ns.cloudflare.com—paired with Namecheap’s privacy protection, and lists Reykjavik, Iceland, as the contact location. After the leak became public, the domain’s status changed to “client transfer prohibited,” suggesting the group tried to lock down administrative control. However, that was a reactive move, not a preventative one.

Open Ports and Vulnerability Landscape

A scan of 205.185.116.233 revealed a laundry list of open ports: FTP on 21, HTTP on 80 and 5000, Remote Desktop Protocol on 3389, Windows Remote Management on 5985, and file sharing on 49666. The Apache web server at 80 runs version 2.4.58 on Windows, coupled with OpenSSL 3.1.3 and PHP 8.0.30. The most alarming exposure is RDP on port 3389; if an attacker can gain a foothold here, they can potentially pivot across the entire network.

LockBit 5.0: A Technological Leap Forward

Multi‑Platform Reach

LockBit 5.0 was first seen in September 2025 and represents a significant upgrade in sophistication. Unlike its predecessors, it can target Windows, Linux, and even ESXi environments. This broad compatibility means the threat actors can strike a wider range of victims, from corporate data centers to cloud workloads.

Stealth and Speed

The malware randomizes file extensions, complicating detection and recovery. It also includes geolocation‑based evasion, deliberately skipping systems identified as Russian. For encryption, it switched to XChaCha20, a faster and more secure cipher that shortens the time needed to lock victims out of their data.

Operational Security Still in the Dustbin

Despite law enforcement pressure and public scrutiny, LockBit has continued to evolve its ransomware‑as‑a‑service model. The exposure of this infrastructure demonstrates the group’s ongoing operational security lapses. It is a reminder that even the most advanced threat actors can make avoidable mistakes that provide a window for defenders.

What Defenders Should Do Now

Immediate Blocking Actions

Organizations should block the IP address 205.185.116.233 and the domain karma0.xyz across all network perimeters. This includes firewall rules, DNS filtering systems, and any proxy or reverse‑proxy configurations. The goal is to cut off the C2 channel as quickly as possible.

Extend the Hunt

Because LockBit is known for using complementary domains and IP addresses, security teams should monitor for new infrastructure that surfaces as researchers dig deeper. Look for similar branding, identical file hashes, or the same Smokeloader signatures. Treat the leak as a breadcrumb trail that could lead to additional assets.
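The blocking and hunting steps above, as an added example that is not part of the original article: the two indicators the page names (205.185.116.233 and karma0.xyz) are matched against DNS and proxy log lines, subdomains of the leaked domain are caught while look-alike names are not, and perimeter entries (iptables drops and RPZ records) are derived from the same sets. The log lines and internal addresses are constructed for the example.

```python
import re

# Indicators named in the article (IP and domain). The MD5 from the tweet is
# not reproduced on the page, so it is deliberately left out rather than guessed.
IOC_IPS = {"205.185.116.233"}
IOC_DOMAINS = {"karma0.xyz"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def domain_matches(name: str) -> bool:
    """True for an IoC domain or any subdomain of it (e.g. cdn.karma0.xyz),
    but not for look-alikes such as notkarma0.xyz."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def scan_line(line: str) -> list:
    """Return the IoC hits found in one DNS or proxy log line."""
    hits = [f"ip:{ip}" for ip in IP_RE.findall(line) if ip in IOC_IPS]
    hits += [f"domain:{d.lower()}" for d in DOMAIN_RE.findall(line) if domain_matches(d)]
    return hits


def hunt(lines) -> list:
    """(line number, hits) for every line that touches the leaked infrastructure."""
    return [(n, h) for n, line in enumerate(lines, 1) if (h := scan_line(line))]


def block_rules() -> list:
    """Perimeter entries from the same IoC sets: an iptables drop per IP and
    RPZ records that return NXDOMAIN for the domain and all its subdomains."""
    rules = [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in sorted(IOC_IPS)]
    for d in sorted(IOC_DOMAINS):
        rules += [f"{d} CNAME .", f"*.{d} CNAME ."]
    return rules


# Constructed sample log lines: hypothetical internal hosts in 10.0.4.0/24,
# benign traffic to documentation-range addresses.
SAMPLE_LOGS = [
    "2025-12-05T10:14:02Z dns client=10.0.4.17 query=karma0.xyz type=A",
    "2025-12-05T10:14:03Z proxy src=10.0.4.17 dst=205.185.116.233:80 host=karma0.xyz",
    "2025-12-05T10:15:11Z dns client=10.0.4.22 query=www.example.com type=A",
    "2025-12-05T10:16:40Z proxy src=10.0.4.30 dst=203.0.113.5:443 host=example.com",
    "2025-12-05T10:17:05Z dns client=10.0.4.41 query=cdn.karma0.xyz type=A",
]

if __name__ == "__main__":
    for n, h in hunt(SAMPLE_LOGS):
        print(f"line {n}: {', '.join(h)}")
    print("\n".join(block_rules()))
```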

Leverage Threat Intelligence Sharing

This incident underscores the value of sharing indicators of compromise across the security community. By feeding new IPs, domains, and hashes into threat intel platforms, defenders can stay one step ahead of the next iteration of LockBit or any other evolving ransomware family.

Looking Ahead: A New Normal in Ransomware Defense

The LockBit leak is not just a headline; it is a data point that will shape how we approach ransomware defenses in the months to come. By turning a single operational failure into a learning opportunity, security teams can refine their detection, response, and mitigation strategies. And as threat actors become more sophisticated, the importance of proactive intelligence, rapid blocking, and continuous monitoring will only grow. The future of cyber defense will hinge on how quickly we can translate these leaks into actionable countermeasures, turning the tables on the very actors who rely on secrecy to thrive.
