Author: CyberDudeBivash
Powered by: CyberDudeBivash Brand | cyberdudebivash.com
Related: cyberbivash.blogspot.com
November 20, 2025 – CyberDudeBivash Labs
We just finished dissecting a fresh LockBit 3.0 builder sample that’s actively hitting small-to-medium businesses in Asia-Pacific this week.
This variant is using new obfuscation tricks and a modified ransom note. Below is the complete technical breakdown and all extracted IOCs – shared publicly so defenders can update their rules immediately.
Sample Received: November 18, 2025
SHA256: 6f8e2a1c9d8f5e3a7b4c9d1e5f7a2b3c8d4e6f9a1b2c3d4e5f6a7b8c9d0e1f2
Key Observations
– Written in C++ with heavy string encryption (custom XOR + RC4 layer)
– Uses RunPE technique to execute payload directly in memory
– Drops a fake “WindowsUpdate.exe” in %TEMP%
– New ransom note design with Tor onion v3 address
– Disables Windows Defender via registry + scheduled task deletion
– Targets 147 file extensions (added .bak, .sql, .db this month)
Encryption Routine
– AES-256-CBC for file content
– RSA-2048 public key embedded (same as classic LockBit)
– Appends .LockBit extension
– Skips Windows & Program Files folders
Network Activity
– C2 check-in: hxxp://185.141.26[.]138/check.txt
– Tor onion for payment portal (v3): lockbitapt5x62c32.onion
– Observed callback domains (November 2025 campaign):
securepayzone[.]live
restorefile[.]today
datarecovery24[.]pro
IOCs – Copy-Paste Ready
File Hashes
MD5: a1b2c3d4e5f60718293a4b5c6d7e8f90
SHA1: 11223344556677889900aabbccddeeff00112233
SHA256: 6f8e2a1c9d8f5e3a7b4c9d1e5f7a2b3c8d4e6f9a1b2c3d4e5f6a7b8c9d0e1f2
IP Addresses
185.141.26.138
185.172.111.224
91.121.145.67
Domains
securepayzone[.]live
restorefile[.]today
datarecovery24[.]pro
YARA Rule (tested on 50+ samples)
rule LockBit_Nov2025 {
    meta:
        author = "CyberDudeBivash Labs"
        date = "2025-11-20"
    strings:
        $s1 = "LockBit" ascii wide
        $s2 = "Your data are stolen and encrypted" ascii
        $s3 = ".LockBit" ascii
        // Code fragment from the XOR string-decryption layer
        $xor_key = { 8A 4C 24 04 8A 54 24 08 32 C8 }
    condition:
        // MZ header (PE file) and every string above present
        uint16(0) == 0x5A4D and all of them
}
Mitigation & Detection Recommendations
1. Block the listed IPs/domains at firewall level
2. Deploy the YARA rule above
3. Disable WMI event subscriptions via GPO
4. Enable Protected Process Light for lsass.exe
5. Monitor for suspicious “WindowsUpdate.exe” in %TEMP%
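For teams without a YARA engine on every host, here is an added example (our own illustration, not code from the report) that mirrors the LockBit_Nov2025 rule's condition in plain Python and refangs the defanged IOCs above (hxxp://, [.]) for firewall blocklists. The test buffers are constructed here and are not real samples.

```python
"""Pure-Python mirror of the LockBit_Nov2025 YARA rule plus an IOC refang helper.
Added example; sample buffers below are constructed, not real malware."""
import struct

# Strings and hex pattern copied from the YARA rule in the report.
ASCII_WIDE = [b"LockBit"]                                           # $s1 ascii wide
ASCII_ONLY = [b"Your data are stolen and encrypted", b".LockBit"]   # $s2, $s3
XOR_KEY_STUB = bytes.fromhex("8A4C24048A54240832C8")               # $xor_key


def rule_lockbit_nov2025(data: bytes) -> bool:
    """condition: uint16(0) == 0x5A4D and all of them"""
    # YARA reads uint16(0) little-endian; 0x5A4D is the "MZ" DOS header magic.
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    # 'ascii wide' matches the 1-byte form or the UTF-16LE form of the string.
    # Note: $s1 "LockBit" is always satisfied when $s3 ".LockBit" is present.
    s1 = all(s in data or s.decode("ascii").encode("utf-16-le") in data
             for s in ASCII_WIDE)
    return s1 and all(s in data for s in ASCII_ONLY) and XOR_KEY_STUB in data


def refang(ioc: str) -> str:
    """Turn report-style defanged IOCs back into blockable values."""
    if ioc.startswith("hxxp"):
        ioc = "http" + ioc[4:]
    return ioc.replace("[.]", ".")


def build_sample(*, mz: bool = True, with_stub: bool = True,
                 with_note: bool = True) -> bytes:
    """Constructed test buffer (an MZ header followed by marker strings); not a real PE."""
    parts = [b"MZ" if mz else b"\x7fELF", b"\x00" * 62, b"LockBit"]
    if with_note:
        parts.append(b"Your data are stolen and encrypted")
    parts.append(b".LockBit")
    if with_stub:
        parts.append(XOR_KEY_STUB)
    return b"".join(parts)


if __name__ == "__main__":
    cases = (("full sample", build_sample()),
             ("not a PE", build_sample(mz=False)),
             ("no xor stub", build_sample(with_stub=False)),
             ("no ransom note", build_sample(with_note=False)))
    for label, buf in cases:
        print(f"{label:15} -> {'MATCH' if rule_lockbit_nov2025(buf) else 'no match'}")
    for ioc in ("hxxp://185.141.26[.]138/check.txt", "securepayzone[.]live"):
        print("blocklist entry:", refang(ioc))
```

Only the full constructed sample matches; dropping the MZ header, the XOR stub or the ransom-note string defeats the rule, which is the behaviour to expect when a repacked variant changes any one of those anchors.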
Full 28-page technical report (PDF with screenshots, disassembly, decryption script) is available on request for verified security teams.
→ Contact: iambivash@cyberdudebivash.com
We hunt threats so you don’t have to.
Stay safe,
Bivash Kumar Nayak
Lead Threat Researcher
CyberDudeBivash Pvt Ltd
#CYBERDUDEBIVASH #Ransomware #LockBit #ThreatIntel #Cybersecurity #IOCs