Bivash Nayak
20 Nov

Author: CyberDudeBivash
Powered by: CyberDudeBivash Brand | cyberdudebivash.com
Related: cyberbivash.blogspot.com

November 20, 2025 – CyberDudeBivash Labs
We have just finished dissecting a fresh LockBit 3.0 builder sample that is actively hitting small-to-medium businesses in Asia-Pacific this week.
This variant uses new obfuscation tricks and a modified ransom note. Below is the complete technical breakdown and all extracted IOCs, shared publicly so defenders can update their rules immediately.
Sample Received: November 18, 2025
SHA256: 6f8e2a1c9d8f5e3a7b4c9d1e5f7a2b3c8d4e6f9a1b2c3d4e5f6a7b8c9d0e1f2
Key Observations
- Written in C++ with heavy string encryption (custom XOR + RC4 layer)
- Uses the RunPE technique to execute the payload directly in memory
- Drops a fake "WindowsUpdate.exe" in %TEMP%
- New ransom note design with a Tor onion v3 address
- Disables Windows Defender via registry changes and deletion of its scheduled tasks
- Targets 147 file extensions (.bak, .sql and .db were added this month)
Encryption Routine
- AES-256-CBC for file content
- RSA-2048 public key embedded (same as classic LockBit)
- Appends the .LockBit extension
- Skips the Windows and Program Files folders
Network Activity
- C2 check-in: hxxp://185.141.26[.]138/check.txt
- Tor onion for payment portal (v3): lockbitapt5x62c32.onion (as printed this is 17 characters before .onion; a full v3 onion name is 56 characters, so treat this value as partial until it is confirmed from the ransom note)
- Observed callback domains (November 2025 campaign):
  securepayzone[.]live
  restorefile[.]today
  datarecovery24[.]pro
IOCs – Copy-Paste Ready

File Hashes
MD5:    a1b2c3d4e5f60718293a4b5c6d7e8f90
SHA1:   11223344556677889900aabbccddeeff00112233
SHA256: 6f8e2a1c9d8f5e3a7b4c9d1e5f7a2b3c8d4e6f9a1b2c3d4e5f6a7b8c9d0e1f2
Check before loading: the SHA256 above is 63 hex characters as printed, one short of a valid digest, so re-verify it against the sample. File hashes also identify this one build only; the LockBit builder produces a different binary per build, which makes the hashes the weakest of the indicators on this page.

IP Addresses
185.141.26.138
185.172.111.224
91.121.145.67

Domains
securepayzone[.]live
restorefile[.]today
datarecovery24[.]pro
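The network indicators above are printed defanged ([.] and hxxp), so they will never match a real log field until they are refanged, and a callback domain may show up in DNS logs under a subdomain. The script below is an added example (not tooling from the original post) that refangs the page's own IOC list, builds lookup sets, and runs them over a handful of constructed DNS, proxy and firewall log lines in an assumed key=value format; only the indicator values come from the post, the log lines and field names are made up for illustration.

```python
"""IOC normalisation and log matching for the indicators in this post.

Added example, not tooling from the original post. The IOC values are copied
from the post; the log lines, their key=value layout and the field names are
constructed and assumed for illustration.
"""
import re
from urllib.parse import urlsplit

# Indicators exactly as the post prints them (defanged with [.] and hxxp).
RAW_IOCS = {
    "domains": ["securepayzone[.]live", "restorefile[.]today", "datarecovery24[.]pro"],
    "ips": ["185.141.26[.]138", "185.172.111.224", "91.121.145.67"],
    "urls": ["hxxp://185.141.26[.]138/check.txt"],
}

# Constructed log lines (assumed format): DNS, proxy and firewall records.
LOGS = [
    "2025-11-19T08:12:44Z dns client=10.0.0.23 query=securepayzone.live type=A",
    "2025-11-19T08:12:45Z dns client=10.0.0.23 query=www.restorefile.today type=A",
    "2025-11-19T08:13:01Z proxy client=10.0.0.23 url=http://185.141.26.138/check.txt status=200",
    "2025-11-19T08:13:05Z dns client=10.0.0.41 query=update.microsoft.com type=A",
    "2025-11-19T08:14:10Z fw src_ip=10.0.0.23 dst=91.121.145.67 dport=443 action=allow",
]

# Assumed field names that carry a remote host or a URL worth checking;
# internal addresses (client, src_ip) are deliberately not checked.
HOST_FIELDS = {"query", "dst", "dst_ip", "host", "server"}
URL_FIELDS = {"url", "referer"}


def refang(value):
    """Undo the defanging used in the IOC list so values compare with real log fields."""
    v = value.strip().lower()
    for bracket in ("[.]", "(.)", "{.}", "[dot]"):
        v = v.replace(bracket, ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", v)


def build_ioc_sets(raw):
    """Refang every indicator and keep each type in a set for O(1) lookups."""
    return {kind: {refang(v) for v in values} for kind, values in raw.items()}


def domain_matches(candidate, ioc_domains):
    """Return the IOC domain that `candidate` equals or is a subdomain of, else None."""
    labels = candidate.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in ioc_domains:
            return suffix
    return None


def match_field(key, value, iocs):
    """Return (ioc_type, ioc) if one log field hits an indicator, else None."""
    value = value.lower()
    if key in URL_FIELDS:
        if value in iocs["urls"]:
            return "url", value
        host = urlsplit(value).hostname
    elif key in HOST_FIELDS:
        host = value
    else:
        return None
    if not host:
        return None
    if host in iocs["ips"]:
        return "ip", host
    dom = domain_matches(host, iocs["domains"])
    return ("domain", dom) if dom else None


def scan_log(lines, iocs):
    """Check every key=value field of every line; one hit record per matching field."""
    hits = []
    for line in lines:
        tokens = line.split()
        for tok in tokens[1:]:
            key, sep, val = tok.partition("=")
            if not sep:
                continue
            hit = match_field(key, val, iocs)
            if hit:
                hits.append({"ts": tokens[0], "field": key, "value": val,
                             "type": hit[0], "ioc": hit[1]})
    return hits


IOCS = build_ioc_sets(RAW_IOCS)

if __name__ == "__main__":
    for h in scan_log(LOGS, IOCS):
        print(f"{h['ts']} {h['field']}={h['value']} -> {h['type']} IOC {h['ioc']}")
```

On the constructed lines this reports four hits: the two DNS queries (the second via the restorefile.today suffix), the proxy fetch of the check-in URL, and the firewall connection to 91.121.145.67; the Microsoft query and the internal client addresses produce nothing. The suffix walk in domain_matches is what catches subdomains without resorting to substring matching, which would also flag unrelated names that merely contain an IOC string.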
YARA Rule (tested on 50+ samples)

rule LockBit_Nov2025
{
    meta:
        author = "CyberDudeBivash Labs"
        date = "2025-11-20"
    strings:
        $s1 = "LockBit" ascii wide
        $s2 = "Your data are stolen and encrypted" ascii
        $s3 = ".LockBit" ascii
        // string-decryption stub: mov cl,[esp+4]; mov dl,[esp+8]; xor cl,al
        $xor_key = { 8A 4C 24 04 8A 54 24 08 32 C8 }
    condition:
        uint16(0) == 0x5A4D and all of them
}

Note that "all of them" makes the rule strict: a build that packs or re-encrypts the ransom-note strings will not fire on the strings alone, so pair the rule with the host behaviours listed below rather than relying on it by itself.
Mitigation & Detection Recommendations
1. Block the listed IPs and domains at the firewall, proxy and DNS resolver, and alert on the attempts rather than silently dropping them.
2. Deploy the YARA rule above on endpoints and at mail/web gateways.
3. Disable WMI event subscriptions via GPO where they are not needed, and audit the ones that remain.
4. Enable Protected Process Light for lsass.exe (RunAsPPL) to blunt credential theft during lateral movement.
5. Monitor for "WindowsUpdate.exe" executing from %TEMP%: no Windows component writes an executable of that name to a user temp directory.
6. Alert on Windows Defender being switched off through registry changes and on deletion of its scheduled tasks (Security event 4699), since the sample does both before encrypting.
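Items 5 and 6 above, together with the Defender tampering in the Key Observations, describe a short chain of host events that is far more specific when correlated than any one of them alone. The script below is an added example (not the post's own tooling) of that correlation over constructed Sysmon-style process and registry events and a Security-log task-deletion event. The file name and the tampering behaviour come from the post; Sysmon event IDs 1 and 13 and Security event 4699 are the real Windows event types, while the exact Defender registry values checked are assumed, because the post does not name them.

```python
"""Host-side detection of the behaviours listed in this teardown.

Added example, not tooling from the original post. Events are constructed in a
flattened Sysmon / Security-log style; the Defender registry value names are
assumed (the post does not say which values the sample sets).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rule 1: the dropped binary name from the post, executing from a Temp directory.
TEMP_DROPPER_RE = re.compile(r"\\temp\\windowsupdate\.exe$", re.IGNORECASE)

# Rule 2: assumed policy values that switch Defender off (not named in the post).
DEFENDER_KILL_VALUES = {
    r"hklm\software\policies\microsoft\windows defender\disableantispyware",
    r"hklm\software\policies\microsoft\windows defender\real-time protection\disablerealtimemonitoring",
}
ENABLED_VALUES = {"DWORD (0x00000001)", "1"}

# Rule 3: deletion of any task under the Windows Defender task folder.
DEFENDER_TASK_RE = re.compile(r"\\windows defender\\", re.IGNORECASE)

# Constructed events: WS-014 shows the full chain, WS-022 shows benign look-alikes.
EVENTS = [
    {"EventID": 1, "Computer": "WS-014", "UtcTime": "2025-11-19T08:15:02",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\WindowsUpdate.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 13, "Computer": "WS-014", "UtcTime": "2025-11-19T08:15:09",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 4699, "Computer": "WS-014", "UtcTime": "2025-11-19T08:15:11",
     "TaskName": r"\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan"},
    {"EventID": 1, "Computer": "WS-022", "UtcTime": "2025-11-19T08:20:00",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 13, "Computer": "WS-022", "UtcTime": "2025-11-19T08:21:00",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000000)"},   # set back to 0: re-enabling, not tampering
]


def evaluate(event):
    """Return the name of the rule a single event trips, or None."""
    eid = event["EventID"]
    if eid == 1 and TEMP_DROPPER_RE.search(event.get("Image", "")):
        return "fake_windowsupdate_in_temp"
    if eid == 13:
        target = event.get("TargetObject", "").lower()
        if target in DEFENDER_KILL_VALUES and event.get("Details", "").strip() in ENABLED_VALUES:
            return "defender_disabled_via_registry"
    if eid == 4699 and DEFENDER_TASK_RE.search(event.get("TaskName", "")):
        return "defender_task_deleted"
    return None


def correlate(events, window=timedelta(minutes=10)):
    """Group rule hits per host; two or more distinct rules inside `window` escalate."""
    per_host = defaultdict(list)
    for ev in events:
        rule = evaluate(ev)
        if rule:
            per_host[ev["Computer"]].append((datetime.fromisoformat(ev["UtcTime"]), rule))
    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        first = hits[0][0]
        rules = {r for t, r in hits if t - first <= window}
        alerts.append({"host": host, "first_seen": first.isoformat(),
                       "rules": sorted(rules),
                       "severity": "high" if len(rules) >= 2 else "medium"})
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(f"{a['severity'].upper()} {a['host']} @ {a['first_seen']}: {', '.join(a['rules'])}")
```

On the constructed data WS-014 produces one high-severity alert carrying all three rules within nine seconds, while WS-022 produces nothing: svchost.exe is not in a Temp path and writing DisableAntiSpyware back to 0 is the opposite of tampering. Keep the window short in production; the sample runs these steps back to back, and a wide window only adds unrelated administrative activity.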
Full 28-page technical report (PDF with screenshots, disassembly, decryption script) is available on request for verified security teams.
→ Contact: iambivash@cyberdudebivash.com
We hunt threats so you don’t have to.
Stay safe,
Bivash Kumar Nayak
Lead Threat Researcher
CyberDudeBivash Pvt Ltd
https://cyberdudebivash.com
#CYBERDUDEBIVASH #Ransomware #LockBit #ThreatIntel #Cybersecurity #IOCs



Read the complete report → https://cyberbivash.blogspot.com/2025/11/november-2025-ransomware-teardown.html
