Current Cyber Threats

LockBit 5.0 Infrastructure Exposed in New Server, IP, and Domain Leak

Summary:
According to researcher Rakesh Krishnan, posting on X, LockBit 5.0 has accidentally exposed part of its internal infrastructure. Specifically, the IP address 205[.]185[.]116[.]233 and the domain karma0[.]xyz are being used to host the ransomware group’s latest data leak website.

The IP address and domain are hosted under AS53667 (PONYNET, operated by FranTech Solutions), a network frequently abused for illicit activities. The server displays a DDoS protection page branded with “LOCKBITS.5.0,” allegedly confirming its role in the group’s operations.

Security Officer Comments:
The exposure of the LockBit 5.0 core infrastructure represents a significant operational security failure for the ransomware-as-a-service group. Scans of the exposed IP address revealed multiple open ports, including FTP (21), HTTP (80, 5000, 47001), WinRM (5985), and a file server (49666).

Critically, Remote Desktop Protocol (RDP) on port 3389 was identified as a major vulnerability, presenting a high-risk vector that could allow unauthorized actors to gain access to the underlying Windows host.

This exposure comes as the LockBit 5.0 variant, active since around September 2025, features enhanced capabilities such as support for Windows, Linux, and ESXi systems, randomized file extensions, geolocation-based evasion, and accelerated encryption via XChaCha20.

This latest intelligence provides immediate, actionable data for defenders.

Suggested Corrections:
The immediate and most critical mitigation step is for all organizations and defenders to block the exposed IP address (205[.]185[.]116[.]233) and the domain (karma0[.]xyz) within their network security controls, including firewalls, intrusion prevention systems (IPS), and DNS filters.

Blocking these indicators of compromise (IoCs) prevents any communication or interaction between a protected network and the exposed LockBit infrastructure, effectively disrupting command and control (C2) and exfiltration attempts.

Security teams should leverage this intelligence to proactively monitor their logs for any attempted communication with the exposed IP or domain, and ensure their own systems are patched so that services like those found open on the LockBit server cannot be exploited.
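As an added example (not from this bulletin or the cited article), the Python script below shows one way to sweep firewall, DNS and proxy logs for the two indicators above. The log lines are constructed for the demonstration and the host names and timestamps in them are made up; the matching applies boundary checks so that a near-miss address such as 205.185.116.23, or an unrelated domain that merely contains the string, does not fire.

```python
import re

# Indicators from the bulletin, kept in the defanged form in which they were published.
DEFANGED_IOCS = ["205[.]185[.]116[.]233", "karma0[.]xyz"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into the form that appears in real telemetry."""
    return indicator.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


IOCS = [refang(i) for i in DEFANGED_IOCS]


def ioc_pattern(ioc: str) -> re.Pattern:
    """Build a regex that matches the indicator only as a whole token.

    IPv4: no digit or dot may touch either end, so 1205.185.116.233 and
    205.185.116.2330 do not match. Domain: subdomains (www.karma0.xyz) and a
    trailing FQDN dot (karma0.xyz.) match, but karma0.xyz.example.com does not.
    """
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", ioc):
        return re.compile(r"(?<![\d.])" + re.escape(ioc) + r"(?![\d.])")
    return re.compile(
        r"(?<![A-Za-z0-9-])" + re.escape(ioc) + r"(?!\.?[A-Za-z0-9-])",
        re.IGNORECASE,
    )


PATTERNS = {ioc: ioc_pattern(ioc) for ioc in IOCS}

# Constructed sample log lines (not real telemetry). Lines 1, 2 and 5 should hit;
# line 3 is a near-miss IP, line 4 a look-alike domain, line 6 a malformed decoy.
SAMPLE_LOGS = [
    "2025-10-05T08:12:41Z fw01 action=allow src=10.20.30.40 dst=205.185.116.233 dport=443 proto=tcp",
    "2025-10-05T08:12:40Z dns01 client=10.20.30.40 query=www.karma0.xyz. type=A rcode=NOERROR",
    "2025-10-05T08:13:02Z fw01 action=allow src=10.20.30.41 dst=205.185.116.23 dport=80 proto=tcp",
    "2025-10-05T08:13:10Z dns01 client=10.20.30.42 query=karma0.xyz.example.com. type=A rcode=NXDOMAIN",
    "2025-10-05T08:14:00Z proxy01 client=10.20.30.43 url=http://KARMA0.xyz/leaks status=200",
    "2025-10-05T08:14:05Z fw01 action=allow src=10.20.30.44 dst=1205.185.116.233 dport=22 proto=tcp",
]


def find_ioc_hits(lines, patterns=PATTERNS):
    """Return (line_number, indicator, line) for every line containing an indicator."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for ioc, pattern in patterns.items():
            if pattern.search(line):
                hits.append((number, ioc, line))
    return hits


def summarize(hits):
    """Count hits per indicator, e.g. {'karma0.xyz': 2}."""
    counts = {}
    for _, ioc, _ in hits:
        counts[ioc] = counts.get(ioc, 0) + 1
    return counts


if __name__ == "__main__":
    found = find_ioc_hits(SAMPLE_LOGS)
    for number, ioc, line in found:
        print(f"line {number}: {ioc} -> {line}")
    print(summarize(found))
```

In practice the `SAMPLE_LOGS` list would be replaced by streaming the exported firewall, DNS and proxy logs through `find_ioc_hits`; a hit on the IP from a firewall `allow` line is the signal that a block rule is missing, while a DNS hit shows which internal client attempted the lookup.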

Link(s):
https://cybersecuritynews.com/lockbit-5-0-infrastructure-exposed/