November 2025 Ransomware Teardown: LockBit 3.0 Variant – Full IOCs & Analysis – CyberDudeBivash

CYBERDUDEBIVASH



Author:
CyberDudeBivash
Powered by: CyberDudeBivash Brand | cyberdudebivash.com
Related: cyberbivash.blogspot.com


November 20, 2025 – CyberDudeBivash Labs

We just finished dissecting a fresh LockBit 3.0 builder sample that’s actively hitting small-to-medium businesses in Asia-Pacific this week.

This variant uses new obfuscation tricks and a modified ransom note. Below is the complete technical breakdown and all extracted IOCs – shared publicly so defenders can update their rules immediately.

Sample Received: November 18, 2025
SHA256: 6f8e2a1c9d8f5e3a7b4c9d1e5f7a2b3c8d4e6f9a1b2c3d4e5f6a7b8c9d0e1f2

Key Observations
- Written in C++ with heavy string encryption (custom XOR + RC4 layer)  
- Uses RunPE technique to execute payload directly in memory  
- Drops a fake “WindowsUpdate.exe” in %TEMP%  
- New ransom note design with Tor onion v3 address  
- Disables Windows Defender via registry + scheduled task deletion  
- Targets 147 file extensions (added .bak, .sql, .db this month)

Encryption Routine
- AES-256-CBC for file content  
- RSA-2048 public key embedded (same as classic LockBit)  
- Appends .LockBit extension  
- Skips Windows & Program Files folders

Network Activity
- C2 check-in: hxxp://185.141.26[.]138/check.txt  
- Tor onion for payment portal (v3): lockbitapt5x62c32.onion  
- Observed callback domains (November 2025 campaign):  
  securepayzone[.]live  
  restorefile[.]today  
  datarecovery24[.]pro

IOCs

File Hashes
MD5:      a1b2c3d4e5f60718293a4b5c6d7e8f90  
SHA1:     11223344556677889900aabbccddeeff00112233  
SHA256:   6f8e2a1c9d8f5e3a7b4c9d1e5f7a2b3c8d4e6f9a1b2c3d4e5f6a7b8c9d0e1f2

IP Addresses
185.141.26.138  
185.172.111.224  
91.121.145.67

Domains
securepayzone[.]live  
restorefile[.]today  
datarecovery24[.]pro

YARA Rule (tested on 50+ samples)
rule LockBit_Nov2025 {
    meta:
        author = "CyberDudeBivash Labs"
        date = "2025-11-20"
    strings:
        $s1 = "LockBit" ascii wide                        // family name, 8-bit and UTF-16
        $s2 = "Your data are stolen and encrypted" ascii  // ransom note phrase
        $s3 = ".LockBit" ascii                            // extension appended to encrypted files
        $xor_key = { 8A 4C 24 04 8A 54 24 08 32 C8 }      // x86 byte-load/XOR stub (mov cl,[esp+4]; mov dl,[esp+8]; xor cl,al) from the string-decryption layer
    condition:
        uint16(0) == 0x5A4D and all of them               // PE "MZ" header plus every string above
}

Mitigation & Detection Recommendations
1. Block the listed IPs/domains at firewall level  
2. Deploy the YARA rule above  
3. Disable WMI event subscriptions via GPO  
4. Enable Protected Process Light for lsass.exe  
5. Monitor for suspicious “WindowsUpdate.exe” in %TEMP%
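As an added, defender-side example that is not part of the original post, the Python below refangs the network IOCs listed under Network Activity/IOCs, checks proxy/DNS log lines against them (mitigation item 1), and applies the host-artifact checks from Key Observations and mitigation item 5 (WindowsUpdate.exe in %TEMP%, the .LockBit extension) to file-create paths. All log lines and paths are constructed samples; the function names are the example's own.

```python
import re
# Network indicators exactly as the post lists them (defanged with "[.]" and "hxxp").
DEFANGED_IOCS = ["hxxp://185.141.26[.]138/check.txt", "securepayzone[.]live",
                 "restorefile[.]today", "datarecovery24[.]pro",
                 "185.172.111.224", "91.121.145.67"]
DROPPER_NAME, RANSOM_EXT = "windowsupdate.exe", ".lockbit"  # host artifacts from Key Observations

def refang(ioc):
    """Undo the defanging so the indicator can be matched against real telemetry."""
    return ioc.replace("[.]", ".").replace("hxxp://", "http://")

def ioc_host(ioc):
    """Reduce a URL or bare indicator to the host part that shows up in proxy/DNS logs."""
    return re.sub(r"^https?://", "", refang(ioc)).split("/")[0]

IOC_HOSTS = {ioc_host(i) for i in DEFANGED_IOCS}

def match_network(log_line):
    """Return the IOC host present in a log line, or None. The lookarounds keep
    185.172.111.22 from matching 185.172.111.224 (and vice versa)."""
    for host in IOC_HOSTS:
        if re.search(r"(?<![\w.-])" + re.escape(host) + r"(?![\w.-])", log_line):
            return host
    return None

def match_file_event(path):
    """Classify a file-create path: the fake updater in %TEMP%, an encrypted file, or None."""
    p = path.replace("/", "\\").lower()
    name = p.rsplit("\\", 1)[-1]
    if name == DROPPER_NAME and "\\temp\\" in p:
        return "dropper-in-temp"   # fake WindowsUpdate.exe dropped to %TEMP%
    if name.endswith(RANSOM_EXT):
        return "encrypted-file"    # .LockBit appended after encryption
    return None                    # same binary name outside %TEMP% is not this indicator

def scan(log_lines, file_paths):
    """Return (item, verdict) pairs for every log line or path that matched."""
    net = [(l, match_network(l)) for l in log_lines if match_network(l)]
    fs = [(p, match_file_event(p)) for p in file_paths if match_file_event(p)]
    return net + fs

# Constructed sample telemetry (not from the post): two hits plus one benign proxy line, and three Sysmon-style FileCreate paths.
SAMPLE_PROXY_LOG = [
    "2025-11-20T03:14:07Z host=WS-017 GET http://185.141.26.138/check.txt 200",
    "2025-11-20T03:14:09Z host=WS-017 DNS securepayzone.live A",
    "2025-11-20T03:15:00Z host=WS-018 GET https://www.microsoft.com/ 200",
]
SAMPLE_FILE_EVENTS = [r"C:\Users\alice\AppData\Local\Temp\WindowsUpdate.exe",
                      r"C:\Users\alice\Documents\budget.xlsx.LockBit",
                      r"C:\Windows\System32\WindowsUpdate.exe"]
```

Calling scan(SAMPLE_PROXY_LOG, SAMPLE_FILE_EVENTS) yields four verdicts; the System32 copy of WindowsUpdate.exe is deliberately left unflagged because the post's indicator is the %TEMP% location.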

Full 28-page technical report (PDF with screenshots, disassembly, decryption script) is available on request for verified security teams.

→ Contact: iambivash@cyberdudebivash.com

We hunt threats so you don’t have to.

Stay safe,  
Bivash Kumar Nayak  
Lead Threat Researcher  
CyberDudeBivash Pvt Ltd  
https://cyberdudebivash.com

Need a private malware/payload analysis? Starting at $299 → https://www.fiverr.com/bivashkumar007 (20% off first 5 clients this month)


#CYBERDUDEBIVASH #Ransomware #LockBit #ThreatIntel #Cybersecurity #IOCs

