Dissecting LockBit 5.0 Linux: A Deep Dive into Offline-Capable Ransomware

LockBit 5.0 Linux encrypts files with zero network activity, uses ChaCha20 with Curve25519 key exchanges, and actively evades strace-based monitoring. This post documents the full analysis pipeline: eBPF tracing, static RE with Ghidra, and triple-confirmed network behavior analysis.

April 23, 2026 · JM00NJ

AI Firewalls Are a Lie: Why Real Security Lives at the Kernel Level

A technical analysis of why deterministic security problems cannot be solved with probabilistic AI solutions, and why container/RBAC approaches provide stronger guarantees.

April 21, 2026 · JM00NJ

Timed Noise: LCG-Based Jitter in x64 Assembly

Fixed-interval sleeps make system behavior predictable. Break that pattern with LCG-based jitter — combine rdtsc entropy with LCG scrambling and deliver randomized delays via nanosleep.

April 20, 2026 · JM00NJ

Blinding AI Scanners with CMOV: Polymorphic CFG Breakers in Assembly

Static analysis tools like Ghidra and AI-driven EDRs rely on branching instructions to map malicious behavior. Discover how replacing JMPs with CMOV instructions creates a ‘Flat Graph’ illusion that completely blinds heuristic engines.

April 15, 2026 · JM00NJ

Evasion Techniques in Pure x64 Assembly: SROP and Zero-Copy Injection

Combining SROP with Syscall 311 provides a stealthy way to load shellcode. Learn how to hide syscalls and manipulate context while surviving the debugging hell of unnoticeable opcodes.

April 13, 2026 · JM00NJ