Dissecting LockBit 5.0 Linux: A Deep Dive into Offline-Capable Ransomware

LockBit 5.0 Linux encrypts files with zero network activity, uses ChaCha20 with a Curve25519 key exchange, and actively evades strace-based monitoring. This post documents the full analysis pipeline: eBPF tracing, static RE with Ghidra, and network behavior analysis confirmed by three independent methods.

April 23, 2026 · JM00NJ

eBPF: Safe Kernel Programmability with XDP, Kprobes & Observability

Traditional kernel modules are risky: a bug in one runs with full kernel privilege. eBPF provides a safe, verifier-checked, high-speed "superpower" for the Linux kernel. Learn how XDP and kprobes change networking and tracing.

March 27, 2026 · JM00NJ