Ghidra

Dissecting LockBit 5.0 Linux: A Deep Dive into Offline-Capable Ransomware

LockBit 5.0 Linux encrypts files with zero network activity, uses ChaCha20 with Curve25519 key exchanges, and actively evades strace-based monitoring. This post documents the full analysis pipeline: eBPF tracing, static RE with Ghidra, and triple-confirmed network behavior analysis.

April 23, 2026 · JM00NJ

Blinding AI Scanners with CMOV: Polymorphic CFG Breakers in Assembly

Static analysis tools like Ghidra and AI-driven EDRs rely on branching instructions to map malicious behavior. Discover how replacing JMPs with CMOV instructions creates a ‘Flat Graph’ illusion that completely blinds heuristic engines.

April 15, 2026 · JM00NJ