Dissecting LockBit 5.0 Linux: A Deep Dive into Offline-Capable Ransomware

LockBit 5.0 Linux encrypts files with zero network activity, uses ChaCha20 with Curve25519 key exchanges, and actively evades strace-based monitoring. This post documents the full analysis pipeline: eBPF tracing, static RE with Ghidra, and triple-confirmed network behavior analysis.

April 23, 2026 · JM00NJ

CVE-2025-6019: udisks2 XFS Resize Vulnerability

Exploit the Time-of-Check to Time-of-Use (TOCTOU) window in udisks2. This analysis covers Polkit bypass, XFS image crafting, and race condition triggers for local privilege escalation (LPE).

March 27, 2026 · JM00NJ

Linux Process Evasion: ptrace & prctl

Stop analysts in their tracks. Learn how to leverage the ptrace(PTRACE_TRACEME) and prctl(PR_SET_DUMPABLE) calls to harden your agents against debuggers and memory acquisition.

March 27, 2026 · JM00NJ