Malware-Analysis

Most people assume the language doesn’t matter — only behavior does. This post breaks down exactly why that assumption is wrong, with empirical evidence and real-world test results.

LockBit 5.0 Linux encrypts files with zero network activity, uses ChaCha20 with Curve25519 key exchanges, and actively evades strace-based monitoring. This post documents the full analysis pipeline: eBPF tracing, static RE with Ghidra, and triple-confirmed network behavior analysis.