LockBit 5.0 and Magento “SessionReaper”: DFIR notes on two active intrusion patterns

Check Point’s October 27, 2025 weekly report flags two things we should treat as priority hunts: a fresh LockBit 5.0 build with cross-platform encryptors and faster runtime, and active abuse of Magento’s SessionReaper (CVE-2025-54236) to hijack sessions and drop PHP webshells via the REST API. Their write-up aligns with Trend Micro’s technical analysis of the LockBit 5.0 binaries and Adobe/Sansec guidance on SessionReaper exploitation in the wild. (Check Point report; Check Point blog on the comeback; Trend Micro analysis; Adobe APSB25-88; Sansec). (research.checkpoint.com)

Intrusion Flow

  • LockBit 5.0

    • Post-Cronos resurgence with confirmed victims in September 2025, including Windows, Linux, and ESXi targets; new variant “ChuongDong” observed in the wild. (Check Point). (blog.checkpoint.com)
    • Technical changes relevant to forensics: DLL reflection loading on Windows, ETW patching, service-kill routines, randomized 16-char file extensions, event log clearing via EvtClearLog, and geo/language checks to avoid RU systems. Dedicated Linux and ESXi encryptors ship with aligned CLI/help and path-targeting options. (Trend Micro). (trendmicro.com)
    • Expect familiar affiliate tradecraft for initial access and lateral movement (valid accounts, public-facing device exploits, RDP/VPN pivots, PsExec, data theft before encryption). See CISA’s LockBit advisories and Citrix Bleed exploitation patterns for how affiliates operate. (CISA AA23-325A; CISA LockBit overview). (cisa.gov)
    • Context: Operation Cronos disrupted LockBit infrastructure in Feb 2024, but core operators and affiliates have re-organized. (Reuters). (reuters.com)
  • Magento SessionReaper (CVE-2025-54236)

    • Critical improper input validation in the REST API enabling session hijack; Adobe issued an emergency bulletin and hotfix on September 9, 2025. (Adobe APSB25-88). (helpx.adobe.com)
    • Developer change tightened ServiceInputProcessor constructor parameter validation to block malicious payloads; see Adobe’s guidance mapping to CVE-2025-54236. (Adobe KCS guide). (experienceleague.adobe.com)
    • Sansec reports mass exploitation roughly six weeks after disclosure, with 250+ attempts in 24h and ongoing webshell drops, often via /customer/address_file/upload. A large share of stores remained unpatched at first observation. (Sansec analysis; Sansec exploitation update; The Hacker News). (sansec.io)
    • File-based session storage is the default in many Magento deployments, making session abuse and subsequent RCE more feasible under certain conditions. (Adobe docs; Sansec). (experienceleague.adobe.com)

Here’s why this matters for forensics

  • LockBit 5.0 shrinks your response window. Its anti-analysis, ETW patch, and log clearing behaviors mean less native telemetry if you arrive late. Expect missing Windows log channels and packed loaders that defeat naive static triage. (Trend Micro). (trendmicro.com)
  • SessionReaper isn’t just account takeover. In default configs it enables webshell uploads and can pivot to full server compromise and lateral movement off the e-commerce edge. (Sansec; The Hacker News). (sansec.io)

Key Artifacts to Pull

  • LockBit 5.0 (Windows)

    • Timeline the encryptor: MFT, USN, Prefetch, Amcache, SRUM, and EDR process lineage for the encryptor and any LOLBINs used for discovery/lateral movement. Look for creation of ReadMeForDecrypt.txt and randomized 16-hex extensions. (Trend Micro). (trendmicro.com)
    • Event logs: check for Security 1102 (audit log cleared) and other channel clears correlating with EvtClearLog API usage. (Microsoft). (learn.microsoft.com)
    • Memory: scan for tampering of EtwEventWrite and reflection-loaded payloads; capture full RAM if feasible before reboot. (Trend Micro). (trendmicro.com)
  • LockBit 5.0 (Linux)

    • Bash history, /var/log/auth.log, systemd journals, and paths targeted by the encryptor per CLI options. Confirm ransom notes and randomized extensions match Trend Micro indicators. (Trend Micro). (trendmicro.com)
  • LockBit 5.0 (ESXi)

    • ESXi host artifacts: /var/log/hostd.log, /var/log/vmkernel.log, and datastore changes for bulk file renames/encryptions; capture the encryptor binary and help/CLI output if still present. (Trend Micro). (trendmicro.com)
  • Magento SessionReaper

    • Web access logs (Nginx/Apache) for REST calls around exploitation windows; specifically look for /customer/address_file/upload and unusual REST payload sizes or 500/400 bursts preceding webshell activity. (Sansec). (sansec.io)
    • Magento app logs: <magento_root>/var/log/system.log and exception.log. (Adobe docs). (experienceleague.adobe.com)
    • Session stores: check default <magento_root>/var/session or configured session.save_path; enumerate for PHP content inside session files. (Adobe docs). (experienceleague.adobe.com)
    • Webroot and media: pub/media and other upload paths for recent *.php, phpinfo probes, and common webshell names added around first suspicious REST calls. (Sansec). (sansec.io)

Detection Notes

  • LockBit 5.0 file/host indicators

    • Randomized 16-character extension and ReadMeForDecrypt.txt note creation (anchor the regex on the extension, not the whole file name, or every 16-hex file name such as a hash-named cache entry will match):
      index=edr OR index=fsmon
      | regex file_name="(\.[A-Fa-f0-9]{16}|^ReadMeForDecrypt\.txt)$"
      | stats count by host, user, file_path, process_name, _time
    • Event log clearing (Security 1102) around the first encryption event:
      index=wineventlog sourcetype=WinEventLog:Security EventCode=1102
      | stats count min(_time) as first_seen max(_time) as last_seen by host, user
    • Hunt for ETW tampering and reflection loading in EDR (API patch on EtwEventWrite; unsigned module mapping into ransomware process). (Trend Micro; Microsoft 1102 reference). (trendmicro.com)

  • Magento SessionReaper HTTP/FS indicators

    • REST abuse and webshell writes (bucket by time so bursts show up as rows rather than one row per request):
      index=web sourcetype=access*
      | search uri_path="/customer/address_file/upload" OR uri_path="/rest/*"
      | bin _time span=5m
      | stats count, values(status) as http_status by src_ip, uri_path, http_method, user_agent, _time
      # quick triage on a host (adjust root):
      find /var/www/html/pub/media -type f -name "*.php" -mtime -7 -ls
      # session files are serialized PHP data; a literal open tag inside one is the signal, not the "file" type
      find <magento_root>/var/session -type f -mtime -7 -exec grep -lE '<\?(php|=)' {} +
    • Look for phpinfo probes immediately after REST bursts and before shell drops. (Sansec). (sansec.io)
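As an added worked example, not taken from the Check Point or Trend Micro write-ups, here are the two LockBit 5.0 host indicators above expressed as a Python correlation over constructed EDR/file-monitor and Security 1102 records: it classifies paths by the 16-hex extension or the note name, derives each host's encryption window, and reports hosts where an audit-log clear landed near that window. Host names, timestamps and the 30-minute slack are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real EDR output): (host, ISO timestamp, path).
FILE_EVENTS = [
    ("WS01", "2025-10-20T02:14:05", r"C:\Users\a\Docs\q3.xlsx.3f9a1c77e0b2d4a6"),
    ("WS01", "2025-10-20T02:14:06", r"C:\Users\a\Docs\plan.docx.3f9a1c77e0b2d4a6"),
    ("WS01", "2025-10-20T02:14:09", r"C:\Users\a\Docs\ReadMeForDecrypt.txt"),
    ("WS02", "2025-10-20T09:00:00", r"C:\Temp\build.log"),
]
# Constructed Security 1102 (audit log cleared) records: (host, ISO timestamp).
LOG_CLEAR_EVENTS = [("WS01", "2025-10-20T02:16:30"), ("WS02", "2025-10-21T11:00:00")]

# Side effects described in the Trend Micro analysis: 16-hex-char extension, fixed note name.
EXT_RE = re.compile(r"\.[0-9a-f]{16}$", re.IGNORECASE)
NOTE_RE = re.compile(r"(^|[\\/])ReadMeForDecrypt\.txt$", re.IGNORECASE)

def classify(path):
    """Return 'note', 'encrypted' or None for one file path."""
    if NOTE_RE.search(path):
        return "note"
    if EXT_RE.search(path):
        return "encrypted"
    return None

def encryption_windows(events):
    """Per host: first/last indicator time plus per-indicator counts."""
    win = defaultdict(lambda: {"first": None, "last": None, "encrypted": 0, "note": 0})
    for host, ts, path in events:
        kind = classify(path)
        if kind is None:
            continue
        t = datetime.fromisoformat(ts)
        w = win[host]
        w[kind] += 1
        w["first"] = t if w["first"] is None else min(w["first"], t)
        w["last"] = t if w["last"] is None else max(w["last"], t)
    return dict(win)

def correlate_log_clear(events, clears, slack=timedelta(minutes=30)):
    """Hosts whose Security 1102 event fell within `slack` of their encryption window (assumed window)."""
    wins = encryption_windows(events)
    hits = set()
    for host, ts in clears:
        w = wins.get(host)
        if w and w["first"] - slack <= datetime.fromisoformat(ts) <= w["last"] + slack:
            hits.add(host)
    return sorted(hits)
```

A host that appears in `correlate_log_clear` but has no `note` count is worth a second look: the extension pattern alone can collide with hash-named cache files, while the note plus a 1102 clear is much harder to explain benignly.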
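Added example, not part of the original notes or of Sansec's tooling: a Python pass over constructed Nginx/Apache combined-format access log lines that scores each source IP on the three SessionReaper signals called out above (upload-endpoint hits, 4xx/5xx responses on REST paths, and a successful fetch of PHP from under media). The log lines, IPs and the media path prefix are constructed assumptions.

```python
import re
from collections import defaultdict

# Nginx/Apache "combined" log format; only the fields used below are named.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "(?P<ua>[^"]*)"')
UPLOAD_PATH = "/customer/address_file/upload"          # endpoint named in the Sansec reporting
MEDIA_PHP_RE = re.compile(r"^/(pub/)?media/.*\.php$", re.IGNORECASE)  # assumed webroot layout

# Constructed sample lines (not from a real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [21/Oct/2025:03:11:02 +0000] "POST /rest/V1/guest-carts HTTP/1.1" 400 87 "-" "python-requests/2.32"
203.0.113.7 - - [21/Oct/2025:03:11:03 +0000] "POST /customer/address_file/upload HTTP/1.1" 500 1203 "-" "python-requests/2.32"
203.0.113.7 - - [21/Oct/2025:03:11:04 +0000] "POST /customer/address_file/upload HTTP/1.1" 200 412 "-" "python-requests/2.32"
203.0.113.7 - - [21/Oct/2025:03:11:09 +0000] "GET /media/customer_address/x1.php HTTP/1.1" 200 2310 "-" "python-requests/2.32"
198.51.100.4 - - [21/Oct/2025:03:12:00 +0000] "GET /rest/V1/products/SKU1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def parse(log_text):
    """Yield one dict per parsable line; lines that do not match the format are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def score_sources(log_text):
    """Per source IP: upload-endpoint hits, 4xx/5xx on REST paths, successful PHP fetches under media."""
    per_ip = defaultdict(lambda: {"upload": 0, "rest_errors": 0, "php_under_media": [], "ua": set()})
    for r in parse(log_text):
        s = per_ip[r["ip"]]
        path = r["path"].split("?", 1)[0]          # drop the query string before matching
        s["ua"].add(r["ua"])
        if path.endswith(UPLOAD_PATH):             # matches with or without a /rest/V1 prefix
            s["upload"] += 1
        if path.startswith("/rest/") and r["status"][0] in "45":
            s["rest_errors"] += 1
        if MEDIA_PHP_RE.match(path) and r["status"] == "200":
            s["php_under_media"].append(path)
    return dict(per_ip)

def suspicious(log_text):
    """IPs that hit the upload endpoint and also pulled PHP from under media: treat as a webshell drop."""
    return sorted(ip for ip, s in score_sources(log_text).items() if s["upload"] and s["php_under_media"])
```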

Response Guidance

  • LockBit 5.0

    • Isolate impacted systems; preserve volatile memory before reboot to catch ETW patches/DLL reflection artifacts. Kill lateral movement channels (RDP/VPN) and disable discovered service accounts. Reference CISA LockBit guidance for containment/eradication steps aligned to affiliate TTPs. (CISA AA23-325A). (cisa.gov)
    • Prioritize hypervisor triage if ESXi is hit; one host can mean dozens of encrypted VMs. Validate backups and snapshot chains offline before attempting restore. (Trend Micro). (trendmicro.com)
  • Magento SessionReaper

    • Patch or apply the Adobe hotfix immediately and validate with functional tests; Cloud customers should confirm WAF rules are active. (Adobe APSB25-88). (helpx.adobe.com)
    • Audit and clean: remove uploaded shells, rotate all Magento/admin credentials, invalidate customer sessions, rotate the Magento crypt key if session compromise is suspected, and sweep the codebase for persistence. (Sansec). (sansec.io)
    • Review REST integrations for constructor parameter injection assumptions; update extensions per Adobe’s ServiceInputProcessor changes. (Adobe KCS guide). (experienceleague.adobe.com)

Takeaways

  • Ship hunts for LockBit 5.0’s note/extension pattern and ETW/log clear side-effects today; be ready to pivot to ESXi if servers disappear from monitoring. (Trend Micro; Microsoft 1102). (trendmicro.com)
  • If you run Magento, treat SessionReaper as an incident until proven otherwise: patch, sweep for shells, rotate secrets, and review REST-facing customizations against Adobe’s updated validation model. (Adobe APSB25-88; Sansec). (helpx.adobe.com)

Sources / References