Albabat Ransomware Expands Targets, Abuses GitHub

New versions of the Albabat ransomware target Windows, Linux, and macOS, and retrieve configuration files from GitHub.

Newly identified versions of the Albabat ransomware are configured to target all major desktop platforms and to retrieve components from GitHub, cybersecurity firm Trend Micro reports.

Active since 2023 and also known as White Bat, Albabat is known for targeting Windows systems through fake activation tools and cheat software, but the first signs of potential expansion to other platforms were seen in early 2024.

In January last year, after noticing that the desktop wallpaper that Albabat was dropping on infected systems was mentioning Linux, Fortinet warned that the Rust-written ransomware could be cross-compiled to target more operating systems.

Now, Trend Micro reports that the most recent in-the-wild samples of the ransomware can harvest information from Linux and macOS systems, and that their configuration files include commands for these platforms.

Albabat retrieves its configuration files and other components from a private GitHub repository, accessed with an authentication token and registered under the name Bill Borguiann. The repository was created in February 2024 and last updated in February 2025.

“These new versions retrieve their configuration data through the GitHub REST API using a ‘User-Agent’ string labelled ‘Awesome App’. The configuration provides key details about the ransomware’s behavior and operational parameters,” Trend Micro explains.


The configuration files reveal that the ransomware ignores dozens of folders when encrypting files, that it targets a broad range of file extensions, and that it attempts to kill numerous processes that might interfere with its operations.

In addition to encrypting the victim’s files, Albabat steals data from the machine, storing the collected information in a remote PostgreSQL database.

“The ransomware uses a database to track infections and payments. This collected information helps attackers to make ransom demands, monitor infections, and sell victims’ data,” Trend Micro explains.
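Two of the behaviours described above, the GitHub REST API requests with the ‘Awesome App’ User-Agent and the workstation-to-remote-PostgreSQL traffic, are observable in egress logs. The following Python is an added detection example, not code from the article or from Trend Micro's report; the log format, host names, addresses and rule names are assumptions and the sample lines are constructed.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample egress log lines (not from the article); the format is assumed.
SAMPLE_LOGS = [
    '2025-03-10T09:12:01Z host=ws-042 dst=api.github.com:443 ua="Awesome App" path=/repos/x/y/contents/config.json',
    '2025-03-10T09:12:05Z host=ws-042 dst=api.github.com:443 ua="git/2.43.0" path=/repos/acme/app/contents/README.md',
    '2025-03-10T09:13:40Z host=ws-042 dst=203.0.113.10:5432 ua="" path=',
    '2025-03-10T09:14:02Z host=ws-017 dst=10.0.5.20:5432 ua="" path=',
]

LOG_RE = re.compile(r'host=(?P<host>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) ua="(?P<ua>[^"]*)"')

# User-Agent string reported by Trend Micro for the config download.
SUSPICIOUS_UA = "Awesome App"
POSTGRES_PORT = 5432
# Assumed internal address space; anything outside is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr: str) -> bool:
    """True only for literal IPs inside the assumed internal ranges; hostnames count as external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def detect(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per matching line: hosting the GitHub config-fetch pattern or external PostgreSQL."""
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # line does not follow the assumed format; skip rather than guess
        host, dst, port, ua = m["host"], m["dst"], int(m["port"]), m["ua"]
        if dst == "api.github.com" and ua == SUSPICIOUS_UA:
            alerts.append({"host": host, "rule": "github-api-awesome-app-ua"})
        if port == POSTGRES_PORT and not is_internal(dst):
            alerts.append({"host": host, "rule": "workstation-external-postgres"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Legitimate tooling (git, gh, IDE plugins) uses its own User-Agent strings, so the first rule keys on the exact label rather than on GitHub API access alone; the second rule assumes workstations have no business reason to reach PostgreSQL outside the internal ranges.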

The cybersecurity firm warns that the ransomware is under active development: some configuration files in its GitHub repository mention version 2.5, while the samples found in the wild are version 2.0.

Related: Ransomware Group Claims Attack on Virginia Attorney General’s Office

Related: Ransomware Group Claims Attacks on Ascom, Jaguar Land Rover

Related: LockBit Ransomware Developer Extradited to US

Related: Recent Fortinet Vulnerabilities Exploited in ‘SuperBlack’ Ransomware Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
