Albabat Ransomware Expands to macOS and Linux, Uses GitHub for Components
The Albabat ransomware, also known as White Bat, has evolved to target Windows, macOS, and Linux, retrieving key components from GitHub, according to cybersecurity firm Trend Micro.
Active since 2023, Albabat originally targeted Windows users through fake activation tools and cheat software. However, early signs of its expansion emerged in 2024 when researchers noticed its dropped desktop wallpaper referenced Linux.
Now, Trend Micro reports that newer versions can gather data from Linux and macOS systems, with their configuration files containing specific commands for these platforms.
Albabat retrieves configuration files and operational components from a private GitHub repository registered under the name Bill Borguiann. Created in February 2024 and last updated in February 2025, this repository is accessed using an authentication token.
According to Trend Micro, the ransomware connects via the GitHub REST API using a "User-Agent" string of "Awesome App", allowing it to fetch critical behavioral and operational parameters.
Analysis of Albabat's configuration files reveals that it:
Encrypts files while avoiding certain directories
Targets a wide range of file extensions
Terminates processes that could disrupt its operations
Steals sensitive data, storing it in a remote PostgreSQL database
This database helps attackers track infections, monitor ransom payments, and potentially sell stolen data.
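As an added example (not part of this article or of Trend Micro's analysis), the following Python script hunts for the two network behaviors described above over a constructed JSON-lines egress log: requests to the GitHub REST API host (api.github.com) carrying the reported "Awesome App" User-Agent, and outbound PostgreSQL connections from workstations to destinations outside the internal address space. The log field names, the assumption that the PostgreSQL traffic uses the default port 5432, and the RFC 1918 definition of "internal" are assumptions made for this example; the article states neither the port nor the database host. A source host that trips both indicators is reported with higher confidence than one that trips only one.

```python
"""Hunt for the two Albabat network behaviors over a constructed egress log."""
import json
from ipaddress import ip_address, ip_network

# Constructed sample egress log (JSON lines). The schema is an assumption
# made for this example, not the format of any real proxy or EDR product.
SAMPLE_LOG = """\
{"src": "10.0.4.21", "dst_host": "api.github.com", "dst_port": 443, "user_agent": "Awesome App"}
{"src": "10.0.4.22", "dst_host": "api.github.com", "dst_port": 443, "user_agent": "git/2.43.0"}
{"src": "10.0.4.21", "dst_host": "203.0.113.10", "dst_port": 5432, "user_agent": ""}
{"src": "10.0.4.30", "dst_host": "10.0.9.5", "dst_port": 5432, "user_agent": ""}
{"src": "10.0.4.22", "dst_host": "www.example.com", "dst_port": 443, "user_agent": "Mozilla/5.0"}
"""

# User-Agent string Trend Micro reports Albabat uses against the GitHub REST API.
ALBABAT_USER_AGENT = "awesome app"
GITHUB_API_HOST = "api.github.com"
# Assumption: the exfiltration database listens on PostgreSQL's default port.
POSTGRES_PORT = 5432
# Assumption: "internal" means RFC 1918 space plus loopback and link-local.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_log(text: str) -> list[dict]:
    """Parse JSON-lines records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def is_external(dst_host: str) -> bool:
    """True when the destination is an IP outside INTERNAL_NETS; a bare
    hostname is treated as external for this example."""
    try:
        ip = ip_address(dst_host)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETS)


def github_api_hits(records: list[dict]) -> list[dict]:
    """Requests to the GitHub REST API carrying the reported User-Agent."""
    return [r for r in records
            if r.get("dst_host", "").lower() == GITHUB_API_HOST
            and r.get("user_agent", "").strip().lower() == ALBABAT_USER_AGENT]


def remote_postgres_hits(records: list[dict]) -> list[dict]:
    """PostgreSQL-port connections to destinations outside the internal space."""
    return [r for r in records
            if r.get("dst_port") == POSTGRES_PORT
            and is_external(r.get("dst_host", ""))]


def correlate(records: list[dict]) -> dict[str, set[str]]:
    """Map each source host to the set of indicator names it triggered."""
    findings: dict[str, set[str]] = {}
    for r in github_api_hits(records):
        findings.setdefault(r["src"], set()).add("github_api_awesome_app")
    for r in remote_postgres_hits(records):
        findings.setdefault(r["src"], set()).add("remote_postgres")
    return findings


def high_confidence(findings: dict[str, set[str]]) -> list[str]:
    """Hosts that triggered both indicators, sorted for stable output."""
    return sorted(src for src, reasons in findings.items() if len(reasons) >= 2)


if __name__ == "__main__":
    found = correlate(parse_log(SAMPLE_LOG))
    for src, reasons in sorted(found.items()):
        print(src, sorted(reasons))
    print("both indicators:", high_confidence(found))
```

Run against the constructed log, only 10.0.4.21 matches both indicators; the git client hitting api.github.com and the internal database connection are left alone. In production the User-Agent match is the sharper signal, since the string is specific to the reported samples, while the PostgreSQL heuristic needs an allow-list of legitimate remote database hosts before it is quiet enough to alert on.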
Researchers warn that Albabat is still evolving. Some configuration files in its GitHub repository mention version 2.5, while active samples found in real-world infections are running version 2.0.
This rapid development suggests that Albabat’s threat level could increase, making it essential for users and organizations to stay vigilant against evolving ransomware tactics.