New Albabat Ransomware Targets Linux, macOS via GitHub


The notorious Albabat ransomware — also known as White Bat — is expanding its reach beyond Windows, according to new research by cybersecurity firm Trend Micro. The latest versions now target Linux and macOS systems, signaling a major shift in this evolving cyber threat.

Albabat’s Expansion: From Windows to Cross-Platform Attacks

Active since 2023, Albabat ransomware initially gained traction by infecting Windows machines through fake activation tools and cheat software. However, early signs of cross-platform ambitions appeared in 2024. Back in January, Fortinet researchers noticed the ransomware’s dropped wallpaper referenced Linux, hinting at broader targeting capabilities.

Written in Rust—a language known for easy cross-compilation—Albabat has indeed evolved. Trend Micro’s latest findings confirm that recent samples are equipped to harvest data from both Linux and macOS devices, marking a dangerous leap in its capabilities.

Cybercriminals Use GitHub to Fuel Ransomware Operations

What’s raising eyebrows in the cybersecurity community is Albabat ransomware’s abuse of GitHub. The malware fetches its configuration files and essential components directly from a private GitHub repository. Controlled by a user identified as Bill Borguiann, this repository was created in February 2024 and updated as recently as February 2025.

According to Trend Micro, the ransomware pulls its data via the GitHub REST API, setting the HTTP User-Agent header to "Awesome App" so the requests do not stand out. The retrieved configuration files dictate how the malware operates: they detail its encryption behavior and specify the commands it runs on Linux and macOS systems.

Sophisticated Tactics: Selective Encryption and Process Termination

Albabat doesn’t encrypt everything it touches. The ransomware’s configuration reveals that it bypasses dozens of folders during the encryption process. At the same time, it aggressively targets a wide range of file extensions and terminates critical processes that might disrupt its operation.

Beyond encrypting files, Albabat also doubles as a data thief. It gathers sensitive information from compromised devices and uploads the stolen data to a remote PostgreSQL database. This database helps attackers track infections, monitor payments, and manage ransom demands, according to Trend Micro.
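The two network indicators described above, the GitHub REST API fetches with the "Awesome App" User-Agent and the upload of stolen data to a remote PostgreSQL database, can both be checked from ordinary proxy and connection logs. The following Python is an added example written for this article, not code from Trend Micro or from the Albabat samples. It assumes a hypothetical proxy log format (epoch, client, method, URL, status, quoted User-Agent) and a hypothetical connection log format (epoch, source, destination, destination port, protocol); the sample log lines are constructed, the repository path is a placeholder, and the assumption that the database listens on PostgreSQL's default port 5432 is the example's own, since the article does not name a port.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (hypothetical format: epoch client method url status "user-agent").
# Not real captures; the repository path is a placeholder.
PROXY_LOG = """\
1741000001 10.0.5.23 GET https://api.github.com/repos/EXAMPLE-OWNER/EXAMPLE-REPO/contents/config.json 200 "Awesome App"
1741000002 10.0.5.23 GET https://github.com/ 200 "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
1741000003 10.0.5.40 GET https://api.github.com/user/repos 200 "git/2.43.0"
1741000004 10.0.5.41 GET https://example.org/ 200 "Awesome App"
"""

# Constructed connection log lines (hypothetical format: epoch src dst dport proto).
CONN_LOG = """\
1741000010 10.0.5.23 203.0.113.77 5432 tcp
1741000011 10.0.5.23 10.0.9.8 5432 tcp
1741000012 10.0.5.40 203.0.113.77 443 tcp
"""

PROXY_RE = re.compile(
    r'^(?P<ts>\d+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# User-Agent string reported by Trend Micro for the GitHub fetches.
SUSPICIOUS_UA = "Awesome App"
GITHUB_API_HOST = "api.github.com"
POSTGRES_PORT = "5432"  # assumption: default PostgreSQL port; the article gives none

# Address space treated as internal for this example: RFC 1918 plus loopback.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_github_api_suspicious_ua(log: str) -> list[tuple[str, str]]:
    """Return (client, url) for GitHub API requests carrying the suspicious User-Agent."""
    hits = []
    for line in log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip lines that do not parse instead of aborting the whole scan
        if urlsplit(m["url"]).hostname == GITHUB_API_HOST and m["ua"] == SUSPICIOUS_UA:
            hits.append((m["src"], m["url"]))
    return hits


def find_external_postgres(log: str) -> list[tuple[str, str]]:
    """Return (src, dst) for TCP/5432 connections from internal hosts to external ones."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, src, dst, dport, proto = parts
        if proto == "tcp" and dport == POSTGRES_PORT and is_internal(src) and not is_internal(dst):
            hits.append((src, dst))
    return hits


def correlate(proxy_log: str, conn_log: str) -> list[str]:
    """Hosts showing both indicators; the overlap is a far stronger signal than either alone."""
    github_hosts = {src for src, _ in find_github_api_suspicious_ua(proxy_log)}
    pg_hosts = {src for src, _ in find_external_postgres(conn_log)}
    return sorted(github_hosts & pg_hosts)


if __name__ == "__main__":
    for src, url in find_github_api_suspicious_ua(PROXY_LOG):
        print(f"[github-ua] {src} -> {url}")
    for src, dst in find_external_postgres(CONN_LOG):
        print(f"[external-pg] {src} -> {dst}:{POSTGRES_PORT}")
    print("both indicators:", correlate(PROXY_LOG, CONN_LOG))
```

On its own, a User-Agent string is a weak indicator, since any client can choose it and the attacker can change it in the next build; the same applies to a single outbound database connection. The correlation step is what matters in practice: an endpoint that both fetches from the GitHub API with a non-browser, non-git client and opens a PostgreSQL session to an address outside the organization matches the behaviour the article describes and deserves a look.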

Albabat’s Continuous Development Signals Growing Threat

One concerning detail is that Albabat remains under active development. Trend Micro discovered that the configuration files inside the GitHub repository refer to version 2.5, while the ransomware samples detected in live attacks are still on version 2.0.

This ongoing development means Albabat is likely evolving rapidly, adding new features and enhancing its attack methods. Cybersecurity experts warn that this cross-platform ransomware—backed by GitHub’s infrastructure—poses a growing risk to organizations worldwide.
