Albabat Ransomware Evolves to Target Linux and macOS


New versions of the Albabat ransomware have been developed, enabling threat actors to target multiple operating systems (OS) and improve the efficiency of attacks.

Trend Micro researchers said ransomware version 2.0 targets not only Microsoft Windows but also gathers system and hardware information on Linux and macOS.


This version uses a GitHub account to store and deliver configuration files for ransomware.

This use of GitHub is designed to streamline operations.

The researchers also found evidence of the development of a further Albabat ransomware variant, 2.5, which has currently not been used in the wild.

The findings demonstrate the rapid evolution of ransomware tools and techniques to expand and enhance attacks.

Albabat is a ransomware variant written in Rust, which is used to identify and encrypt files. It was first observed in November 2023.

How the New Albabat Version Works

Trend Micro decoded the new ransomware version to understand its configurations.

Version 2.0.0 only targets certain file types for encryption, including .themepack, .bat, .com, .cmd and .cpl.

It ignores folders such as Searches, AppData, $RECYCLE.BIN and System Volume Information.

In addition, the new version kills processes such as taskmgr.exe, processhacker.exe, regedit.exe, code.exe, excel.exe, powerpnt.exe, winword.exe and msaccess.exe. This is likely to help evade detection and disable security tools or services that could interfere with the encryption process.

The researchers observed that the ransomware connects to a PostgreSQL database to track infections and payments. This data helps attackers to make ransom demands, monitor infections and sell victims’ data.

Notably, the configurations include commands for Linux and macOS, indicating that binaries have been developed to target these platforms.

The researchers also found that the GitHub repository billdev.github.io is used to store and deliver configuration files for Albabat ransomware.

This GitHub page was created just over a year ago, on February 27, 2024. The account is registered under the name “Bill Borguiann,” which is likely an alias or pseudonym.

Although the repository used by the ransomware is currently private, it remains accessible through an authentication token observed in Fiddler during the connection.

The repository’s commit history demonstrates ongoing active development of the ransomware, with the user primarily modifying the configuration code. The most recent commit was on February 22, 2025.
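As an added defender-side illustration (not code from Trend Micro or from this article), the following Python hunting rule scores constructed endpoint telemetry for the behaviours described above: the process kill list, the PostgreSQL call-back and the configuration fetch from billdev.github.io. The event schema, the 30-second window and the three-kill threshold are assumptions made for the example.

```python
from collections import defaultdict
# Processes the report says Albabat 2.0 terminates before encrypting.
KILL_LIST = {"taskmgr.exe", "processhacker.exe", "regedit.exe", "code.exe",
             "excel.exe", "powerpnt.exe", "winword.exe", "msaccess.exe"}
CONFIG_HOST = "billdev.github.io"   # config-delivery repository named in the report
WINDOW_SECONDS = 30   # assumed burst window for the kill heuristic
MIN_KILLS = 3         # assumed threshold; one closed app is not a signal

def score_events(events):
    """Return {actor_pid: [reasons]} for processes whose telemetry matches the
    behaviours above. Assumed event schema: 'ts' (seconds), 'type'
    ('proc_terminate' or 'net_connect'), 'actor_pid', and 'target' (image
    name) for terminations or 'host'/'port' for connections."""
    kills = defaultdict(list)      # actor_pid -> [(ts, image)]
    findings = defaultdict(list)
    for ev in events:
        pid = ev["actor_pid"]
        if ev["type"] == "proc_terminate" and ev["target"].lower() in KILL_LIST:
            kills[pid].append((ev["ts"], ev["target"].lower()))
        elif ev["type"] == "net_connect":
            host = ev.get("host", "").lower()
            if host == CONFIG_HOST:
                findings[pid].append("fetches config from " + CONFIG_HOST)
            elif ev.get("port") == 5432:   # default PostgreSQL port
                findings[pid].append("direct PostgreSQL connection to " + host)
    # Burst check: MIN_KILLS distinct kill-list images within WINDOW_SECONDS.
    for pid, items in kills.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            names = {n for t, n in items[i:] if t - t0 <= WINDOW_SECONDS}
            if len(names) >= MIN_KILLS:
                findings[pid].append(f"terminated {len(names)} kill-list processes in {WINDOW_SECONDS}s")
                break
    return dict(findings)

# Constructed sample telemetry: pid 4242 matches the report; pid 900 is a user
# closing Excel and then Word minutes apart (203.0.113.5 is a documentation address).
SAMPLE_EVENTS = [
    {"ts": 100, "type": "proc_terminate", "actor_pid": 4242, "target": "taskmgr.exe"},
    {"ts": 101, "type": "proc_terminate", "actor_pid": 4242, "target": "regedit.exe"},
    {"ts": 103, "type": "proc_terminate", "actor_pid": 4242, "target": "winword.exe"},
    {"ts": 110, "type": "net_connect", "actor_pid": 4242, "host": "billdev.github.io", "port": 443},
    {"ts": 115, "type": "net_connect", "actor_pid": 4242, "host": "203.0.113.5", "port": 5432},
    {"ts": 100, "type": "proc_terminate", "actor_pid": 900, "target": "excel.exe"},
    {"ts": 500, "type": "proc_terminate", "actor_pid": 900, "target": "winword.exe"},
]

if __name__ == "__main__":
    for pid, reasons in score_events(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

Only pid 4242 is reported; the ordinary user activity of pid 900 falls below the burst threshold and is ignored.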

Another Albabat Variant in Development

A folder named 2.5.x was also discovered in the GitHub repository, which suggests a new version of the ransomware is in development.

No ransomware binary was found in the 2.5.x directory. Instead, a config.json file was observed.

This configuration included newly added cryptocurrency wallets for Bitcoin, Ethereum, Solana and BNB. No transactions have been detected in these wallets yet.

Trend Micro said the findings demonstrate the importance of monitoring indicators of compromise (IoCs) for staying ahead of constantly evolving threats like Albabat.

Tracking IoCs provides insights into attack patterns, enabling the creation of proactive prevention strategies.

Image credit: Stanislaw Mikulski / Shutterstock.com
