Do Son 
Displays commit metadata, including the SHA, author, committer, message, and URLs for related resources | Image: Trend Micro
Researchers at Trend Micro have uncovered new variants of the Albabat ransomware, which now targets not only Windows systems but also devices running Linux and macOS. This evolution marks a significant technical advancement for the threat actor group and a broadening of their potential victim pool. Concurrently, it was revealed that the operators are leveraging GitHub to streamline their infrastructure.
Initial sightings of Albabat date back to late 2023. Recently identified versions 2.0.0 and 2.5 demonstrate capabilities to harvest system and hardware information across multiple popular operating systems. The malware retrieves its configuration via the GitHub REST API, disguising itself as an application signed “Awesome App.” This configuration dictates the ransomware’s behavior and feature set.
Albabat ransomware is designed to bypass numerous system and user directories, thereby avoiding excessive encryption, and instead focuses on files likely to contain valuable information. The list of targeted file extensions spans several dozen types—from executables and configuration files to music libraries and DLLs. The malware also avoids certain system files and forcibly terminates numerous user and system processes, including web browsers, office applications, and process analysis tools.
Data collected by Albabat is transmitted to a Supabase cloud server using PostgreSQL, where information about the infected device, geolocation, user accounts, and infection status is stored. This database enables threat actors to monitor the spread of the ransomware, manage ransom payments, and potentially facilitate further monetization through data resale.
A particularly notable aspect of the operation is the method used to fetch configurations. The malware accesses a private GitHub repository via a closed authorization token. The repository, named billdev1.github.io, was created in February 2024 by a user going by the alias “Bill Borguiann.” Commit history shows heightened activity in August and September 2024, suggesting ongoing refinement of the malware’s configuration logic. The developer’s email is linked to the domain morke[.]org, which analysts believe may point to a centralized infrastructure maintained by the group.
Additionally, a directory named 2.5.x was discovered within the repository, likely referencing an unreleased version of the ransomware. Inside is an updated configuration file containing newly added cryptocurrency wallets—Bitcoin, Ethereum, Solana, and BNB. As of now, no transactions have been observed, indicating that the variant may still be in its testing phase.
GitHub serves as a centralized repository for critical components, allowing attackers to reduce operational costs and complexity while maintaining resilience and avoiding detection by conventional intrusion detection systems.
Trend Micro recommends that organizations remain vigilant for indicators of compromise, as early threat detection enables swifter response and damage mitigation. Recommended countermeasures include regular backups, network segmentation, timely patch management, and employee training to recognize phishing threats.
The emergence of these Albabat variants underscores the deliberate evolution of ransomware toolkits, with a clear intent to maximize reach across platforms. The use of legitimate platforms like GitHub complicates detection and remediation, demanding greater agility and precision from modern defense systems.
