A new cross-platform threat has emerged in the ransomware landscape as researchers uncover new versions of Albabat ransomware targeting Windows, Linux, and macOS systems simultaneously.
The ransomware operators have implemented a sophisticated approach to manage their operations through GitHub repositories, making it easier to update configurations and track infected systems across different operating systems.
The ransomware, previously known to target only Windows systems, has expanded its capabilities significantly with versions 2.0.0 and 2.5 discovered in the wild.
Trend Micro researchers identified that these newer variants retrieve their configuration data through the GitHub REST API using a specific “User-Agent” string labeled “Awesome App,” allowing operators to modify ransomware behavior remotely without requiring new binary deployments.
Analysis of network traffic reveals how the ransomware connects to GitHub repositories to download crucial configuration files.
The HTTP GET request retrieves the configuration data from the billdev1 GitHub account, which hosts the malware’s operational parameters.
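One way a defender can hunt for this configuration-fetch behaviour in web proxy or Zeek-style HTTP logs, as an added example that is not part of the original report: the only indicators used are the ones stated above (requests to the GitHub REST API host carrying the User-Agent string “Awesome App”); the log format, source addresses and request paths are constructed for the example.

```python
from typing import Iterator

# Indicators from the report: newer Albabat variants fetch their configuration
# through the GitHub REST API using the User-Agent string "Awesome App".
GITHUB_API_HOST = "api.github.com"
ALBABAT_USER_AGENT = "Awesome App"

# Constructed sample lines in a simplified, Zeek-style tab-separated HTTP log:
# ts, src_ip, host, uri, user_agent. The request paths and IPs are made up;
# only the host and User-Agent values come from the report.
SAMPLE_HTTP_LOG = """\
1725000001.1\t10.0.0.5\tapi.github.com\t/repos/billdev1/billdev1.github.io/contents/sample.json\tAwesome App
1725000002.2\t10.0.0.7\tapi.github.com\t/repos/example/project/releases\tgit/2.45.0
1725000003.3\t10.0.0.9\twww.example.com\t/index.html\tAwesome App
1725000004.4\t10.0.0.11\tapi.github.com\t/repos/billdev1/billdev1.github.io/commits\tAwesome App
"""


def parse_http_log(text: str) -> Iterator[dict]:
    """Yield one record per non-empty line; each line has five tab-separated fields."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, uri, ua = line.split("\t", 4)
        yield {"ts": ts, "src": src, "host": host, "uri": uri, "user_agent": ua}


def is_albabat_config_fetch(rec: dict) -> bool:
    """True for a GitHub API request whose User-Agent matches the Albabat string.

    Both conditions are required: the same User-Agent sent to an unrelated host
    is weaker evidence and is deliberately not flagged here.
    """
    return (rec["host"].lower() == GITHUB_API_HOST
            and rec["user_agent"].strip() == ALBABAT_USER_AGENT)


def find_albabat_config_fetches(text: str) -> list[dict]:
    """Return every log record that matches the config-fetch pattern."""
    return [r for r in parse_http_log(text) if is_albabat_config_fetch(r)]


def suspicious_sources(text: str) -> set[str]:
    """Source IPs worth isolating and examining for an Albabat infection."""
    return {r["src"] for r in find_albabat_config_fetches(text)}


if __name__ == "__main__":
    for hit in find_albabat_config_fetches(SAMPLE_HTTP_LOG):
        print(f"{hit['ts']} {hit['src']} -> {hit['host']}{hit['uri']} UA={hit['user_agent']!r}")
    print("hosts to triage:", sorted(suspicious_sources(SAMPLE_HTTP_LOG)))
```

On the constructed log this flags the two GitHub API requests from 10.0.0.5 and 10.0.0.11 and leaves the unrelated-host line alone.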
The ransomware is programmed to avoid encrypting certain system folders and files while targeting valuable user data.
It also terminates numerous processes including productivity applications, browsers, and system utilities to ensure encryption proceeds without interference.
The configuration details extracted from GitHub show that Albabat collects extensive system information from victims, including hardware specifications and user details.
Perhaps most concerning is the ransomware’s cross-platform functionality: the configuration contains commands specifically designed for Linux and macOS systems, including scripts used to gather hardware and system information on these operating systems.
The GitHub repository billdev1.github.io forms the core of Albabat’s infrastructure, created in February 2024 according to the commit history.
This account shows consistent development activity with increased commits during August and September 2024, particularly between 00:00 to 04:00 UTC and 12:00 to 16:00 UTC as illustrated in Figure 9.
The latest version under development, identified as v2.5.x in the repository, includes updated configurations with new cryptocurrency wallets.
The configuration file reveals Bitcoin, Ethereum, Solana, and BNB addresses designated for ransom payments; the excerpt below shows the Bitcoin and Ethereum entries:

    "coin": {
        "btc": {
            "name": "B1tco1n",
            "address": "bciqnv3ksiqx564u6xk9xruixeceu5zvhnp7q6myzk",
            "amount": "0.0018"
        },
        "eth": {
            "name": "Ethereum",
            "address": "0x43d880e2966a062fAr350A574cr3da0d9c6c5F24",
            "amount": "0.04525435"
        }
    }

While no transactions have been detected in these wallets yet, their presence indicates the operators are preparing for a potential increase in attacks leveraging their cross-platform capabilities.