A sophisticated cyberattack has recently emerged, affecting users across various operating systems by exploiting trusted mirror websites and GitHub repositories. This extensive supply chain attack, known as RU-APT-ChainReaver-L, targets Windows, macOS, and iOS platforms simultaneously, making it one of the most complex threats identified to date.
Advanced Techniques and Compromised Infrastructure
The attackers employ intricate methods such as code signing with legitimate certificates, misleading redirect chains, and malware dissemination via reputable cloud services, complicating detection efforts by standard security systems. The campaign’s infrastructure is notably large and intricate, with attackers compromising two prominent file-sharing mirror services: Mirrored.to and Mirrorace.org, which are extensively used by software download sites worldwide.
By embedding malicious code into these platforms, the threat actors have effectively turned trusted infrastructures into vectors for deploying infostealer malware. Users attempting to download files through these compromised services are redirected through numerous intermediary pages, designed to evade security measures while maintaining an appearance of legitimacy.
Detection and Analysis by GRAPH Researchers
GRAPH analysts uncovered this campaign while examining a surge in user credentials on dark web marketplaces. Their investigation traced these stolen accounts to a coordinated infection operation that had been active for several months. Using their Extended Detection and Response platform and threat hunting operations, GRAPH researchers exposed an attack infrastructure encompassing over 100 domains, including command-and-control servers and redirection intermediaries.
The campaign’s operators constantly update their tools and infrastructure, frequently altering malware signatures and delivery methods to evade antivirus detection. The attack methodology varies based on the victim’s operating system, with Windows users redirected to cloud storage services like MediaFire and Dropbox, where password-protected archives contain signed malware. macOS users encounter ClickFix attacks involving deceptive pages that prompt manual execution of terminal commands to download and install MacSync Stealer malware. iOS users are misled into downloading fraudulent VPN applications from the Apple App Store, which then launch phishing attacks against their devices.
Exploitation of GitHub and Malware Impact
The campaign’s exploitation of GitHub highlights a sophisticated understanding of where security teams’ defenses are weakest. GRAPH researchers observed that attackers compromised 50 GitHub accounts, many established years ago, to host malicious repositories. These accounts, primarily hijacked in November 2025, were repurposed to distribute cracked software and activation tools, especially targeting users seeking pirated software.
The Windows malware acts as an infostealer, capturing screenshots, extracting cryptocurrency wallet data, messenger databases, and browser credentials, and copying files from the Desktop, Documents, and Downloads folders. GRAPH analysts reported that samples carry valid code signing certificates issued to multiple companies, significantly hindering detection efforts.
Mitigation Strategies and Future Outlook
Organizations should adopt comprehensive defense strategies, with user education as a critical layer, since infections heavily rely on social engineering. Security teams must implement multi-layered endpoint protection, including EDR systems capable of detecting unusual process behaviors and suspicious file access patterns. Network monitoring should focus on connections to file-sharing services and newly registered domains.
Restricting direct internet access for user systems and routing downloads through file analysis platforms that combine static and dynamic analysis with machine learning is essential. As the cyber threat landscape continues to evolve, staying informed and vigilant is crucial for safeguarding against such sophisticated attacks.
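The network-monitoring advice above can be turned into a concrete hunt: reconstruct each client’s run of HTTP redirects from proxy logs and flag runs that end in an archive download from one of the cloud services named in the report. The script below is an added example, not GRAPH’s tooling; the proxy log format, the intermediary hostnames, and the log lines themselves are constructed for illustration.

```python
"""Flag proxy-log sessions matching the redirect-chain-to-cloud-archive pattern.
Log format, hostnames other than those named in the report, and all log lines
are constructed for this example."""
import re
from collections import defaultdict

# Constructed proxy log: "<time> <client_ip> <status> <method> <url>"
PROXY_LOG = """\
10:00:01 10.1.1.5 302 GET https://mirrored.to/files/abc123
10:00:02 10.1.1.5 302 GET https://redir-one.example/go?id=7
10:00:02 10.1.1.5 302 GET https://redir-two.example/step
10:00:03 10.1.1.5 200 GET https://www.mediafire.com/file/xyz/Setup.zip
10:05:10 10.1.1.9 200 GET https://www.dropbox.com/s/abc/report.pdf
10:06:00 10.1.1.7 302 GET https://mirrorace.org/m/def
10:06:01 10.1.1.7 200 GET https://www.dropbox.com/s/def/activator.rar
"""

# Mirror services and cloud drop sites named in the report.
MIRROR_HOSTS = {"mirrored.to", "mirrorace.org"}
CLOUD_HOSTS = {"www.mediafire.com", "www.dropbox.com"}
ARCHIVE_EXT = (".zip", ".rar", ".7z")
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+) (\S+)$")


def host_of(url):
    """Extract the lowercase hostname from an absolute URL."""
    return url.split("//", 1)[-1].split("/", 1)[0].lower()


def find_suspicious_chains(log_text, min_hops=1):
    """Return {client_ip: {"chain": [hosts], "starts_at_mirror": bool}} for
    sessions where at least min_hops consecutive 30x redirects end in an
    archive download from a cloud host. Any non-redirect response ends a run."""
    runs = defaultdict(list)   # client -> hosts in the current redirect run
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not parse
        _, client, status, _, url = m.groups()
        host = host_of(url)
        if status.startswith("3"):
            runs[client].append(host)     # redirect: extend the run
            continue
        path = url.lower().rsplit("?", 1)[0]
        if (host in CLOUD_HOSTS and path.endswith(ARCHIVE_EXT)
                and len(runs[client]) >= min_hops):
            hits[client] = {"chain": runs[client] + [host],
                            "starts_at_mirror": runs[client][0] in MIRROR_HOSTS}
        runs[client] = []                 # final response: reset the run
    return hits
```

Raising `min_hops` trades recall for precision: the report describes "numerous intermediary pages", so a higher threshold isolates the long chains while still catching a direct mirror-to-archive hop at the default.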
