RU-APT-ChainReaver-L: A Sophisticated Cross-Platform Supply Chain Attack Targeting Trusted Websites and GitHub Repositories
A highly sophisticated cyber threat, dubbed RU-APT-ChainReaver-L, has emerged, targeting users across multiple operating systems by compromising trusted mirror websites and GitHub repositories. This campaign represents one of the most elaborate supply chain attacks identified recently, affecting Windows, macOS, and iOS platforms simultaneously. Employing advanced techniques such as code signing with valid certificates, deceptive redirect chains, and malware distribution through legitimate cloud services, the attackers have made detection exceptionally challenging for traditional security systems.
Compromised Infrastructure and Attack Methodology
The attackers have infiltrated two major file-sharing mirror services—Mirrored.to and Mirrorace.org—which are widely utilized by software download websites globally. By injecting malicious code into these platforms, the threat actors have transformed trusted infrastructure into delivery mechanisms for infostealer malware. When users attempt to download files through these compromised services, they are redirected through multiple intermediary pages designed to bypass security detection while maintaining an appearance of legitimacy.
GRAPH analysts identified this campaign while investigating a significant volume of user credentials appearing on dark web marketplaces. The research team traced these stolen accounts back to a coordinated infection operation that had been active for several months. Through their Extended Detection and Response platform and threat hunting operations, GRAPH researchers uncovered an attack infrastructure spanning over 100 domains, including command-and-control servers, infection pages, and redirection intermediaries. The campaign’s operators continuously update their tools and infrastructure, modifying malware signatures and delivery methods at short intervals to evade antivirus detection.
Platform-Specific Attack Vectors
The attack methodology varies depending on the victim’s operating system:
– Windows Users: Victims are redirected to cloud storage services like MediaFire and Dropbox, where password-protected archives contain signed malware that appears legitimate to security software.
– macOS Users: Victims encounter deceptive pages that trick them into manually executing terminal commands, leading to the download and installation of the MacSync Stealer malware.
– iOS Users: Victims are directed to fraudulent VPN applications on the Apple App Store that subsequently launch phishing attacks against their devices.
Exploitation of GitHub Repositories
The campaign’s use of GitHub demonstrates a sophisticated understanding of security team blind spots. GRAPH researchers noted that attackers compromised 50 GitHub accounts—many registered years ago with established histories—to host malicious repositories. These accounts were predominantly hijacked in November 2025 and repurposed to distribute cracked software and activation tools, specifically targeting users searching for pirated software.
Malware Capabilities
The Windows malware operates as an infostealer, capturing screenshots, extracting cryptocurrency wallet data, messenger databases, browser credentials, and copying files from Desktop, Documents, and Downloads folders. GRAPH analysts noted that samples include valid code signing certificates from multiple companies, significantly complicating detection efforts.
The macOS MacSync Stealer operates filelessly in memory, collecting browser data, cryptocurrency wallets including Ledger and Trezor, SSH keys, and other sensitive information. Its fileless nature makes it particularly challenging to detect and remove.
Recommendations for Mitigation
Given the sophistication and cross-platform nature of the RU-APT-ChainReaver-L campaign, users and organizations are advised to:
1. Exercise Caution with Downloads: Avoid downloading software from untrusted sources or mirror websites. Always verify the authenticity of the source before downloading.
2. Regularly Update Software: Ensure that all operating systems and applications are up to date with the latest security patches.
3. Implement Advanced Security Solutions: Utilize comprehensive security solutions that offer behavior-based detection to identify and mitigate sophisticated threats.
4. Monitor for Unusual Activity: Regularly monitor systems for unusual activity, such as unexpected redirects or unauthorized access attempts.
5. Educate Users: Provide training to users about the risks of downloading software from untrusted sources and the importance of verifying the authenticity of software and updates.
By implementing these measures, individuals and organizations can enhance their defenses against sophisticated supply chain attacks like RU-APT-ChainReaver-L.
