RU-APT-ChainReaver-L Hijacks Trusted Websites and GitHub Repos in
David Kimber
February 11, 2026 3 Min Read

A sophisticated cyber threat is now actively exploiting compromised mirror websites and GitHub repositories. It targets users across multiple operating systems.

The RU-APT-ChainReaver-L campaign represents one of the most elaborate supply chain attacks identified recently, affecting Windows, macOS, and iOS platforms simultaneously.

This campaign employs advanced techniques including code signing with valid certificates, deceptive redirect chains, and malware distribution through legitimate cloud services, making detection exceptionally difficult for traditional security systems.

The campaign’s infrastructure demonstrates remarkable scale and complexity. Attackers have compromised two major file-sharing mirror services—Mirrored.to and Mirrorace.org—which are widely used by software download websites globally.

By injecting malicious code into these platforms, the threat actors effectively transformed trusted infrastructure into delivery mechanisms for infostealer malware.

When users attempt to download files through these compromised services, they are redirected through multiple intermediary pages designed to bypass security detection while maintaining an appearance of legitimacy.

GRAPH analysts identified this campaign while investigating a significant volume of user credentials appearing on dark web marketplaces.

The research team traced these stolen accounts back to a coordinated infection operation that had been active for several months.

Through their Extended Detection and Response platform and threat hunting operations, GRAPH researchers uncovered an attack infrastructure spanning over 100 domains, including command-and-control servers, infection pages, and redirection intermediaries.

The campaign’s operators continuously update their tools and infrastructure, modifying malware signatures and delivery methods at short intervals to evade antivirus detection.

The attack methodology varies depending on the victim’s operating system. Windows users are redirected to cloud storage services like MediaFire and Dropbox, where password-protected archives contain signed malware that appears legitimate to security software.

macOS victims encounter ClickFix attacks, where deceptive pages trick users into manually executing terminal commands that download and install the MacSync Stealer malware.

iOS users are directed to fraudulent VPN applications on the Apple App Store that subsequently launch phishing attacks against their devices.

GitHub Exploitation and Malware Capabilities

The campaign’s use of GitHub demonstrates sophisticated understanding of security team blind spots.

GRAPH researchers noted that attackers compromised 50 GitHub accounts—many registered years ago with established histories—to host malicious repositories.

These accounts were predominantly hijacked in November 2025 and repurposed to distribute cracked software and activation tools, specifically targeting users searching for pirated software.

Attack Flow (Source - GRAPH)

The Windows malware operates as an infostealer, capturing screenshots, extracting cryptocurrency wallet data, messenger databases, browser credentials, and copying files from Desktop, Documents, and Downloads folders.

GRAPH analysts noted that samples include valid code signing certificates from multiple companies, significantly complicating detection efforts.

MIRRORACE.org Supply Chain Attack (Source - GRAPH)

The macOS MacSync Stealer operates filelessly in memory, collecting browser data, cryptocurrency wallets including Ledger and Trezor, SSH keys, and AWS credentials.

Organizations should implement comprehensive defense strategies. User education represents the most critical layer, as infections rely on social engineering.

Security teams should deploy multi-layered endpoint protection including EDR systems capable of detecting unusual process behaviors and suspicious file access patterns.

Network monitoring should focus on connections to file-sharing services and newly registered domains.

Organizations should restrict direct internet access for user systems, routing downloads through file analysis platforms employing static analysis, dynamic analysis, and machine learning.
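The network-monitoring advice above, turned into a concrete check as an added example (not GRAPH's tooling): it walks constructed proxy-log lines and flags the redirect chain from the compromised mirror services to a cloud-hosted archive, and hits on recently registered domains. The log format, the sample lines and the domain-age table are assumptions made for the example.

```python
# Added example (not GRAPH's tooling): flag proxy-log lines matching the
# delivery pattern above. Log format assumed: '<ts> <client> <status> <referer|-> <url>'.
from urllib.parse import urlparse

MIRROR_DOMAINS = {"mirrored.to", "mirrorace.org"}   # compromised mirror services
CLOUD_HOSTS = {"mediafire.com", "dropbox.com"}       # archive hosting stage
ARCHIVE_EXT = (".zip", ".rar", ".7z")
NEW_DOMAIN_MAX_AGE = 30
# Hypothetical domain-age feed in days (constructed); a real deployment would
# enrich from WHOIS/RDAP or a threat-intel service instead.
DOMAIN_AGE_DAYS = {"mirrored.to": 3000, "mirrorace.org": 2500,
                   "mediafire.com": 6000, "dropbox.com": 6000,
                   "update-check.example": 4}
# Constructed sample lines: mirror -> cloud archive chain, a days-old domain,
# and a benign document download.
SAMPLE_LOG = """\
2026-02-10T09:12:01Z 10.1.4.22 302 - https://www.mirrored.to/files/ABC123/
2026-02-10T09:12:03Z 10.1.4.22 200 https://www.mirrored.to/files/ABC123/ https://www.mediafire.com/file/x1y2z3/Setup_v2.zip
2026-02-10T09:15:40Z 10.1.4.37 200 - https://update-check.example/check
2026-02-10T09:20:11Z 10.1.4.50 200 https://example.org/ https://www.dropbox.com/s/abcd/report.pdf
""".splitlines()

def in_zone(host, zones):
    return any(host == z or host.endswith("." + z) for z in zones)

def domain_age(host):
    ages = [d for z, d in DOMAIN_AGE_DAYS.items() if in_zone(host, {z})]
    return min(ages) if ages else None          # None = unknown, not "new"

def classify(line):
    """Return alert tags for one log line (empty list if nothing matched)."""
    _ts, _client, _status, referer, url = line.split()
    host, path = urlparse(url).hostname or "", urlparse(url).path.lower()
    ref_host = (urlparse(referer).hostname or "") if referer != "-" else ""
    tags = []
    if in_zone(host, CLOUD_HOSTS) and path.endswith(ARCHIVE_EXT):
        # Archive reached via a compromised mirror is the Windows delivery
        # chain; any cloud-hosted archive still merits a look.
        tags.append("mirror-to-cloud-archive"
                    if in_zone(ref_host, MIRROR_DOMAINS) else "cloud-archive-download")
    age = domain_age(host)
    if age is not None and age < NEW_DOMAIN_MAX_AGE:
        tags.append("newly-registered-domain")
    return tags

def scan(lines):
    """Return (client_ip, url, tags) for every flagged line."""
    flagged = [(l.split()[1], l.split()[4], classify(l)) for l in lines]
    return [f for f in flagged if f[2]]
```

Hits from `scan()` are triage candidates, not verdicts; the archive itself still needs to go through the file-analysis platform the paragraph above describes.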

Figure 3: MIRRORED.to Supply Chain Attack
