A sophisticated campaign that targets users across several operating systems has surfaced, delivered through hacked mirror websites and compromised GitHub repositories. The RU-APT-ChainReaver-L campaign is one of the most complex supply chain attacks discovered recently, and it affects Windows, macOS, and iOS at the same time. By combining code signing with legitimate certificates, misleading redirect chains, and malware distribution through reputable cloud services, the campaign is very hard for conventional security tools to detect.
The campaign's infrastructure is large and intricate. Attackers compromised Mirrorace.org and Mirrored.to, two popular file-sharing mirror services used by software download websites around the world. By inserting malicious code into these platforms, the threat actors turned trusted infrastructure into a delivery system for infostealer malware.
When users try to download files through these compromised services, they are redirected through a series of intermediary pages designed to evade security detection while preserving the appearance of legitimacy. GRAPH analysts discovered the campaign while investigating a large number of user credentials that were appearing on dark web marketplaces. The research team traced these compromised accounts back to a well-planned infection campaign that had been running for several months.
Through their Extended Detection and Response platform and threat hunting activities, GRAPH researchers mapped an attack infrastructure spanning more than 100 domains, including command-and-control servers, infection pages, and redirection intermediaries. The campaign's operators update their infrastructure and tools frequently, changing malware delivery methods and signatures at short intervals to avoid antivirus detection.
The attack technique depends on the victim's operating system. Windows users are diverted to cloud storage services such as MediaFire and Dropbox, where password-protected archives contain signed malware that looks authentic to security software. macOS victims encounter ClickFix attacks, in which fraudulent websites trick users into manually running terminal commands that download and install the MacSync Stealer malware.
iOS users are redirected to phony VPN apps on the App Store, which then target their devices with phishing scams.
Malware and Exploitation Potential of GitHub
The campaign's use of GitHub shows a deep understanding of security teams' blind spots. According to GRAPH researchers, attackers compromised 50 GitHub accounts, many of which were created years ago and had established histories, in order to host malicious repositories.
These accounts were taken over primarily in November 2025 and used to distribute cracked software and activation tools, targeting users looking for pirated software.
Flow of Attack (Source: GRAPH)
The Windows malware is an infostealer: it takes screenshots, copies files from the Desktop, Documents, and Downloads folders, and retrieves data from messenger databases, cryptocurrency wallets, and browser credential stores. GRAPH analysts noted that samples carry legitimate code signing certificates issued to several different businesses, which makes detection considerably harder.
Supply Chain Attack on MIRRORACE.org (Source: GRAPH)
The macOS MacSync Stealer runs filelessly in memory and gathers SSH keys, AWS credentials, cryptocurrency wallets such as Ledger and Trezor, and browser data. Organizations should put comprehensive defense plans into action. Because infections rely on social engineering, user education is the most important layer.
Security teams should deploy multi-layered endpoint protection, including EDR systems that can identify unusual process behavior and suspicious file access patterns. Network monitoring should focus on connections to file-sharing services and to recently registered domains. Companies should limit user systems' direct access to the internet and route downloads through file analysis platforms that combine machine learning, static analysis, and dynamic analysis.
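As an added illustration of the network-monitoring advice above (not GRAPH's tooling or anything from the campaign itself), the script below triages proxy log lines, flagging connections to the file-sharing services named in this article and to domains registered within the last 30 days. The log format, the domain creation dates, and every `.example` host are constructed assumptions; a real deployment would pull creation dates from RDAP/WHOIS.

```python
import re
from datetime import date

# File-sharing services named in the campaign write-up; subdomains match too.
FILE_SHARING_DOMAINS = {"mirrorace.org", "mirrored.to", "mediafire.com", "dropbox.com"}

# Constructed stand-in for a domain-age source (RDAP/WHOIS creation dates); a real
# deployment would query RDAP and cache results. Dates and .example names are made up.
DOMAIN_CREATED = {
    "mirrorace.org": date(2009, 1, 1),
    "fresh-installer-cdn.example": date(2025, 11, 2),
    "corp-intranet.example": date(2015, 6, 1),
}
ANALYSIS_DATE = date(2025, 12, 1)  # assumed "today" for the sample run

# Assumed minimal proxy-log shape: "<timestamp> <client-ip> <host> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<host>[A-Za-z0-9.-]+)\s+(?P<status>\d{3})$")

def registrable_domain(host: str) -> str:
    # Crude: last two labels. Production code should use the public-suffix list.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def domain_age_days(host: str, today: date):
    """Age in days of the host's registrable domain, or None if unknown."""
    created = DOMAIN_CREATED.get(registrable_domain(host))
    return None if created is None else (today - created).days

def triage(log_lines, today: date, max_age_days: int = 30):
    """Return (client, host, reasons) for lines an analyst should review."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the pipeline
        host, reasons = m["host"], []
        if registrable_domain(host) in FILE_SHARING_DOMAINS:
            reasons.append("file-sharing service")
        age = domain_age_days(host, today)
        if age is not None and age <= max_age_days:
            reasons.append(f"domain registered {age} days ago")
        if reasons:
            alerts.append((m["src"], host, reasons))
    return alerts

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-12-01T10:00:01Z 10.1.2.3 www.mirrorace.org 302",
    "2025-12-01T10:00:02Z 10.1.2.3 dl.fresh-installer-cdn.example 200",
    "2025-12-01T10:00:03Z 10.1.2.4 wiki.corp-intranet.example 200",
    "garbage line that does not parse",
]
```

Running `triage(SAMPLE_LOG, ANALYSIS_DATE)` returns two alerts: the mirror host for being a file-sharing service and the 29-day-old domain for its age; the intranet host and the malformed line produce nothing.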
Figure 3: MIRRORED.to Supply Chain Attack