A newly exposed advanced persistent threat (APT) campaign, tracked as RU-APT-ChainReaver-L, is hijacking trusted file-hosting sites and long-standing GitHub accounts to deliver stealthy malware to Windows, macOS, and iOS users at scale.
The campaign abuses popular mirror and file-distribution portals such as Mirrored.to and Mirrorace.org by modifying their code so that visitors looking for legitimate downloads are silently funneled through attacker-controlled redirection chains.
On these sites, users are presented with familiar download layouts, but new “sponsored” or highlighted buttons like “Files DL” or oversized “Download Now / Fast Download” prompts actually send them to malicious infrastructure instead of the intended file hosts.
From there, the infection path branches based on the victim’s operating system, making the operation highly adaptable.
Windows users are redirected to malware-laced archives hosted on common cloud storage platforms such as MediaFire, MegaFile, Dropbox and similar services, often wrapped as installers or software bundles like “VirtualBox-6.1.10” or “Free Download Files.rar.”
Security analysts describe it as one of the largest and most complex supply chain operations seen targeting both regular users and organizational environments in recent years.
After finding evidence of intrusion and confirming the compromise of this site, the GRAPH Cyber Threat Intelligence (CTI) team conducted a more in-depth investigation.
macOS users are targeted with sophisticated “ClickFix” social-engineering pages that instruct them to copy and run a single Terminal command, which triggers multi-stage, file-less payload delivery and executes infostealing malware in memory.
GitHub Repositories Weaponized
iOS users are driven to an App Store listing for a VPN app whose publisher appears fraudulent, then exposed to phishing flows and malicious pop-ups after installation.
The same infrastructure extends into GitHub, where at least 50 aged or reputable user accounts have been compromised and repurposed to host malicious repositories branded as cracks, unlockers, and activation toolkits for popular software and games.
If the user chooses one of the legitimate file-sharing services, they proceed to the next step in the process.

These repositories display polished READMEs, fake user reviews, and bogus VirusTotal “clean” claims, then redirect victims to attacker pages implemented on Google Sites and other trusted platforms before delivering the final malware payloads.
Technical analysis shows that the Windows malware variants act as powerful infostealers, harvesting browser credentials, messenger databases, cryptocurrency wallets, desktop and document files, and more before exfiltrating the data over HTTP to attacker servers.
macOS tools, including a stealer family dubbed MacSync, target browser data, Apple Notes, SSH and cloud keys, and even replace Ledger and Trezor wallet apps with trojanized versions to capture recovery seeds and drain crypto funds.
Many samples use valid code-signing certificates from multiple companies and remain undetected by several mainstream antivirus engines at scan time, significantly complicating traditional defenses.
Mitigations
Researchers estimate that over 100 domains are involved in this campaign, covering infection pages, redirectors, and command-and-control endpoints, with infrastructure, payloads, and passwords frequently rotated to stay ahead of detection.
Users downloaded the malware file by clicking the Download EasyLauncher button. As of the writing of this report, the malware file is named EasyBin.zip.

The operators also lean heavily on legitimate ecosystems (GitHub, Google Sites, Dropbox and other well-known services) to blend into normal traffic patterns and evade Security Operations Center monitoring.
Organizations are urged to treat user-side supply chain vectors as seriously as classic software supply chain risks, especially where employees routinely download tools, cracks, or media from mirror and code-hosting platforms.
Recommended defenses include extended detection and response (XDR), strict monitoring of file transfers, aggressive filtering or isolation of untrusted downloads, and continuous user awareness training focused on fake “human verification,” terminal one-liner installs, and too-good-to-be-true activation toolkits.
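As an added illustration, not part of the report or the researchers' tooling, the following detector applies the "strict monitoring of file transfers" advice to the redirect-chain pattern described above: an archive pulled from a consumer cloud host shortly after the same client visited a mirror portal, GitHub, or Google Sites. The proxy-log format and the `example-redirector.invalid` host are constructed placeholders; the host lists come from the services named in the report.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample web-proxy log: "<client> <url> <referer> <content-type>".
SAMPLE_LOG = """\
10.0.0.5 https://mirrored.to/files/abc https://www.google.com/ text/html
10.0.0.5 https://example-redirector.invalid/go?id=7 https://mirrored.to/files/abc text/html
10.0.0.5 https://www.mediafire.com/file/xyz/Free+Download+Files.rar - application/octet-stream
10.0.0.9 https://github.com/someone/unlocker https://www.google.com/ text/html
10.0.0.9 https://sites.google.com/view/unlock-kit https://github.com/someone/unlocker text/html
10.0.0.9 https://www.dropbox.com/s/q1/VirtualBox-6.1.10.zip?dl=1 https://sites.google.com/view/unlock-kit application/zip
10.0.0.7 https://www.dropbox.com/s/q2/report.pdf https://intranet.corp.example/ application/pdf
"""

# Entry points the report names: compromised mirror portals, GitHub accounts, Google Sites lures.
ENTRY_HOSTS = {"mirrored.to", "mirrorace.org", "github.com", "sites.google.com"}
# Consumer cloud storage the report names as archive drop sites.
DROP_HOSTS = {"mediafire.com", "dropbox.com"}
ARCHIVE_RE = re.compile(r"\.(zip|rar|7z)$", re.IGNORECASE)
ARCHIVE_TYPES = {"application/zip", "application/x-rar-compressed", "application/octet-stream"}

def host_of(url):
    """Registrable-ish host name with a leading 'www.' stripped."""
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def find_redirect_chains(log_text, window=5):
    """Return archive downloads from DROP_HOSTS whose client passed through an
    ENTRY_HOSTS page (in its last `window` requests or as Referer) beforehand."""
    history = defaultdict(list)  # client -> recent URLs
    findings = []
    for line in log_text.splitlines():
        client, url, referer, ctype = line.split()
        host = host_of(url)
        is_archive = bool(ARCHIVE_RE.search(urlparse(url).path)) or ctype in ARCHIVE_TYPES
        if host in DROP_HOSTS and is_archive:
            chain = [host_of(u) for u in history[client]]
            seen = set(chain) | ({host_of(referer)} if referer != "-" else set())
            if seen & ENTRY_HOSTS:
                findings.append({"client": client, "payload": url, "chain": chain + [host]})
        history[client] = (history[client] + [url])[-window:]
    return findings

if __name__ == "__main__":
    for hit in find_redirect_chains(SAMPLE_LOG):
        print(hit["client"], " -> ".join(hit["chain"]))
```

The benign PDF fetched by 10.0.0.7 straight from an intranet page is left alone, while both chains the report describes (mirror portal to MediaFire archive, GitHub to Google Sites to Dropbox archive) are flagged with their hop sequence.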