Malicious Packagist Packages Disguised as Laravel Utilities Deploy Encrypted RAT

Key Takeaways

• Threat actor 'nhattuanbl' published malicious PHP packages disguised as Laravel utilities to deploy an encrypted RAT.
• The payload executes automatically via Composer's auto-discovery or PHP's autoloader, requiring no direct instantiation by the victim.
• A clean package (lara-swagger) acts as a vector by declaring the malicious lara-helper package as a dev-master dependency.
• The RAT communicates with a C2 server over raw TCP using AES-128-CTR encryption and supports shell execution, file operations, and screen capture.
• The payload is highly obfuscated using goto spaghetti, hex/octal string encoding, and randomized identifiers.

Affected Systems

• Laravel applications
• PHP environments
• Windows
• macOS
• Linux

Attack Chain

The attacker published malicious PHP packages (lara-helper, simple-queue) to Packagist, disguised as Laravel utilities. Upon installation, the payload (src/helper.php) is executed automatically via Composer's auto-discovery or PHP's autoloader. The script spawns a detached background process, establishes an AES-encrypted raw TCP connection to the C2 server (helper.leuleu.net:2096), and sends system reconnaissance data. The RAT then listens for JSON-formatted commands to execute shell commands, manipulate files, or capture screenshots.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No
• Platforms: Socket

Socket provides detection for these malicious packages via its scanner, GitHub App, CLI, Firewall, and browser extension, flagging the backdoor capabilities and dependency risks.

Detection Engineering Assessment

EDR Visibility: Medium — EDRs can detect the spawned shell processes (e.g., sh, cmd, powershell) originating from the PHP/web server process, but may lack visibility into the PHP-level execution and raw TCP socket communications. Network Visibility: High — The RAT communicates over raw TCP on a non-standard port (2096) with a specific wire format (4-byte length, 16-byte IV, encrypted JSON), which can be fingerprinted or blocked. Detection Difficulty: Moderate — While the obfuscation and auto-execution make static analysis and initial discovery difficult, the persistent outbound connection to port 2096 and child processes spawned by PHP are strong behavioral indicators.

Required Log Sources

• Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
• Network Traffic Logs
• Web Server Access/Error Logs
• File Integrity Monitoring

Hunting Hypotheses

Hypothesis	Telemetry	ATT&CK Stage	FP Risk
Look for PHP or web server processes spawning unexpected shell interpreters (cmd.exe, powershell.exe, sh, bash) which may indicate remote command execution.	Process Creation (Sysmon Event ID 1)	Execution	Medium
Identify persistent outbound network connections from web server processes to non-standard ports (e.g., 2096) over raw TCP.	Network Connections	Command and Control	Low
Search for the creation of suspicious lock files in the system temporary directory matching the pattern 'wvIjjnDMRaomchPprDBzzVSpzh61RCar.lock'.	File Creation	Persistence	Low

Control Gaps

• Lack of dependency scanning in CI/CD pipelines
• Permissive egress network filtering allowing outbound traffic on port 2096

Key Behavioral Indicators

• PHP process spawning detached background copies of itself with 'helper' argument
• Web server process initiating outbound TCP connections to port 2096
• Files created with 0777 permissions by the web server user

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Remove the malicious packages (nhattuanbl/lara-helper, nhattuanbl/simple-queue, nhattuanbl/lara-swagger) and the helper.php payload.
• Delete the lock file at {sys_get_temp_dir}/wvIjjnDMRaomchPprDBzzVSpzh61RCar.lock.
• Block outbound traffic to helper.leuleu.net and port 2096.
• Rotate all secrets accessible from the application environment (database passwords, API keys, .env values).

Infrastructure Hardening

• Implement strict egress filtering to block outbound connections from web servers on non-standard ports.
• Disable unnecessary PHP functions (e.g., exec, system, shell_exec, passthru, popen, proc_open) using disable_functions in php.ini if not required by the application.

User Protection

• N/A

Security Awareness

• Educate developers on the risks of transitive dependencies and the dangers of using dev-master constraints in production environments.
• Implement automated dependency scanning in CI/CD pipelines to catch malicious packages before deployment.

MITRE ATT&CK Mapping

• T1195.001 - Compromise Software Dependencies and Development Tools
• T1059.004 - Unix Shell
• T1059.001 - PowerShell
• T1027 - Obfuscated Files or Information
• T1571 - Non-Standard Port
• T1041 - Exfiltration Over C2 Channel
• T1105 - Ingress Tool Transfer
• T1113 - Screen Capture

Additional IOCs

• Domains:
  • helper[.]leuleu[.]net - C2 server domain
• Urls:
  • hxxps://gitlab[.]com/nhattuanbl - Threat actor GitLab profile
  • hxxps://github[.]com/nhattuanbl - Threat actor GitHub profile
• File Hashes:
  • a493ce9509c5180e997a04cab2006a48202afbb8edfa15149a4521067191ead7 (SHA256) - src/helper.php RAT payload
• File Paths:
  • {sys_get_temp_dir}/wvIjjnDMRaomchPprDBzzVSpzh61RCar.lock - Mutex/lock file to prevent multiple RAT instances
• Other:
  • nhattuanbl/lara-helper - Malicious Packagist package containing the RAT
  • nhattuanbl/simple-queue - Malicious Packagist package containing the RAT
  • nhattuanbl/lara-swagger - Clean package acting as a dependency vector for the RAT via dev-master constraint
  • esCAmxUoJkIjTV0n - Hardcoded AES-128-CTR encryption key for C2 communication