Perceptive Security
SOC/SIEM Consultancy

Malicious Packagist packages disguised as Laravel utilities install an encrypted PHP RAT via Composer dependencies, enabling remote access and C2 callbacks.
Published: 3 March 2026 at 17:22:01
Alert date: 3 March 2026 at 19:02:51
Source:
socket.dev
Supply Chain & Dependencies, Ransomware & Malware, Web Technologies
Socket's Threat Research Team discovered malicious Packagist packages, disguised as Laravel utilities, that deploy an encrypted PHP RAT. The threat actor 'nhattuanbl' distributed the RAT across the packages lara-helper, simple-queue, and lara-swagger; the last of these pulls in the malicious code as a Composer dependency. The RAT connects to the C2 server helper.leuleu.net:2096, performs system reconnaissance, and gives the operator full remote shell access. The payload is heavily obfuscated: goto-based spaghetti control flow, hex/octal string encoding, and randomized identifiers. Supported commands include shell execution, file upload/download, screenshots, and PowerShell execution, making it a fully functional backdoor.
Technical details
Socket's Threat Research Team identified a RAT distributed across multiple Packagist PHP packages by the threat actor nhattuanbl. Two packages (lara-helper and simple-queue) contain an identical RAT payload in the file src/helper.php. A third package (lara-swagger) pulls the RAT in automatically as a Composer dependency. The payload uses three layers of obfuscation: goto spaghetti control flow, hex/octal string encoding, and randomized identifiers. Once loaded, it spawns a detached background process and connects to the C2 server at helper.leuleu.net:2096, encrypting traffic with AES-128-CTR under the hardcoded key 'esCAmxUoJkIjTV0n'. The RAT performs system reconnaissance, supports remote shell execution, file upload/download, and screenshots, and provides persistent backdoor access. It uses a lock file to prevent multiple instances from running and retries the C2 connection every 15 seconds indefinitely.
Mitigation steps:
Treat affected hosts as compromised and assume the attacker has had full shell access since installation
Rotate all secrets reachable from the application environment (database passwords, API keys, .env values)
Remove the malicious packages and the helper.php payload
Check for uploaded files carrying chmod 0777 (world-writable) permissions
Delete the lock file at {sys_get_temp_dir}/wvIjjnDMRaomchPprDBzzVSpzh61RCar.lock
Audit outbound traffic to helper.leuleu.net:2096
Flag packages that include non-Composer PHP files loaded unconditionally at boot
Review transitive dependencies during package installation
Treat dev-master constraints as high-risk in production environments
Use Socket security tools to scan dependency graphs for malicious packages
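The following audit script is an added example and is not part of the original alert or of Socket's tooling. It turns the host-side mitigation steps above into checks a responder can run against a Laravel project: it scans composer.lock for the flagged packages, scans composer.json for dev-master style branch constraints, compares a file against the advisory's helper.php SHA-256, and reports whether the RAT's single-instance lock file exists in the system temp directory. All indicator values come from this alert; the composer.json and composer.lock content at the bottom is constructed sample input for the demonstration.

```python
"""Audit a Composer project for the indicators in the Perceptive / Socket alert.

Added example, not Socket's tooling. Indicator values (package names, versions,
helper.php SHA-256, lock file name, C2 host) are taken from the advisory; the
SAMPLE_* inputs below are constructed for the demo.
"""
import hashlib
import json
import os
import tempfile

# Indicators from the advisory.
MALICIOUS_PACKAGES = {
    "nhattuanbl/lara-helper": "5.4.7",
    "nhattuanbl/simple-queue": "1.5",
    "nhattuanbl/lara-swagger": "2.0",
}
HELPER_SHA256 = "a493ce9509c5180e997a04cab2006a48202afbb8edfa15149a4521067191ead7"
LOCK_FILE_NAME = "wvIjjnDMRaomchPprDBzzVSpzh61RCar.lock"
C2_HOST = "helper.leuleu.net"
C2_PORT = 2096


def audit_composer_lock(lock_json: str) -> list[str]:
    """Return findings for installed packages recorded in composer.lock.

    Matches on package name regardless of version, because the same maintainer
    account published the RAT under several names; the version is compared to
    the advisory so the finding says whether it is an exact match.
    """
    data = json.loads(lock_json)
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in data.get(section, []):
            name = pkg.get("name", "")
            version = pkg.get("version", "")
            if name in MALICIOUS_PACKAGES:
                exact = version.lstrip("v") == MALICIOUS_PACKAGES[name]
                note = "version matches advisory" if exact else "version differs, same flagged package"
                findings.append(f"{section}: {name} {version} ({note})")
            elif name.startswith("nhattuanbl/"):
                # Other packages from the same account (syslog, lara-media) are linked from the alert.
                findings.append(f"{section}: {name} {version} (other package from flagged maintainer)")
    return findings


def audit_composer_json(composer_json: str) -> list[str]:
    """Flag branch constraints (dev-master and other dev-*), which the advisory treats as high risk."""
    data = json.loads(composer_json)
    findings = []
    for section in ("require", "require-dev"):
        for name, constraint in data.get(section, {}).items():
            if constraint.startswith("dev-"):
                findings.append(f"{section}: {name} pinned to branch constraint {constraint!r}")
    return findings


def file_matches_payload(path: str) -> bool:
    """True if the file at path hashes to the advisory's src/helper.php SHA-256."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest() == HELPER_SHA256


def rat_lock_file_path() -> str:
    """Where the RAT keeps its single-instance lock file: sys_get_temp_dir() + fixed name.

    Python's tempfile.gettempdir() resolves to the same directory PHP's
    sys_get_temp_dir() uses on a default installation; confirm on the host if
    TMPDIR or php.ini overrides it.
    """
    return os.path.join(tempfile.gettempdir(), LOCK_FILE_NAME)


def rat_lock_file_present() -> bool:
    return os.path.exists(rat_lock_file_path())


# Constructed sample inputs: a lock file that pulled in the RAT via lara-swagger,
# and a composer.json that tracks that package's master branch.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v11.0.0"},
        {"name": "nhattuanbl/lara-swagger", "version": "v2.0"},
        {"name": "nhattuanbl/lara-helper", "version": "v5.4.7"},
    ],
    "packages-dev": [],
})
SAMPLE_COMPOSER = json.dumps({
    "require": {"laravel/framework": "^11.0", "nhattuanbl/lara-swagger": "dev-master"},
})

if __name__ == "__main__":
    for line in audit_composer_lock(SAMPLE_LOCK) + audit_composer_json(SAMPLE_COMPOSER):
        print("FINDING", line)
    print("RAT lock file present:", rat_lock_file_present())
    print(f"Audit egress for {C2_HOST}:{C2_PORT} in proxy/firewall logs")
```

On a real host, feed the project's composer.lock and composer.json to the two audit functions and run file_matches_payload over every src/helper.php under vendor/; a matching hash or a present lock file confirms the payload was installed, after which the secret rotation and host rebuild steps above apply, not just package removal.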
Affected products:
nhattuanbl/lara-helper v5.4.7
nhattuanbl/simple-queue v1.5
nhattuanbl/lara-swagger v2.0
Laravel applications using these packages
PHP applications using Packagist packages
Related links:
https://packagist.org/users/nhattuanbl/
https://socket.dev/composer/package/nhattuanbl/lara-helper/overview?version=5.4.7
https://socket.dev/composer/package/nhattuanbl/simple-queue/overview?version=1.5
https://socket.dev/composer/package/nhattuanbl/lara-swagger/overview?version=2.0
https://socket.dev/composer/package/nhattuanbl/syslog/overview?version=1.8
https://socket.dev/composer/package/nhattuanbl/lara-media/overview?version=1.2
https://socket.dev/features/github
https://socket.dev/features/cli
https://socket.dev/blog/socket-firewall-enterprise
https://chromewebstore.google.com/detail/socket-security/jbcobpbfgkhmjfpjjepkcocalmpkiaop?pli=1
https://socket.dev/blog/socket-mcp
Related CVEs:
Related threat actors:
IOCs:
C2 server: helper.leuleu.net:2096
Maintainer e-mail: nhattuanbl@gmail.com
Maintainer profiles: https://gitlab.com/nhattuanbl, https://github.com/nhattuanbl
src/helper.php SHA-256: a493ce9509c5180e997a04cab2006a48202afbb8edfa15149a4521067191ead7
Lock file: {sys_get_temp_dir}/wvIjjnDMRaomchPprDBzzVSpzh61RCar.lock
AES-128-CTR encryption key: esCAmxUoJkIjTV0n
This article was created with the assistance of AI technology by Perceptive.
