Socket’s Threat Research Team discovered a remote access trojan (RAT) embedded in multiple Packagist PHP packages published by the account nhattuanbl, with identical payloads in nhattuanbl/lara-helper and nhattuanbl/simple-queue and a transitive vector via nhattuanbl/lara-swagger. The RAT spawns a background process at boot/autoload, connects to helper[.]leuleu[.]net:2096 using AES-128-CTR with a hardcoded key, and provides full remote shell, file upload/download, and screen-capture capabilities; affected hosts should be treated as compromised and their secrets rotated. #nhattuanbl #lara-helper
Key points
- Socket identified a fully functional RAT delivered in two Packagist packages (nhattuanbl/lara-helper and nhattuanbl/simple-queue) with an identical payload file at src/helper.php.
- The package nhattuanbl/lara-swagger contains no malicious code itself but declares nhattuanbl/lara-helper as a dev-master dependency, causing the RAT to be pulled in transitively when installed.
- The payload is heavily obfuscated (goto-based control-flow, hex/octal string encoding, randomized identifiers) and is delivered as a single-line PHP file (SHA-256: a493ce95…).
- Activation occurs at application boot via a Laravel service provider (auto-discovery) or immediately on autoload (class file include), and the payload self-launches as a detached background process to run the RAT loop.
- The RAT connects over raw TCP to helper[.]leuleu[.]net:2096 using AES-128-CTR with a hardcoded key, sends system reconnaissance on first connect, and supports remote shell, PowerShell, file upload/download, and screen capture commands.
- Impact: any Laravel app that installed the malicious packages should be treated as compromised (exposed secrets, persistent backdoor); recommendations include rotating secrets, removing packages and helper.php, deleting the lock file, and auditing outbound traffic.
MITRE Techniques
- [T1195.001] Compromise Software Dependencies and Development Tools – Malicious Packagist packages and transitive installs delivered the RAT; ‘lara-swagger’s composer.json explicitly requires nhattuanbl/lara-helper at dev-master.’
- [T1059.004] Unix Shell – The RAT executes shell commands sent from C2 and returns stdout; ‘cmd: Run a shell command, return stdout’.
- [T1059.001] PowerShell – The RAT supports execution of PowerShell commands on Windows hosts; ‘powershell: Run a PowerShell command, return stdout’.
- [T1027] Obfuscated Files or Information – The payload uses layered obfuscation to resist analysis (control-flow jumps, hex/octal encoding, randomized identifiers); ‘The payload uses three layered techniques to resist static analysis’.
- [T1571] Non-Standard Port – C2 communication occurs over a non-standard TCP port; ‘connects to helper[.]leuleu[.]net:2096’.
- [T1041] Exfiltration Over C2 Channel – The RAT collects and sends system reconnaissance and command results to the operator over the encrypted C2 channel; ‘On first connection, the RAT collects and transmits a system profile’.
- [T1105] Ingress Tool Transfer – The RAT script is delivered via package installation and included at boot/autoload; ‘The packages ship a fully functional RAT inside a file named helper.php’.
- [T1113] Screen Capture – The RAT can capture the host screen and return it as base64 PNG; ‘screenshot: Capture the screen using imagegrabscreen(), return as base64 PNG’.
Indicators of Compromise
- [Package names] Malicious Packagist packages – nhattuanbl/lara-helper, nhattuanbl/simple-queue (contain the src/helper.php RAT).
- [Transitive package] Dependency vector – nhattuanbl/lara-swagger (declares nhattuanbl/lara-helper at dev-master, pulling in the RAT).
- [Author email] Threat actor contact – nhattuanbl@gmail[.]com (registered author email on Packagist).
- [Code repository profiles] Author profiles – https://gitlab[.]com/nhattuanbl, https://github[.]com/nhattuanbl (profiles associated with the account).
- [Domain:Port] C2 server – helper[.]leuleu[.]net:2096 (the RAT connects repeatedly to this endpoint for commands and exfiltration).
- [File hash] Malicious file SHA-256 – src/helper.php: a493ce9509c5180e997a04cab2006a48202afbb8edfa15149a4521067191ead7.
- [File paths] On-disk indicators – src/helper.php (malicious payload location inside the packages), {sys_get_temp_dir}/wvIjjnDMRaomchPprDBzzVSpzh61RCar.lock (runtime lock file created by the RAT).
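A defender-side triage check built from the indicators above, added here as an example and not part of the Socket write-up: it reads a project's composer.lock for the malicious packages and the lara-swagger dependency edge, hashes every vendor/*/*/src/helper.php against the published SHA-256, and looks for the RAT's fixed-name lock file in the temp directory. The composer.lock excerpt embedded below is constructed for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Indicators taken from the advisory above.
MALICIOUS_PACKAGES = {"nhattuanbl/lara-helper", "nhattuanbl/simple-queue"}
TRANSITIVE_VECTOR = "nhattuanbl/lara-swagger"
HELPER_SHA256 = "a493ce9509c5180e997a04cab2006a48202afbb8edfa15149a4521067191ead7"
RAT_LOCK_NAME = "wvIjjnDMRaomchPprDBzzVSpzh61RCar.lock"

# Constructed composer.lock excerpt (not a real lock file) showing the transitive vector.
SAMPLE_LOCK = json.loads("""{
  "packages": [
    {"name": "laravel/framework", "version": "v11.0.0", "require": {}},
    {"name": "nhattuanbl/lara-swagger", "version": "dev-main",
     "require": {"nhattuanbl/lara-helper": "dev-master"}},
    {"name": "nhattuanbl/lara-helper", "version": "dev-master", "require": {}}
  ],
  "packages-dev": []
}""")

def scan_lock(lock: dict) -> list:
    """Flag pinned malicious packages and the lara-swagger -> lara-helper dependency edge."""
    findings = []
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if name in MALICIOUS_PACKAGES:
                findings.append(f"malicious package installed: {name}@{pkg.get('version')}")
            elif name == TRANSITIVE_VECTOR:
                constraint = pkg.get("require", {}).get("nhattuanbl/lara-helper")
                if constraint:
                    findings.append(f"{name} pulls in nhattuanbl/lara-helper@{constraint}")
    return findings

def scan_vendor(vendor_dir) -> list:
    """Hash every vendor/<vendor>/<package>/src/helper.php against the known payload hash."""
    findings = []
    for helper in Path(vendor_dir).glob("*/*/src/helper.php"):
        if hashlib.sha256(helper.read_bytes()).hexdigest() == HELPER_SHA256:
            findings.append(f"RAT payload hash match: {helper}")
    return findings

def scan_runtime_lock(tmp_dir=None) -> list:
    """The RAT keeps a fixed-name lock file in the system temp dir while its loop runs."""
    lock = Path(tmp_dir or tempfile.gettempdir()) / RAT_LOCK_NAME
    return [f"RAT runtime lock file present: {lock}"] if lock.exists() else []
```

A hash match only detects the exact file seen by Socket; a package name or dependency-edge hit should be treated as a compromise regardless of the hash result.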
Read more: https://socket.dev/blog/malicious-packagist-packages-disguised-as-laravel-utilities