Malicious Packagist packages disguised as Laravel utilities install an encrypted PHP RAT via Composer dependencies, enabling remote access and C2 call...

Socket

Socket's Threat Research Team discovered a remote access trojan (RAT) distributed through three Packagist packages by threat actor nhattuanbl, disguised as Laravel utilities. The packages nhattuanbl/lara-helper and nhattuanbl/simple-queue contain an identical obfuscated PHP RAT payload in helper.php, while nhattuanbl/lara-swagger acts as a clean-looking vector that silently pulls in lara-helper as a Composer dependency. Once loaded, the RAT connects to a C2 server, supports shell execution, file read/write, screenshots, and system reconnaissance, and runs persistently in the background. The payload uses goto spaghetti, hex/octal string encoding, and randomized identifiers to evade static analysis. Affected hosts should be treated as fully compromised, with all secrets rotated and the payload removed. Key takeaways: transitive dependencies deserve the same scrutiny as direct installs, and dev-master constraints are high-risk in production.

Malicious Packagist Packages Disguised as Laravel Utilities ...

This is an obfuscated PHP remote-access backdoor / implant.
Key behaviors visible in your snippet:
<ul>
<li>Calls out to a remote C2 server via TCP socket:Host: <code>helper.leuleu.net</code>Port: <code>2096</code>It repeatedly reconnects if it fails (sleep + retry loop).</li>
<li>Encrypted command channel:Uses <code>openssl_encrypt/decrypt</code> with AES-128-CTR.Messages are framed with a 4-byte length + 16-byte IV, then ciphertext.There’s a hardcoded key string:<code>$riz07 = &quot;esCAmxUoJkIjTV0n&quot;</code> (that’s the AES key).</li>
<li>Collects host fingerprint / system info and sends it:OS type (Windows/Mac/Linux), hostname, OS version, current user + uid/gid, script directory, and a “machine id”:Windows: registry <code>MachineGuid</code>macOS: hardware UUIDLinux: <code>/etc/machine-id</code> or <code>/var/lib/dbus/machine-id</code></li>
<li>Implements remote commands (based on the <code>s</code> field in decoded JSON):<code>cmd</code> → run OS commands (Windows cmd)<code>powershell</code> → run commands via PowerShell (Windows)<code>run</code> → executes something / runs a provided command payload<code>upload</code> → writes a file into <code>__DIR__</code> (base64 payload), then <code>chmod 0777``download</code> → reads a file and sends it back base64<code>screenshot</code> → grabs a screenshot (Windows <code>imagegrabscreen()</code>), returns base64 PNG data URI<code>stop</code> → closes socket / stops loop<code>ping</code> / keepalive</li>
<li>Single-instance / lock behavior:Creates a lock file in <code>sys_get_temp_dir()</code> with a long random-looking name ending in <code>.lock</code>.If the lock file exists and is “fresh” (&lt; 15 min), it exits; otherwise it deletes and recreates it.</li>
</ul>
So: it’s a fairly standard PHP RAT that can execute commands, move files, and grab screenshots.