Socket's Threat Research Team discovered a remote access trojan (RAT) distributed through three Packagist packages by threat actor nhattuanbl, disguised as Laravel utilities. The packages nhattuanbl/lara-helper and nhattuanbl/simple-queue contain an identical obfuscated PHP RAT payload in helper.php, while nhattuanbl/lara-swagger acts as a clean-looking vector that silently pulls in lara-helper as a Composer dependency. Once loaded, the RAT connects to a C2 server, supports shell execution, file read/write, screenshots, and system reconnaissance, and runs persistently in the background. The payload uses goto spaghetti, hex/octal string encoding, and randomized identifiers to evade static analysis. Affected hosts should be treated as fully compromised, with all secrets rotated and the payload removed. Key takeaways: transitive dependencies deserve the same scrutiny as direct installs, and dev-master constraints are high-risk in production.
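The two takeaways in the summary, that a transitive dependency can carry the payload while the direct install looks clean and that dev-master constraints are unpinned, are both checkable from a project's composer.json and composer.lock. The script below is an added example for this page, not Socket's tooling and not anything from the packages described: it walks the lock file's dependency graph from the direct requirements, reports the chain through which any of the three package names from the report arrives, and flags every dev-* constraint in the manifest. The sample manifest and lock file are constructed for the example; only the three package names come from the report, and the version strings and the other packages are assumed.

```python
"""Audit composer.json / composer.lock for the packages named in the report
and for unpinned dev-* constraints.  Added example, not Socket's code."""
import json
from typing import Dict, List

# Package names taken from the report above.
REPORTED_PACKAGES = {
    "nhattuanbl/lara-helper",
    "nhattuanbl/simple-queue",
    "nhattuanbl/lara-swagger",
}

# Constructed sample manifest: only the clean-looking vector is required directly.
SAMPLE_COMPOSER_JSON = json.dumps({
    "require": {
        "php": "^8.1",
        "laravel/framework": "^10.0",
        "nhattuanbl/lara-swagger": "dev-master",
    },
    "require-dev": {"phpunit/phpunit": "^10.0"},
})

# Constructed sample lock file: lara-helper is present only as a transitive dependency.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "laravel/framework", "version": "v10.48.0", "require": {"php": "^8.1"}},
        {"name": "nhattuanbl/lara-swagger", "version": "dev-master",
         "require": {"nhattuanbl/lara-helper": "dev-master"}},
        {"name": "nhattuanbl/lara-helper", "version": "dev-master", "require": {}},
    ],
    "packages-dev": [
        {"name": "phpunit/phpunit", "version": "10.5.0", "require": {}},
    ],
})


def unpinned_constraints(manifest: Dict) -> List[str]:
    """Return 'section:package=constraint' for every branch (dev-*) or @dev constraint."""
    hits = []
    for section in ("require", "require-dev"):
        for name, constraint in manifest.get(section, {}).items():
            if constraint.startswith("dev-") or "@dev" in constraint:
                hits.append(f"{section}:{name}={constraint}")
    return hits


def locked_packages(lock: Dict) -> Dict[str, Dict]:
    """Flatten both lock sections into a name -> lock entry map."""
    out: Dict[str, Dict] = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            out[pkg["name"]] = pkg
    return out


def dependency_path(lock: Dict, manifest: Dict, target: str) -> List[str]:
    """Depth-first walk from the direct requirements to `target`.

    Returns the chain of package names ending at `target`, or [] if it is not
    installed.  A one-element chain means the package is a direct dependency."""
    pkgs = locked_packages(lock)
    roots = [n for s in ("require", "require-dev")
             for n in manifest.get(s, {}) if n in pkgs]

    def walk(name: str, path: List[str], seen: set) -> List[str]:
        if name == target:
            return path + [name]
        if name in seen:
            return []
        seen.add(name)
        for dep in pkgs.get(name, {}).get("require", {}):
            if dep in pkgs:  # skip platform requirements such as "php"
                found = walk(dep, path + [name], seen)
                if found:
                    return found
        return []

    for root in roots:
        found = walk(root, [], set())
        if found:
            return found
    return []


def audit(manifest_text: str, lock_text: str) -> List[Dict]:
    """Run both checks and return a list of findings."""
    manifest, lock = json.loads(manifest_text), json.loads(lock_text)
    findings: List[Dict] = []
    for name in sorted(REPORTED_PACKAGES):
        path = dependency_path(lock, manifest, name)
        if path:
            findings.append({"package": name, "reason": "named in report",
                             "path": " -> ".join(path)})
    for hit in unpinned_constraints(manifest):
        findings.append({"package": hit.split(":", 1)[1].split("=", 1)[0],
                         "reason": "unpinned dev branch", "constraint": hit})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_COMPOSER_JSON, SAMPLE_COMPOSER_LOCK):
        print(f)
```

On the constructed sample the audit reports lara-helper with the path `nhattuanbl/lara-swagger -> nhattuanbl/lara-helper`, lara-swagger as a direct dependency, and the dev-master constraint on lara-swagger; simple-queue is not installed and is not reported. Against a real project, read the two files from disk and pass their contents to `audit`; the same walk also explains why a package is present when it does not appear in composer.json at all.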