
Malicious Packagist Packages Disguised as Laravel Utilities Deploy Encrypted RAT

Adayptus Threat Intelligence
Mar 06, 2026

A supply chain campaign targeting PHP developers: malicious Packagist packages disguised as Laravel utilities install a cross-platform RAT that gives the operator a remote shell on the affected host.

The integrity of the open-source software supply chain is under constant assault. Recently, security researchers identified a campaign distributing a cross-platform Remote Access Trojan (RAT) through malicious packages published to Packagist, the default registry for PHP's Composer dependency manager. These were not hijacked legitimate libraries; the packages were authored by the attacker and given names that suggest ordinary Laravel tooling. The case underlines the need to scrutinise third-party libraries, and what they transitively pull in, before they reach enterprise applications.

Researchers at Socket have detailed how malicious Packagist packages disguised as Laravel utilities are being used to compromise Windows, macOS, and Linux systems.

1 The Threat Profile: Deceptive Packages

The threat actor, publishing under the Packagist account nhattuanbl, uploaded several packages to the registry. To build credibility, the account first released clean libraries and only later introduced the malicious ones. The packages involved in this campaign are:

  • nhattuanbl/lara-helper (Contains the RAT payload)
  • nhattuanbl/simple-queue (Contains the RAT payload)
  • nhattuanbl/lara-swagger (Clean code; acts as the delivery vector by requiring lara-helper)

The most insidious aspect of this attack is the dependency-chain vector. lara-swagger contains no malicious code itself, but its composer.json requires nhattuanbl/lara-helper at dev-master. Installing the seemingly benign lara-swagger therefore pulls the RAT into the victim's vendor directory as a transitive dependency, which a review that looks only at the directly requested package will miss. Because dev-master tracks the head of the package's default branch rather than a tagged release, what gets installed can also change between one composer update and the next without any version bump.

2 Technical Deep Dive: Obfuscation and Execution

The malicious payload resides in a file deceptively named src/helper.php. This file employs three layered techniques to thwart static analysis:

  • Goto Spaghetti Logic: Control flow is aggressively fractured into hundreds of labeled jumps, destroying readable top-to-bottom execution paths.
  • String Encoding: Vital indicators like domain names and commands are encoded using hex and octal escape sequences.
  • Randomized Identifiers: Variables and functions utilize randomly generated names, further confusing analysts and automated scanners.
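The hex and octal escape encoding described above is the cheapest layer to peel off. As an added example (not code from the Socket report or from this page), the following Python helper resolves PHP double-quoted escape sequences in every string literal of a source file and counts goto jumps as a crude obfuscation signal. The snippet it runs on is constructed in the style the report describes: the variable and label names are invented, and only the decoded host and port match the indicator the page gives in section 4.

```python
import re

# PHP double-quoted string escapes: \xHH (1-2 hex digits), \ooo (1-3 octal
# digits), \u{HHHH}, and the usual single-character escapes.
_ESCAPE = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|u\{[0-9A-Fa-f]+\}|[ntrvfe\\$"])')
_SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "v": "\v", "f": "\f",
           "e": "\x1b", "\\": "\\", "$": "$", '"': '"'}

# A double-quoted PHP literal: anything up to the closing quote, allowing escaped characters.
_DQ_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')

# A goto statement: the keyword, a label, and the terminating semicolon.
_GOTO = re.compile(r'\bgoto\s+[A-Za-z_][A-Za-z0-9_]*\s*;')

# Constructed snippet (not the real payload): fractured control flow,
# random-looking identifiers, escape-encoded strings.
SAMPLE = r'''<?php
goto lbl_3f;
$v_a9f3 = "\x68\x65\x6c\x70\x65\x72\x2e\x6c\x65\x75\x6c\x65\x75\x2e\x6e\x65\x74";
lbl_3f:
$v_b17c = "\62\60\71\66";
$v_c4d1 = "\x70\x72\x6f\x63\x5f\x6f\x70\x65\x6e";
$v_d2e0 = "plain text, no escapes";
'''


def decode_php_string(body: str) -> str:
    """Resolve PHP escape sequences in the body of a double-quoted literal."""
    def one(m: re.Match) -> str:
        tok = m.group(1)
        if tok[0] == "x":
            return chr(int(tok[1:], 16))
        if tok[0] == "u":
            return chr(int(tok[2:-1], 16))
        if tok[0] in "01234567":
            return chr(int(tok, 8) & 0xFF)   # PHP wraps octal values above 255
        return _SIMPLE[tok]
    return _ESCAPE.sub(one, body)


def extract_encoded_strings(php_source: str) -> list[str]:
    """Decoded value of every double-quoted literal that uses escape sequences."""
    found = []
    for m in _DQ_LITERAL.finditer(php_source):
        body = m.group(1)
        if "\\" in body:                      # plain literals are not interesting
            found.append(decode_php_string(body))
    return found


def count_goto_jumps(php_source: str) -> int:
    """Number of goto statements; hundreds in one file is a strong obfuscation signal."""
    return len(_GOTO.findall(php_source))


if __name__ == "__main__":
    print("goto jumps:", count_goto_jumps(SAMPLE))
    for s in extract_encoded_strings(SAMPLE):
        print("decoded:", s)
```

Run over a suspect vendor file, the decoded strings are where the C2 host, port and execution-function names surface; randomized identifiers and goto spaghetti do nothing to hide them once the literals are resolved.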

Activation Mechanisms

The payload is designed to run without any action by the developer. In lara-helper it hooks Laravel's package auto-discovery, so the package's service provider is registered automatically and the malicious code runs on every application boot. In simple-queue the include sits at file scope rather than inside a class or function, so it executes the moment PHP's autoloader loads the file, even if the class is never instantiated or otherwise used.

Upon execution, it spawns a detached background process and creates a temporary lock file to prevent multiple instances, allowing normal application execution to continue unnoticed.
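Both of the mechanisms above leave traces in composer.lock: the dev-master requirement that drags lara-helper in through lara-swagger, and the extra.laravel.providers entry that makes a package's code run on every boot. As an added example (not code from the page or the Socket report), the following Python script audits a lock file for the package names listed in section 1, for unpinned dev-branch constraints, and for packages that register auto-discovered Laravel providers, and reports which package pulled each flagged dependency in. The lock excerpt is constructed for the example: the version numbers are placeholders and the provider class name is hypothetical; only the package names and the dev-master constraint come from the report.

```python
import json

# Package names from the Socket report, as listed on this page.
KNOWN_MALICIOUS = {"nhattuanbl/lara-helper", "nhattuanbl/simple-queue"}
KNOWN_VECTOR = {"nhattuanbl/lara-swagger"}

# Constructed composer.lock excerpt. Versions are placeholders and the
# provider class is hypothetical; it is not taken from the real package.
LOCK_SAMPLE = r'''{
  "packages": [
    {
      "name": "example/benign-lib",
      "version": "2.1.0",
      "require": {"php": ">=8.1"}
    },
    {
      "name": "nhattuanbl/lara-swagger",
      "version": "1.0.0",
      "require": {"nhattuanbl/lara-helper": "dev-master"}
    },
    {
      "name": "nhattuanbl/lara-helper",
      "version": "dev-master",
      "require": {"php": ">=8.0"},
      "extra": {"laravel": {"providers": ["Hypothetical\\LaraHelper\\ServiceProvider"]}}
    }
  ],
  "packages-dev": []
}'''


def lock_packages(lock_text: str) -> list[dict]:
    """All resolved packages, production and dev."""
    data = json.loads(lock_text)
    return data.get("packages", []) + data.get("packages-dev", [])


def reverse_requires(packages: list[dict]) -> dict[str, list[tuple[str, str]]]:
    """Map each dependency name to the (package, constraint) pairs that require it."""
    rev: dict[str, list[tuple[str, str]]] = {}
    for pkg in packages:
        for dep, constraint in pkg.get("require", {}).items():
            rev.setdefault(dep, []).append((pkg["name"], constraint))
    return rev


def audit_lock(lock_text: str) -> list[tuple[str, str, str]]:
    """Return (finding, package, detail) triples for a composer.lock."""
    packages = lock_packages(lock_text)
    rev = reverse_requires(packages)
    findings = []
    for pkg in packages:
        name = pkg["name"]
        # Who pulled this package in; "root" means it is a direct requirement.
        pulled_by = [p for p, _ in rev.get(name, [])] or ["root composer.json"]
        if name in KNOWN_MALICIOUS:
            findings.append(("known-malicious", name, "required by " + ", ".join(pulled_by)))
        elif name in KNOWN_VECTOR:
            findings.append(("known-vector", name, "required by " + ", ".join(pulled_by)))
        for dep, constraint in pkg.get("require", {}).items():
            # dev-* and @dev constraints track a branch head, not a tagged release.
            if constraint.startswith("dev-") or "@dev" in constraint:
                findings.append(("unpinned-dev-branch", name, f"{dep}: {constraint}"))
        providers = pkg.get("extra", {}).get("laravel", {}).get("providers", [])
        if providers:
            findings.append(("laravel-auto-discovery", name, ", ".join(providers)))
    return findings


if __name__ == "__main__":
    for finding, package, detail in audit_lock(LOCK_SAMPLE):
        print(f"{finding:22} {package:28} {detail}")
```

The laravel-auto-discovery finding is informational: many legitimate packages register providers this way. Its value is the list of third-party code that executes on every boot, which is exactly the set worth reading before a deploy. The other findings are actionable on their own.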

3 C2 Communication and Capabilities

The RAT connects to a command-and-control (C2) server over raw TCP. All traffic is encrypted with AES-128-CTR under a key hardcoded in the payload, which defeats content-based inspection of the stream. It retries the connection every 15 seconds until it succeeds. Two consequences for defenders: a hardcoded key means anyone holding the sample can decrypt captured sessions, and the fixed destination port and regular reconnect interval stay visible in connection logs even though the payload bytes are opaque.

The RAT receives JSON-formatted commands from the C2 server and supports actions including:

Command             Functionality
info                Transmits system reconnaissance data (OS, hostname, UID, permissions).
cmd / powershell    Executes arbitrary shell or PowerShell commands.
screenshot          Captures the screen using PHP's imagegrabscreen(), a GD function that exists only in Windows builds of PHP, so this command is Windows-specific.
upload / download   Reads or writes files on disk, adjusting permissions as needed.

Crucially, the RAT reads PHP's disable_functions directive at run time and cycles through the execution primitives (popen, proc_open, exec, shell_exec, system, passthru) until it finds one that is not disabled, so a partial block list gives no protection against the command-execution path. Note that disable_functions constrains only cmd and powershell; the info, upload and download commands use ordinary PHP file and environment APIs that the directive does not cover.
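The practical lesson is that hardening has to cover the whole probe list, not the two functions everyone remembers. As an added example (not from the page or the Socket report), the following Python script parses the effective disable_functions value out of a php.ini and reports which of the six probed primitives a configuration still leaves available. The two ini fragments are constructed: the first is a typical partial block list, the second covers everything in the list the report gives.

```python
# Execution primitives the RAT cycles through, in the order the report lists them.
PROBED_FUNCTIONS = ["popen", "proc_open", "exec", "shell_exec", "system", "passthru"]

# Constructed php.ini fragments for the example.
WEAK_INI = """\
[PHP]
; only the two best-known functions are blocked
disable_functions = exec,system
"""

HARDENED_INI = """\
[PHP]
; every primitive in the probe list
disable_functions = "popen,proc_open,exec,shell_exec,system,passthru"
"""


def disabled_functions(ini_text: str) -> set[str]:
    """Effective disable_functions set: ';' comments stripped, last directive wins."""
    disabled: set[str] = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "disable_functions":
            value = value.strip().strip('"').strip("'")
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def still_available(ini_text: str) -> list[str]:
    """Functions from the RAT's probe list that this configuration leaves enabled."""
    disabled = disabled_functions(ini_text)
    return [f for f in PROBED_FUNCTIONS if f not in disabled]


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        gap = still_available(ini)
        print(f"{label}: {'no gap' if not gap else 'RAT can still use ' + ', '.join(gap)}")
```

Because the RAT takes the first function that works, the weak configuration is equivalent to having no disable_functions at all for this threat. Extend the list to any further execution primitives your PHP build exposes, and treat the directive as defence in depth: it narrows what a loaded payload can do, but the control that matters is keeping the package out of vendor/ in the first place.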

4 Business Impact and Remediation

The impact of installing these packages is severe. Because the RAT runs inside the web application's process, the attacker inherits everything that process can read: environment variables, .env file contents, and with them database credentials and API keys. On top of that they hold persistent remote shell access across Windows, macOS, and Linux hosts.

Immediate Actions for Affected Organizations:

  1. Assume Compromise: Treat any host that installed these packages as fully compromised.
  2. Rotate Secrets: Immediately rotate all credentials accessible from the application environment.
  3. Remove Packages: Uninstall the malicious dependencies, delete the vendor copies (including the src/helper.php payload) and reinstall from a reviewed lock file. Deleting the file does not stop the detached background process the RAT already spawned; terminate that process as well.
  4. Audit Traffic: Review outbound network logs for connections to the C2 endpoint (helper.leuleu[.]net:2096), and for the 15-second reconnect cadence from hosts that could not reach it.
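As an added example (not from the page or the Socket report), the following Python script works through the traffic-audit step above against constructed egress log lines: it pulls out every host that tried to reach the C2 endpoint, then flags hosts whose attempts recur at the 15-second reconnect cadence described in section 3. The log format (one key=value record per line, with the destination hostname already resolved by the egress proxy) and all timestamps and addresses are assumptions made for the example.

```python
from datetime import datetime, timezone
from statistics import median

C2_HOST = "helper.leuleu.net"   # indicator from the report (defanged on the page)
C2_PORT = 2096
RETRY_SECONDS = 15              # reconnect cadence described in the report

# Constructed egress log lines, not real telemetry. 10.0.0.5 shows the retry
# pattern of a host that cannot reach the C2; 10.0.0.9 made a single attempt.
SAMPLE_LOG = """\
2026-03-06T10:00:00Z src=10.0.0.5 dst=api.example.org dport=443 proto=tcp action=allow
2026-03-06T10:00:01Z src=10.0.0.5 dst=helper.leuleu.net dport=2096 proto=tcp action=deny
2026-03-06T10:00:16Z src=10.0.0.5 dst=helper.leuleu.net dport=2096 proto=tcp action=deny
2026-03-06T10:00:31Z src=10.0.0.5 dst=helper.leuleu.net dport=2096 proto=tcp action=deny
2026-03-06T10:00:46Z src=10.0.0.5 dst=helper.leuleu.net dport=2096 proto=tcp action=deny
2026-03-06T10:00:20Z src=10.0.0.9 dst=cdn.example.org dport=443 proto=tcp action=allow
2026-03-06T10:03:00Z src=10.0.0.9 dst=helper.leuleu.net dport=2096 proto=tcp action=deny
"""


def parse_log(text: str) -> list[dict]:
    """Parse 'timestamp key=value ...' lines into dicts with an aware datetime under 'ts'."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def c2_contacts(records: list[dict]) -> dict[str, list[datetime]]:
    """Source hosts that contacted the C2 endpoint, with their sorted attempt times."""
    by_src: dict[str, list[datetime]] = {}
    for r in records:
        if r.get("dst") == C2_HOST and int(r.get("dport", 0)) == C2_PORT:
            by_src.setdefault(r["src"], []).append(r["ts"])
    return {src: sorted(stamps) for src, stamps in by_src.items()}


def beaconing_sources(records: list[dict], cadence: int = RETRY_SECONDS,
                      tolerance: int = 2, min_attempts: int = 3) -> list[str]:
    """Sources whose C2 attempts recur at the RAT's retry cadence (median gap check)."""
    hits = []
    for src, stamps in c2_contacts(records).items():
        if len(stamps) < min_attempts:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if abs(median(gaps) - cadence) <= tolerance:
            hits.append(src)
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, stamps in c2_contacts(recs).items():
        print(f"{src}: {len(stamps)} attempt(s) to {C2_HOST}:{C2_PORT}")
    print("beaconing at", RETRY_SECONDS, "s:", beaconing_sources(recs))
```

Any contact with the endpoint is grounds for the assume-compromise step regardless of cadence; the beaconing check is there to catch hosts that a blocked or sinkholed C2 left retrying, where the interval survives even though the encrypted payload tells you nothing.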

Secure Your Software Supply Chain

Proactive DevSecOps Consulting

This attack underscores the dangers of transitive dependencies and the risks of using dev-master versions in production environments. Traditional vulnerability scanners often miss obfuscated, logic-based malware embedded deep within dependency trees.

At Adayptus Consulting, we integrate robust DevSecOps practices to safeguard your software development lifecycle. From advanced static and dynamic analysis to architectural security reviews, we help you build resilient applications.


Tags: Cybersecurity, Threat Intelligence, Adayptus Intelligence

Adayptus Threat Intelligence

Strategic Intelligence Division

Adayptus Consulting is a premier provider of enterprise cybersecurity solutions, specializing in Managed SOC, Penetration Testing, and GRC strategy. Our intelligence division regularly publishes research to help CISOs navigate the evolving threat landscape.
