{
  "Event": {
    "analysis": "1",
    "date": "2026-03-03",
    "extends_uuid": "",
    "info": "[Threat Intel] Malicious Packagist Packages Disguised as Laravel Utilities Deploy Encrypted RAT",
    "protected": false,
    "publish_timestamp": "1772824070",
    "published": true,
    "threat_level_id": "2",
    "timestamp": "1772824069",
    "uuid": "e4d7b43c-0c82-40eb-9115-580e8c429524",
    "Orgc": {
      "name": "Rectifyq",
      "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4"
    },
    "Tag": [
      {
        "colour": "#ffffff",
        "local": false,
        "name": "tlp:clear",
        "relationship_type": ""
      },
      {
        "colour": "#004646",
        "local": false,
        "name": "type:OSINT",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-original-src\"",
        "relationship_type": ""
      },
      {
        "colour": "#b94b1d",
        "local": false,
        "name": "rectifyq:mitre-att&ck=\"from-OTX\"",
        "relationship_type": ""
      },
      {
        "colour": "#8ee8d8",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Screen Capture - T1113\"",
        "relationship_type": ""
      },
      {
        "colour": "#201172",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Dependencies and Development Tools - T1195.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#a9f8b1",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration Over C2 Channel - T1041\"",
        "relationship_type": ""
      },
      {
        "colour": "#755c09",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"PowerShell - T1059.001\"",
        "relationship_type": ""
      },
      {
        "colour": "#7628f7",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Unix Shell - T1059.004\"",
        "relationship_type": ""
      },
      {
        "colour": "#f07d7c",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Non-Standard Port - T1571\"",
        "relationship_type": ""
      },
      {
        "colour": "#e08bb2",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"",
        "relationship_type": ""
      },
      {
        "colour": "#4c0fbb",
        "local": false,
        "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"",
        "relationship_type": ""
      },
      {
        "colour": "#49a260",
        "local": false,
        "name": "rectifyq:category=\"threat\"",
        "relationship_type": ""
      },
      {
        "colour": "#130049",
        "local": false,
        "name": "rectifyq:sub-category=\"campaign-analysis\"",
        "relationship_type": ""
      },
      {
        "colour": "#18005e",
        "local": false,
        "name": "rectifyq:topic=\"supply-chain\"",
        "relationship_type": ""
      },
      {
        "colour": "#ffd12e",
        "local": false,
        "name": "rectifyq:target=\"broad-based\"",
        "relationship_type": ""
      },
      {
        "colour": "#55acee",
        "local": false,
        "name": "rectifyq:MY-relevancy=\"potentially-relevant\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
        "relationship_type": ""
      },
      {
        "colour": "#626567",
        "local": false,
        "name": "rectifyq:no-samples-in=\"Tria.ge\"",
        "relationship_type": ""
      },
      {
        "colour": "#3800d9",
        "local": false,
        "name": "rectifyq:action-taken=\"VT-comment\"",
        "relationship_type": ""
      },
      {
        "colour": "#3d00e9",
        "local": false,
        "name": "rectifyq:action-taken=\"telegram\"",
        "relationship_type": ""
      }
    ],
    "Attribute": [
      {
        "category": "External analysis",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772622007",
        "to_ids": false,
        "type": "link",
        "uuid": "d491abb6-c2a9-478f-ad9e-2d7cc0f512fd",
        "value": "https://socket.dev/blog/malicious-packagist-packages-disguised-as-laravel-utilities",
        "Tag": [
          {
            "colour": "#6b003a",
            "local": true,
            "name": "workflow:todo=\"create-missing-misp-galaxy-cluster\"",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Other",
        "comment": "Description",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772622007",
        "to_ids": false,
        "type": "text",
        "uuid": "f662df67-1cb4-483e-bed3-f95997ae194c",
        "value": "A remote access trojan (RAT) has been discovered in multiple Packagist packages published by the threat actor nhattuanbl. The malicious packages, disguised as Laravel utilities, install an encrypted PHP RAT via Composer dependencies. The payload connects to a C2 server, sends system reconnaissance data, and awaits commands, granting full remote access to the host. The RAT uses obfuscation techniques to resist analysis and employs a self-launch mechanism. It communicates with the C2 server using encrypted JSON messages and supports various commands for system control and data exfiltration. The attack vector leverages dependency chains, with clean-looking packages pulling in malicious ones. Affected systems should be treated as compromised, with recommendations provided for mitigation and prevention."
      },
      {
        "category": "Other",
        "comment": "Summary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772622007",
        "to_ids": false,
        "type": "text",
        "uuid": "5cdeda3e-2fc4-49c9-b369-e378cadf1cc5",
        "value": "Name: Malicious Packagist Packages Disguised as Laravel Utilities Deploy Encrypted RAT\nAuthor: AlienVault\nAdversary: nhattuanbl\nTags: [\"laravel\", \"php\", \"packagist\", \"rat\", \"dependency-chain\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1113\", \"T1195.001\", \"T1041\", \"T1059.001\", \"T1059.004\", \"T1571\", \"T1027\", \"T1105\"]\nIndustries: []"
      },
      {
        "category": "Attribution",
        "comment": "Adversary",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772622007",
        "to_ids": false,
        "type": "threat-actor",
        "uuid": "fc6d587e-a302-43b1-8a5e-6416a9e3bcd3",
        "value": "nhattuanbl"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772814035",
        "to_ids": true,
        "type": "url",
        "uuid": "83b27ba8-31e6-4fb3-853e-9cb4167de03f",
        "value": "http://helper.leuleu.net:2096",
        "Tag": [
          {
            "colour": "#f08989",
            "local": false,
            "name": "NotFoundError",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772814056",
        "to_ids": true,
        "type": "hostname",
        "uuid": "3e49d4e4-bcd6-4583-82c4-d786e0c3ee78",
        "value": "helper.leuleu.net",
        "Tag": [
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Payload delivery",
        "comment": "Email address registered by the threat actor",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772805985",
        "to_ids": true,
        "type": "email-src",
        "uuid": "a62643b2-2551-4e21-b851-d020ff2665f7",
        "value": "nhattuanbl@gmail.com"
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772814077",
        "to_ids": true,
        "type": "url",
        "uuid": "d7c3db7a-ff20-443a-86fa-2a655a82dc49",
        "value": "https://gitlab.com/nhattuanbl",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      },
      {
        "category": "Network activity",
        "comment": "",
        "deleted": false,
        "disable_correlation": false,
        "timestamp": "1772814099",
        "to_ids": true,
        "type": "url",
        "uuid": "9c0fc5ae-2bd1-4e8e-ba89-7e8950f8dea0",
        "value": "https://github.com/nhattuanbl",
        "Tag": [
          {
            "colour": "#2c2142",
            "local": false,
            "name": "false-positive:risk=\"high\"",
            "relationship_type": ""
          },
          {
            "colour": "#342294",
            "local": false,
            "name": "CommentAdded",
            "relationship_type": ""
          }
        ]
      }
    ],
    "Object": [
      {
        "comment": "",
        "deleted": false,
        "description": "File object describing a file with meta-information",
        "meta-category": "file",
        "name": "file",
        "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
        "template_version": "25",
        "timestamp": "1772814120",
        "uuid": "0e0b8b73-7de7-49ac-9b7d-d0d7428d46a7",
        "Attribute": [
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "md5",
            "timestamp": "1772814120",
            "to_ids": true,
            "type": "md5",
            "uuid": "768f6f19-492c-4c02-9c4e-7274f1e59c07",
            "value": "dbbdde297d87088e2e4972ecd5d6048f",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              },
              {
                "colour": "#342294",
                "local": false,
                "name": "CommentAdded",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha1",
            "timestamp": "1772809670",
            "to_ids": true,
            "type": "sha1",
            "uuid": "1b6201d7-c7a0-43b5-8710-b5605fc3d437",
            "value": "8aa61f3e996db84e9eb20f231c33480101b638c7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "sha256",
            "timestamp": "1772809670",
            "to_ids": true,
            "type": "sha256",
            "uuid": "4d8533bb-29e1-4618-9d76-371276768138",
            "value": "a493ce9509c5180e997a04cab2006a48202afbb8edfa15149a4521067191ead7",
            "Tag": [
              {
                "colour": "#260091",
                "local": false,
                "name": "rectifyq:ioc=\"enriched\"",
                "relationship_type": ""
              },
              {
                "colour": "#220085",
                "local": false,
                "name": "rectifyq:samples-found-in=\"VirusTotal\"",
                "relationship_type": ""
              },
              {
                "colour": "#260093",
                "local": false,
                "name": "rectifyq:ioc=\"no-detection-by-any-vendor\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"MalwareBazaar\"",
                "relationship_type": ""
              },
              {
                "colour": "#626567",
                "local": false,
                "name": "rectifyq:no-samples-in=\"Tria.ge\"",
                "relationship_type": ""
              }
            ]
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": false,
            "object_relation": "ssdeep",
            "timestamp": "1772808493",
            "to_ids": true,
            "type": "ssdeep",
            "uuid": "00aeb487-e11a-40e5-a4fe-0245fcb829e9",
            "value": "384:SrlJKU+cfRxKnKSriliMFSs4NJ7XV2MbwSCPBOuWElpLrN/3JQ7Rz0/FF/C:4JVfRx0KSriwMyJ7l1XChPbLlz/FFa"
          },
          {
            "category": "Other",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "size-in-bytes",
            "timestamp": "1772808493",
            "to_ids": false,
            "type": "size-in-bytes",
            "uuid": "901d1efa-c746-4dc2-9908-34b324c8621c",
            "value": "27340"
          },
          {
            "category": "Payload delivery",
            "comment": "",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "filename",
            "timestamp": "1772808493",
            "to_ids": true,
            "type": "filename",
            "uuid": "ad7d9723-c123-4ff6-b370-4ae46c27d802",
            "value": "QpJPOlQnFGA6ZegTKsgBqSCAq-7jt-hUUmkUhBnGR6tc"
          },
          {
            "category": "Other",
            "comment": "Checked: 06/03/2026\nLast-scan: 05/03/2026",
            "deleted": false,
            "disable_correlation": true,
            "object_relation": "text",
            "timestamp": "1772808493",
            "to_ids": false,
            "type": "text",
            "uuid": "a2ed81d9-979d-40a6-97af-8f9e04da7382",
            "value": "Type Description: PHP\nMicrosoft: None\nVT Total Detection: 0/62\nFirst Submission: 2026-03-03T19:02:07.000000+00:00\nLast Submission: 2026-03-03T19:02:07.000000+00:00"
          }
        ]
      }
    ]
  }
}