Laravel Supply Chain Attack, SideCopy XenoRAT Campaign, & The Gentlemen RaaS: OTX Pulse Analysis

Recent OTX pulses indicate a surge in diverse, high-impact cyber threats targeting critical infrastructure, software supply chains, and enterprise networks. We are tracking three distinct but concerning campaigns: a sophisticated supply chain attack on the Laravel ecosystem facilitating RCE and data theft; a targeted espionage operation by SideCopy (APT36) against the Afghan Ministry of Finance utilizing XenoRAT; and the aggressive expansion of "The Gentlemen," a new Go-based RaaS operation by Storm-2697 featuring self-propagating capabilities and advanced cryptography.

Threat Actor / Malware Profile

Laravel Lang Compromise

Adversary: Unknown (Suspected credential theft of maintainers).
Malware: helpers.php stealer, DebugChromium.exe.
Distribution: Supply chain compromise via community-maintained language packages (laravel-lang/lang, etc.). Attackers pushed malicious tags to over 700 versions.
Behavior: The backdoor facilitates Remote Code Execution (RCE), allowing attackers to inject the helpers.php stealer. This payload attempts to siphon developer credentials and environment variables, exfiltrating them to attacker-controlled infrastructure.

Operation XENOFISCAL (SideCopy)

Adversary: SideCopy (Transparent Tribe / APT36).
Malware: XenoRAT.
Distribution: Spear-phishing emails containing Pashto-language LNK files disguised as staff directories.
Behavior: The LNK file initiates mshta.exe to fetch remote HTA payloads from compromised Afghan education domains (abimj.edu.af). XenoRAT provides persistent remote access, keylogging, and surveillance capabilities specifically targeting financial governance entities in Afghanistan.

The Gentlemen (Storm-2697)

Adversary: Storm-2697 (Linked to Kazuar).
Malware: The Gentlemen Ransomware (Go-based).
Distribution: Ransomware-as-a-Service (RaaS) model; recruited via underground forums.
Behavior: Utilizes Curve25519 and XChaCha20 for robust per-file encryption. Distinguished by self-propagating capabilities (worm-like behavior) to traverse networks laterally, aiming for broad system compromise rather than single endpoint encryption.

IOC Analysis

The provided indicators cover a wide spectrum of compromise vectors:

Domains & URLs: flipboxstudio.info (C2/Exfil for Laravel) and abimj.edu.af (C2 for SideCopy). SOC teams should immediately block these at the perimeter and recursive resolvers.
IP Addresses: 103.132.98.224 associated with the SideCopy C2 infrastructure.
File Hashes: Multiple SHA256, MD5, and SHA1 hashes for XenoRAT loaders, The Gentlemen encryptor, and information stealers.

Operational Guidance:

EDR/SIEM: Upload all hashes to watchlists. Correlate file creation events with network connections to the listed domains.
Network: The use of abimj.edu.af highlights the risk of "living off the land" or compromising legitimate infrastructure; allow-listing is insufficient. Traffic analysis should look for anomalous large outbound transfers or beaconing patterns to these domains.
Tooling: Use VirusTotal or Hybrid Analysis for deep behavioral inspection of the hash samples. MISP or OpenCTI can be used to correlate these IOCs with known APT36 campaigns.

Detection Engineering

Sigma Rules

YAML

---
title: Potential Laravel Lang Backdoor Execution
id: 8c3f2d1a-1b4c-4a9e-9f0d-5e6f7a8b9c0d
description: Detects the execution of suspicious files associated with the Laravel Lang compromise (helpers.php or DebugChromium.exe) initiated by web server processes or developer environments.
status: experimental
date: 2026/05/31
author: Security Arsenal
tags:
    - attack.initial_access
    - attack.supply_chain
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\php.exe'
            - '\php-cgi.exe'
            - '\node.exe'
    filter_legit:
        CommandLine|contains:
            - 'artisan'
            - 'composer'
    selection_malware:
        CommandLine|contains:
            - 'helpers.php'
            - 'DebugChromium.exe'
    condition: selection and not filter_legit and selection_malware
falsepositives:
    - Legitimate developer testing (rare)
level: high
---
title: SideCopy XenoRAT Spearphishing LNK Execution
id: 7d2e1c9b-0a3d-4f8e-b1e2-3c4d5e6f7a8b
description: Detects execution patterns associated with SideCopy campaigns: LNK files spawning mshta.exe to fetch HTA payloads.
status: experimental
date: 2026/05/31
author: Security Arsenal
tags:
    - attack.initial_access
    - attack.execution
    - attack.t1566.001
logsource:
    category: process_creation
    product: windows
detection:
    selection_lnk:
        Image|endswith: '\explorer.exe'
        CommandLine|contains: '.lnk'
    selection_mshta:
        NewProcessName|endswith: '\mshta.exe'
        CommandLine|contains: '.hta'
    selection_remote:
        CommandLine|contains: 'http'
    condition: all of selection_*
falsepositives:
    - Low
level: critical
---
title: The Gentlemen Ransomware Go Binary Activity
id: 9f4e3d2c-2b5d-5a9f-c2f3-4d5e6f7a8b9c
description: Detects potential activity of The Gentlemen ransomware (Go-based) by identifying unsigned Go binaries performing rapid file modifications or encryption-like behavior.
status: experimental
date: 2026/05/31
author: Security Arsenal
tags:
    - attack.impact
    - attack.t1486
logsource:
    category: process_creation
    product: windows
detection:
    selection_go:
        Company: ''
        Description: ''
        Image|endswith: '.exe'
    selection_crypto:
        CommandLine|contains:
            - 'xchacha20'
            - 'curve25519'
            - 'encrypt'
    selection_behavior:
        Image|contains:
            - '\Temp\'
            - '\AppData\'
    condition: selection_go and 1 of selection_*
falsepositives:
    - Other Go-based security tools
level: high

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender

// Hunt for SideCopy LNK and MSHTA activity
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ((FileName == "explorer.exe" and ProcessCommandLine contains ".lnk") or (FileName == "mshta.exe" and ProcessCommandLine contains ".hta"))
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
| join kind=inner (DeviceNetworkEvents | where RemoteUrl has "abimj.edu.af") on DeviceName, Timestamp

// Hunt for Laravel Backdoor IOCs
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has "helpers.php" or ProcessCommandLine has "DebugChromium.exe"
| project Timestamp, DeviceName, AccountName, FolderPath, ProcessCommandLine

// Hunt for The Gentlemen Ransomware File Hashes
DeviceFileEvents
| where Timestamp > ago(7d)
| where SHA256 in ("22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67", "fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68")
| project Timestamp, DeviceName, FileName, SHA256, InitiatingProcessAccountName

PowerShell Hunt Script

PowerShell

<#
.SYNOPSIS
    IOC Hunt Script for Laravel, SideCopy, and Gentlemen campaigns.
.DESCRIPTION
    Checks DNS cache for C2 domains and running processes for known malicious file hashes.
#>

$MaliciousDomains = @("flipboxstudio.info", "abimj.edu.af")
$MaliciousHashes = @(
    "22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67",
    "fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68",
    "3b4194bdfe40d94031a94b30397ffd8a4b09d0a4057668e897b8bdcd1703dd01",
    "99127c8c67d90e2776beeb85281f9c68399bf4567b07a6b638d68b760212e88d"
)

Write-Host "[+] Checking DNS Cache for Malicious Domains..." -ForegroundColor Yellow
Get-DnsClientCache | Where-Object { $MaliciousDomains -contains $_.Entry } | Select-Object Entry, Data, Type

Write-Host "[+] Checking Running Processes for Malicious Hashes..." -ForegroundColor Yellow
$Processes = Get-Process
foreach ($Proc in $Processes) {
    try {
        $FullPath = $Proc.Path
        if ($FullPath -and (Test-Path $FullPath)) {
            $FileHash = (Get-FileHash -Path $FullPath -Algorithm SHA256).Hash.ToLower()
            if ($MaliciousHashes -contains $FileHash) {
                Write-Host "[!] ALERT: Malicious process detected: $($Proc.ProcessName) (PID: $($Proc.Id))" -ForegroundColor Red
                Write-Host "    Path: $FullPath" -ForegroundColor Red
            }
        }
    } catch {
        # Ignore access errors for system processes
    }
}

Write-Host "[+] Hunt Complete." -ForegroundColor Green

Response Priorities

Immediate:

Block all listed IOCs (flipboxstudio.info, abimj.edu.af, 103.132.98.224) on firewalls, proxies, and endpoints.
Scan all web servers and developer workstations for the specific Laravel package versions mentioned (laravel-lang/lang, etc.) and revert to known-good commits.
Isolate any endpoints flagging on the XenoRAT or Gentlemen file hashes.

24 Hours:

Conduct credential resets for developer accounts with access to the Laravel repositories, assuming helpers.php may have harvested keys.
Review network logs for any egress connections to the SideCopy C2 infrastructure, specifically looking for data exfiltration patterns from finance department segments.

1 Week:

Implement software composition analysis (SCA) and dependency pinning in CI/CD pipelines to prevent future supply chain injection.
Enhance email filtering for Pashto-language attachments and macro-enabled documents targeting the geographic region of interest.
Review backup immutability strategies given the self-propagating nature of The Gentlemen ransomware.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub