The Sharp Taste of Mimo'lette: Analyzing Mimo's Latest Campaign targeting Craft CMS
Essential information
- Published
- 27/05/2025 19:02
- Modified
- 28/05/2025 13:14
- Tags
- 2025-05-27 CVE-2025-32432 craft cms cryptomining iproyal minus ransomware residential proxy webshell xmrig
- Related entities
- 2 vulnerabilities (cve), 8 observables, 1 intrusion sets (apt), 8 techniques (mitre), 3 malware, 1 others
Description
Between February and May, multiple exploitations of CVE-2025-32432, a Remote Code Execution vulnerability in Craft CMS, were observed. The attack chain involves deploying a webshell, downloading an infection script, and executing malicious payloads including a loader, crypto miner, and residential proxyware. The Mimo intrusion set is believed responsible, using distinctive identifiers like '4l4md4r' and 'n1tr0'. The group deploys XMRig for cryptomining and IPRoyal for bandwidth monetization. Two potential operators, 'EtxArny' and 'N1tr0', were identified through social media analysis. While showing interest in Middle Eastern affairs, the group's primary motivation appears financial. Detection opportunities include monitoring for unusual processes in temporary directories and kernel module alterations.