A financially motivated threat actor has been observed exploiting a recently disclosed remote code execution flaw affecting the Craft Content Management System (CMS) to deploy multiple payloads, including a cryptocurrency miner, a loader dubbed Mimo Loader, and residential proxyware.
The vulnerability in question is CVE-2025-32432, a maximum severity flaw in Craft CMS that was patched in versions 3.9.15, 4.14.15, and 5.6.17. The existence of the security defect was first disclosed in April 2025 by Orange Cyberdefense SensePost after it was observed in attacks earlier this February.
According to a new report published by Sekoia, the threat actors behind the campaign weaponized CVE-2025-32432 to obtain unauthorized access to the target systems and then deploy a web shell to enable persistent remote access.
The web shell is then used to download and execute a shell script (“4l4md4r.sh”) from a remote server using curl, wget, or the Python library urllib2.
“Regarding the use of Python, the attacker imports the urllib2 library under the alias fbi. This unusual naming choice may be an intentional reference — possibly a tongue-in-cheek nod to the American federal agency — and stands out as a distinctive coding choice,” Sekoia researchers Jeremy Scion and Pierre Le Bourhis said.
“This naming convention could serve as a useful indicator for detection, especially in threat hunting or retroactive analysis of suspicious Python activity.”
The shell script, for its part, first checks for indicators or prior infection, as well as uninstalls any version of a known cryptocurrency miner. It also terminates all active XMRig processes and other competing cryptomining tools, if any, before delivering next-stage payloads and launching an ELF binary named “4l4md4r.”
The executable, known as Mimo Loader, modifies “/etc/ld.so.preload,” a file read by the dynamic linker, to hide the presence of the malware process (“alamdar.so”). The ultimate goal of the loader is to deploy the IPRoyal proxyware and the XMRig miner on the compromised host.
This allows the threat actor to not only abuse the system resources for illicit cryptocurrency mining, but also monetize the victim’s internet bandwidth for other malicious activities — techniques commonly referred to as cryptojacking and proxyjacking, respectively.
The threat activity has been attributed to an intrusion set dubbed Mimo (aka Hezb), which is believed to be active since March 2022, previously relying on vulnerabilities in Apache Log4j (CVE-2021-44228), Atlassian Confluence (CVE-2022-26134), PaperCut (CVE-2023–27350), and Apache ActiveMQ (CVE-2023-46604) to deploy the miner.
The hacking group, per a report published by AhnLab in January 2024, has also been observed staging ransomware attacks in 2023 using a Go-based strain known as Mimus, which is a fork of the open-source MauriCrypt project.
Sekoia said the exploitation efforts originate from a Turkish IP address (“85.106.113[.]168”) and that it uncovered open-source evidence that points to Mimo being a threat actor who is physically located in the country.
“Initially identified in early 2022, the Mimo intrusion set has been characterised by its consistent exploitation of vulnerabilities for the purpose of cryptominer deployment,” the French cybersecurity company said. “Ongoing investigation confirms that Mimo remains active and operational, continuing to exploit newly disclosed vulnerabilities.”
“The short timeframe observed between the publication of CVE-2025-32432, the release of a corresponding proof-of-concept (PoC), and its subsequent adoption by the intrusion set, reflects a high level of responsiveness and technical agility.”
