Rising Cyber Threat: Exploiting Vulnerabilities in Craft CMS for Cryptocurrency Mining and Proxyjacking

A new wave of cyberattacks has emerged, targeting users of Craft Content Management System (CMS) through a recently discovered vulnerability, CVE-2025-32432. This flaw, which poses a significant risk to affected systems, is being exploited by financially motivated threat actors to deploy various malicious payloads. These include cryptocurrency miners, a loader known as Mimo Loader, and residential proxyware. This article takes a deep dive into the technicalities of the attack, its effects, and the actors behind it.

The vulnerability, CVE-2025-32432, was disclosed in April 2025 by Orange Cyberdefense SensePost after the exploit was observed in attacks dating back to February of the same year. The flaw was patched in Craft CMS versions 3.9.15, 4.14.15, and 5.6.17. However, even after the fix, threat actors have continued their campaign by taking advantage of unpatched systems. According to Sekoia’s latest findings, these attackers are using the vulnerability to gain unauthorized access to target systems and deploy a web shell. The web shell facilitates persistent remote access and enables the download of malicious scripts to compromise the system further.

The Attack Process

The attackers initially use the web shell to download a shell script titled “4l4md4r.sh” from a remote server. The script is executed via common tools such as curl, wget, or the Python library urllib2. Upon execution, the script performs checks for any prior infections or signs of cryptomining activity and terminates any running cryptomining processes. Once these steps are completed, it deploys the Mimo Loader.

The Mimo Loader is a sophisticated piece of malware that hides its presence by modifying system files like “/etc/ld.so.preload.” Its primary goal is to launch the IPRoyal proxyware and the XMRig miner. These two components enable the attacker to mine cryptocurrency using the victim’s computing resources (cryptojacking) and also hijack the victim’s internet bandwidth (proxyjacking) for further malicious activities.

This attack chain has been attributed to a hacking group known as Mimo, which has been active since early 2022. The group has a history of exploiting various vulnerabilities, including flaws in Apache Log4j, Atlassian Confluence, PaperCut, and Apache ActiveMQ, to deploy malicious payloads. Notably, Mimo is believed to be based in Turkey, with traces of its activity pointing to a Turkish IP address.

What Undercode Says:

From an analytical perspective, this attack highlights several disturbing trends in the realm of cybercrime. The Mimo intrusion set’s high level of responsiveness to newly discovered vulnerabilities showcases a growing trend of swift adaptation among threat actors. Unlike traditional malware campaigns that take months to develop after a vulnerability is disclosed, Mimo’s rapid exploitation of CVE-2025-32432 demonstrates how quickly financially motivated groups can move to take advantage of security flaws.

The use of both cryptojacking and proxyjacking techniques within a single attack shows the dual motivations of attackers in today’s digital landscape. While the XMRig miner uses the victim’s computing power for illicit cryptocurrency mining, the IPRoyal proxyware allows attackers to use the victim’s internet connection for a variety of other malicious purposes, such as hiding their identity during further attacks or routing malicious traffic through compromised networks.

Additionally, the deliberate naming choice of the Python urllib2 library as “fbi” within the malicious code is an intriguing and somewhat humorous touch. This unusual naming convention could be a deliberate attempt to evade detection or simply a signature of the hacker’s personal style. Regardless, it adds a layer of complexity to detection efforts, highlighting how threat actors constantly evolve their tactics to avoid cybersecurity defenses.
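A defender-side triage script for the two host-level traces the article describes: the entry Mimo Loader adds to /etc/ld.so.preload, and the XMRig/IPRoyal processes it launches, plus the urllib2-as-"fbi" alias noted above. This is an added example, not Sekoia's or Undercode's code; the marker strings and the exact alias syntax (`import urllib2 as fbi`) are assumptions drawn from the article's wording, not published indicators.

```python
#!/usr/bin/env python3
"""Linux host triage for the Mimo chain (added example; indicators are
assumptions based on names the article mentions, not published IoCs)."""
import os
import re

PRELOAD_PATH = "/etc/ld.so.preload"
# Constructed markers: the miner, the proxyware and the dropper script name.
PROCESS_MARKERS = ("xmrig", "iproyal", "4l4md4r")
# Assumed form of the alias the article describes (urllib2 imported as "fbi").
ALIAS_RE = re.compile(r"\bimport\s+urllib2\s+as\s+fbi\b")


def suspicious_preload_entries(preload_text, allowed_prefixes=("/usr/lib", "/lib")):
    """Return ld.so.preload entries that point outside trusted library dirs.
    An untouched host usually has no such file at all, so any entry is worth
    a look; entries under /tmp, /dev/shm or hidden dirs are the classic sign."""
    hits = []
    for raw in preload_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith(allowed_prefixes):
            hits.append(line)
    return hits


def flag_processes(cmdlines):
    """cmdlines: iterable of (pid, command line). Returns pids whose command
    line carries one of the miner/proxyware markers."""
    return [pid for pid, cmd in cmdlines
            if any(m in cmd.lower() for m in PROCESS_MARKERS)]


def script_uses_fbi_alias(script_text):
    """True if a recovered Python script aliases urllib2 as 'fbi'."""
    return bool(ALIAS_RE.search(script_text))


def read_cmdlines():
    """Collect (pid, cmdline) pairs from /proc; Linux only."""
    out = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                out.append((int(pid), f.read().replace(b"\0", b" ").decode(errors="replace")))
        except OSError:
            continue  # process exited or is not readable
    return out


if __name__ == "__main__":
    text = open(PRELOAD_PATH).read() if os.path.exists(PRELOAD_PATH) else ""
    print("ld.so.preload review:", suspicious_preload_entries(text) or "clean")
    print("suspicious pids:", flag_processes(read_cmdlines()) or "none")
```

Run it as root on a suspect host; the functions also accept captured file and process listings, so the same checks can be applied to forensic exports offline.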

One of the most worrying aspects of this attack is the attribution to a single group, Mimo, which has a history of leveraging multiple vulnerabilities across different software platforms. The fact that they continue to exploit newly disclosed flaws shows how persistent and adaptable cybercriminal organizations have become. Despite patches being released, their attacks continue, pointing to the need for more proactive and comprehensive cybersecurity strategies to detect and mitigate such threats.

Fact Checker Results:

CVE-2025-32432 was disclosed in April 2025 and patched shortly after, but the flaw is still being exploited.
The Mimo group has been active since 2022, exploiting a range of vulnerabilities.

The use of

Prediction:

The trend of rapid exploitation of newly disclosed vulnerabilities is likely to continue, with cybercriminals becoming more agile and sophisticated. As threat actors refine their tactics, we can expect a rise in hybrid attacks combining cryptojacking, proxyjacking, and other malicious activities. CMS platforms like Craft are increasingly becoming attractive targets, and organizations must prioritize timely patching and robust security measures to defend against evolving threats. Moreover, threat hunters and cybersecurity firms will need to focus on developing better tools for early detection of such fast-moving intrusions.

References:

Reported By: thehackernews.com