It has been observed that financially motivated threat actors take advantage of the recently disclosed flaws in remote code execution to influence Craft Content Management Systems (CMS) and deploy multiple payloads, including cryptocurrency miners, loaders known as MIMO loaders, and residential proxyware.
The vulnerability in question is CVE-2025-32432, a maximum severity flaw in the craft CMS patched in versions 3.9.15, 4.14.15, and 5.6.17. The existence of the security flaw was first disclosed in April 2025 by the orange Cyber Defense Sense Post.
According to a new report published by Sekoia, the threat behind the campaign weaponized CVE-2025-32432 to gain unauthorized access to the target system and deploy a web shell to allow for permanent remote access.
The web shell is used to download and run shell scripts (“4L4MD4R.SH”) from a remote server using Curl, Wget, or the Python library Urllib2.
“In regards to using Python, attackers import the urllib2 library under the alias FBI. This unusual naming choice may be a deliberate reference, perhaps a tongue nod to the US federal agency.
“This naming convention may serve as a useful indicator of detection, particularly in retrospect analysis of threat hunting or suspicious Python activities.”
The shell script first checks for that part for indicators or previous infections and uninstalls any version of known cryptocurrency miners. It also delivers the payload for the next stage and terminates all active XMRIG processes and other conflicting encryption tools before launching an ELF binary named “4L4MD4R”.
An executable file known as Mimo Loader modifies the file “/etc/ld.so.preload” read by the dynamic linker to hide the existence of malware processes (“alamdar.so”). The ultimate goal of the loader is to deploy iProyal Proxyware and Xmrig Miner on compromised hosts.
This allows threat actors to not only abuse system resources for illegal cryptocurrency mining, but also monetize victims’ internet bandwidth for other malicious activities.
Threat activity is attributed to an intrusion set called MIMO (also known as MIMO). This is believed to be dependent on a vulnerability in Apache log4J (CVE-2021-44228) before March 2022. (CVE-2023-46604) Minors will be deployed.
The Hacking Group observed staging of ransomware attacks in 2023 using a GO-based stock known as Mimus, a fork of the open source Mauricrypt project. According to a report published by AHNLAB in January 2024, in 2023.
Sekoia said the exploitation efforts stem from the Turkish IP address (“85.106.113(.)168”) and revealed open source evidence that Mimo is a threat actor physically located in the country.
“The MIMO intrusion set, first identified in early 2022, is characterized by the consistent exploitation of vulnerabilities aimed at deploying cryptographic encryption,” says the French cybersecurity company. “Continued research confirms that MIMO remains active and operational, and continues to exploit the newly disclosed vulnerabilities.”
“The short time frame observed between the publication of CVE-2025-32432, the release of the corresponding proof of concept (POC) and subsequent adoption by the intrusion set reflects a high level of responsiveness and technical agility.”
