
Sekoia’s latest threat intelligence report describes a targeted campaign exploiting CVE-2025-32432, a critical unauthenticated remote code execution (RCE) vulnerability in the Craft CMS platform. The threat actor behind the attacks, tracked as Mimo (also known as Hezb), deploys a malware cocktail of webshells, loaders, cryptominers, and proxyware to maximize profit from compromised systems.
Between February 28 and May 2, researchers observed Mimo exploiting this flaw in the wild, using a multi-stage infection chain to deliver a Golang-based loader dubbed “alamdar”, followed by installation of the XMRig miner and IPRoyal proxyware.
The vulnerability affects Craft CMS versions:
- 3.0.0-RC1 to <3.9.15
- 4.0.0-RC1 to <4.14.15
- 5.0.0-RC1 to <5.6.17
Discovered by Orange Cyberdefense and publicly disclosed on April 25, 2025, the flaw enables unauthenticated RCE through carefully crafted HTTP requests. According to Sekoia:
“The attacker exploited CVE-2025-32432 to gain unauthorised access to the target system by deploying a webshell to facilitate remote access.”
The two-step exploit sequence uses a crafted GET request to inject a PHP-based webshell, then a POST request to trigger a deserialization bug, allowing shell command execution.
Once inside, the attacker fetches and executes a remote infection script (4l4md4r.sh). This script performs system reconnaissance, kills competing malware, and downloads three components:
- Alamdar Loader (ELF binary)
- IPRoyal Proxyware (hezb.x86_64)
- XMRig Cryptominer (alamdar)
“The script executes the downloaded binary named 4l4md4r… the loader downloads and executes the Residential Proxy binary IPRoyal… and the XMRig miner.”
The loader employs LD_PRELOAD hijacking with a malicious shared library (alamdar.so) to conceal its presence: the library is loaded into other processes ahead of libc and intercepts library calls such as readdir and getpid, so directory listings and process IDs returned to those processes can be filtered or falsified.
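The hiding technique just described can be checked from the defender's side without trusting the view a hooked process returns. The Python below is an added example, not code from Sekoia's report or from this article. It assumes a Linux host and inspects three things: libraries registered for preloading in /etc/ld.so.preload or in a process's LD_PRELOAD environment; PIDs that a direct stat() of /proc/<pid> finds but a readdir() listing of /proc omits; and whether libc's getpid() agrees with the kernel's /proc/self link. The sample data (the /tmp/.x path, the environment blobs, the PID sets) is constructed for the example; only the library name alamdar.so comes from the article.

```python
"""Defender-side checks for LD_PRELOAD-based hiding (added example, not from the report).

Check 1: preload configuration. Libraries named in /etc/ld.so.preload or in a
process's LD_PRELOAD environment are injected into every dynamically linked
program (or into that process), so any entry outside the system library
directories deserves review.

Check 2: hidden PIDs. A preloaded readdir() hook can filter entries out of a
listing of /proc, but it does not intercept a direct stat() of /proc/<pid>, so
the two views disagree exactly on the PIDs the hook removed.

Check 3: getpid() consistency. A hooked getpid() can lie to the calling
process, but the kernel still reports the true PID through the /proc/self link.
"""
import os
import re
from typing import Iterable, List

# Where legitimately preloaded libraries normally live (assumption; tune per distro).
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def collect_preloads(preload_file_text: str, environ_blocks: Iterable[bytes]) -> List[str]:
    """Return every library path configured for preloading, de-duplicated and sorted.

    preload_file_text: contents of /etc/ld.so.preload ('#' starts a comment).
    environ_blocks: raw /proc/<pid>/environ contents (NUL-separated KEY=VALUE).
    """
    found = set()
    for line in preload_file_text.splitlines():
        line = line.split("#", 1)[0].strip()
        found.update(line.split())
    for blob in environ_blocks:
        for entry in blob.split(b"\0"):
            if entry.startswith(b"LD_PRELOAD="):
                value = entry[len(b"LD_PRELOAD="):].decode(errors="replace")
                # ld.so accepts colon- or space-separated lists.
                found.update(p for p in re.split(r"[:\s]+", value.strip()) if p)
    return sorted(found)


def outside_trusted_dirs(paths: Iterable[str]) -> List[str]:
    """Subset of paths not under a trusted library directory (a triage filter, not proof)."""
    return [p for p in paths if not p.startswith(TRUSTED_LIB_DIRS)]


def hidden_pids(listed: Iterable[int], probed: Iterable[int]) -> List[int]:
    """PIDs found by direct stat() of /proc/<pid> but missing from the readdir() listing."""
    return sorted(set(probed) - set(listed))


def listed_proc_pids() -> set:
    """PIDs as reported by readdir() on /proc: the view a preloaded hook can filter."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probed_proc_pids(max_pid: int = 65536) -> set:
    """PIDs found by stat()ing /proc/<pid> directly. Raise max_pid to pid_max for a full sweep."""
    return {pid for pid in range(1, max_pid + 1) if os.path.exists(f"/proc/{pid}")}


def getpid_mismatch() -> bool:
    """True when libc's getpid() disagrees with the kernel's /proc/self link."""
    return os.getpid() != int(os.readlink("/proc/self"))


# Constructed sample data (not from the report). /tmp/.x is a placeholder path;
# alamdar.so is the library name given in the article. The second process uses
# LD_PRELOAD legitimately, which is why the trusted-directory filter matters.
SAMPLE_PRELOAD_FILE = "# added by the loader\n/tmp/.x/alamdar.so\n"
SAMPLE_ENVIRON = [
    b"PATH=/usr/bin:/bin\0LD_PRELOAD=/tmp/.x/alamdar.so\0HOME=/root\0",
    b"PATH=/usr/bin\0LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libfakeroot/libfakeroot-0.so\0",
]
SAMPLE_LISTED = {1, 2, 3, 900}         # what a hooked readdir() returned
SAMPLE_PROBED = {1, 2, 3, 900, 4242}   # what stat() on /proc/<pid> found


if __name__ == "__main__":
    preloads = collect_preloads(SAMPLE_PRELOAD_FILE, SAMPLE_ENVIRON)
    print("sample preloads:", preloads)
    print("sample preloads outside trusted dirs:", outside_trusted_dirs(preloads))
    print("sample hidden PIDs:", hidden_pids(SAMPLE_LISTED, SAMPLE_PROBED))
    if os.path.isdir("/proc"):  # live checks, Linux only
        print("live hidden PIDs:", hidden_pids(listed_proc_pids(), probed_proc_pids()))
        print("live getpid() mismatch:", getpid_mismatch())
```

The PID cross-check only works because the hook named in the article covers readdir and not stat; an implant that also hooks stat() or readlink() would blunt checks 2 and 3 from inside a dynamically linked Python process, so on a suspect host the stronger form is to run the same comparison from a statically linked tool or from a live-response image that does not load the host's ld.so.preload at all.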
Mimo’s dual monetization strategy reflects a trend among resource-savvy cybercriminals: mining cryptocurrency and selling network bandwidth via residential proxy services.
- XMRig: mines Monero via the MoneroOcean pool.
  - Wallet: 46HmQz11t8uN84P8xg…
  - Weekly yield: ~$9.45 USD
- IPRoyal Pawns:
  - Covertly monetizes the victim’s IP address.
  - Accepts login credentials and TOS acceptance silently.
“This strategy reflects a pragmatic approach to resource monetisation, extracting value from both computational power and bandwidth.”
Through extensive OSINT and IoC analysis, Sekoia links this activity to the Mimo intrusion set, active since at least 2022. The aliases EtxArny and N1tr0 have emerged as likely operators, based on:
- TikTok videos demonstrating CVE exploits.
- Use of aliases “4l4md4r” and “Hezb” in code and social media.
- Shared cryptocurrency wallets and infrastructure.
“The TikTok account operated under the alias ‘EtxArny’ appears to incorporate this symbolic pattern… and may be affiliated with the Mimo intrusion set.”
Organizations running Craft CMS are urged to patch immediately, review web server and system logs for the indicators of compromise (IoCs) published in the report, and enforce strict controls over system binaries (including preloaded shared libraries) and outbound connections.