The Sharp Taste of Mimo'lette: Analyzing Mimo's Latest Campaign targeting Craft CMS

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

Between February and May, multiple exploitations of CVE-2025-32432, a Remote Code Execution vulnerability in Craft CMS, were observed. The attack chain involves deploying a webshell, downloading an infection script, and executing malicious payloads, including a loader, a crypto miner, and residential proxyware. The Mimo intrusion set is believed to be responsible, based on distinctive identifiers such as '4l4md4r' and 'n1tr0'. The group deploys XMRig for cryptomining and IPRoyal for bandwidth monetization. Two potential operators, 'EtxArny' and 'N1tr0', were identified through social media analysis. While the group shows interest in Middle Eastern affairs, its primary motivation appears to be financial. Detection opportunities include monitoring for unusual processes running from temporary directories and for kernel module alterations.

OPENCTI LABELS:

cryptomining, xmrig, webshell, iproyal, residential proxy, minus ransomware, cve-2025-32432, craft cms
