The Sharp Taste of Mimo’lette: Analyzing Mimo’s Latest Campaign targeting Craft CMS

The article analyzes the Mimo intrusion set exploiting CVE-2025-32432 in Craft CMS to deploy a loader, a crypto miner, and residential proxyware. It also identifies key attacker infrastructure, malware components, and possible operator attribution linked to TikTok profiles. #Mimo #CVE202532432 #XMRig #IPRoyal #MinusRansomware

Keypoints

  • The CVE-2025-32432 Remote Code Execution vulnerability affecting Craft CMS was actively exploited from mid-February 2025 before public disclosure.
  • Attackers deploy a webshell via crafted GET and POST requests to achieve remote code execution and subsequently run an infection script.
  • The infection installs a loader called 4l4md4r, which deploys XMRig crypto miner and IPRoyal residential proxy malware while hiding processes using a malicious shared library (alamdar.so) loaded via /etc/ld.so.preload.
  • Mimo intrusion set, active since 2022, is linked to these attacks and has also deployed Minus Ransomware as part of its campaign shifts.
  • The Monero wallet used for cryptomining has generated only modest revenue, suggesting either partial cleanup by the operators or reduced activity recently.
  • Operator attribution points to two TikTok profiles (@etxarny and @n1tr0_s) possibly located in Turkey, showing ideological links but primarily financial motivation.
  • Detection opportunities include Sigma rules (available in Sekoia Defend) for process execution from temporary directories and for kernel module alteration; the write to /etc/ld.so.preload that the loader performs is a further control point worth monitoring.
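Two host-side checks for the stealth mechanism described in the keypoints (a library path planted in /etc/ld.so.preload, and processes hidden from /proc listings by that library), as an added Python example; this is not code from the Sekoia report or from the Mimo tooling. The library prefixes treated as legitimate, the use of stat() versus readdir() as the discrepancy test, and the sample inputs are assumptions of the example.

```python
"""Added example (not Sekoia's or Mimo's code): audit /etc/ld.so.preload and
look for processes that a preloaded library hides from readdir() on /proc."""
import os
import re

PRELOAD_PATH = "/etc/ld.so.preload"
# Assumption of this example: a preload entry outside these directories
# deserves a look. Mimo fetched alamdar.so over HTTP, so a path under /tmp,
# /var/tmp or /dev/shm is the typical form such an entry takes.
SYSTEM_LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/",
                       "/usr/local/lib/")


def suspicious_preload_entries(content: str) -> list:
    """Return ld.so.preload entries outside the system library directories.

    glibc reads the file as a whitespace-separated list of shared objects and
    ignores text from '#' to end of line; ':' is split on too, as a precaution.
    """
    hits = []
    for raw in content.splitlines():
        line = raw.split("#", 1)[0]
        for path in re.split(r"[\s:]+", line):
            if path and not path.startswith(SYSTEM_LIB_PREFIXES):
                hits.append(path)
    return hits


def pids_from_listing(entries) -> set:
    """Numeric entries of a /proc listing (drops self, sys, net, ...)."""
    return {int(name) for name in entries if name.isdigit()}


def is_thread_group_leader(status_text: str, pid: int) -> bool:
    """True when /proc/<pid>/status reports Tgid == Pid, i.e. a real process.

    /proc/<tid> exists for non-leader threads as well (stat() succeeds) even
    though readdir() never lists them, so they must not be counted as hidden.
    """
    fields = dict(re.findall(r"^(\w+):\s*(\S+)", status_text, re.MULTILINE))
    return fields.get("Pid") == str(pid) and fields.get("Tgid") == str(pid)


def pid_present(pid: int) -> bool:
    """stat() the /proc entry directly; a readdir() hook cannot filter this."""
    try:
        os.stat("/proc/%d" % pid)
    except FileNotFoundError:
        return False
    return True


def scan_live() -> dict:
    """Run both checks on the local Linux host.

    Walks every PID up to pid_max (a few million stat() calls, so expect a
    few seconds). A process that exits between stat() and open() is skipped.
    """
    report = {"preload": [], "hidden": set()}
    if os.path.exists(PRELOAD_PATH):
        with open(PRELOAD_PATH) as fh:
            report["preload"] = suspicious_preload_entries(fh.read())
    with open("/proc/sys/kernel/pid_max") as fh:
        pid_max = int(fh.read())
    listed = pids_from_listing(os.listdir("/proc"))
    for pid in range(1, pid_max + 1):
        if pid in listed or not pid_present(pid):
            continue
        try:
            with open("/proc/%d/status" % pid) as fh:
                status = fh.read()
        except OSError:
            continue
        if is_thread_group_leader(status, pid):
            report["hidden"].add(pid)
    return report


if __name__ == "__main__":
    print(scan_live())
```

The discrepancy test only works while the preloaded library hooks readdir()/readdir64() but not stat() and open(); a library that hooks those too will evade it. Because ld.so.preload is applied by the dynamic linker, statically linked tools (a static busybox, or a forensic live medium) never load it, so running the same comparison from such a binary removes that blind spot.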

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – The attacker executes system commands through the webshell (the webshell itself is T1505.003, Server Software Component: Web Shell), with the command passed in a URL parameter (“remotely executed system commands supplied via the cmd URL parameter”).
  • [T1105] Ingress Tool Transfer – The infection script downloads remote payloads such as “4l4md4r.sh” using curl, wget, or python, facilitating further compromise.
  • [T1574.006] Hijack Execution Flow: Dynamic Linker Hijacking – The loader adds its library to /etc/ld.so.preload so that the dynamic linker injects it into every new process, which is how the malware hides its own processes (“adds the path to this library in /etc/ld.so.preload”); the hiding itself is rootkit behaviour (T1014).
  • [T1496.001] Resource Hijacking: Compute Hijacking – The XMRig cryptominer mines Monero with the victim's CPU (“miner configured to mine via the public mining pool MoneroOcean”).
  • [T1496.002] Resource Hijacking: Bandwidth Hijacking – The IPRoyal proxyware sells the victim's network bandwidth (“registers the infected device on the IPRoyal network”); this is monetisation, not lateral movement.
  • [T1190] Exploit Public-Facing Application – Crafted requests to the CMS endpoint exploit CVE-2025-32432 (“POST request to index.php?p=actions/assets/generate-transform with injected data”).
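The exploitation and post-exploitation requests quoted in the technique mapping above, turned into a log-side detector as an added Python example (not code from the Sekoia report): it parses combined-format access logs, tags requests that hit index.php?p=actions/assets/generate-transform or carry a cmd parameter, and raises a stronger tag when one source IP does both in that order. The sample log lines are constructed, the webshell filename and the pretty-URL path form of the action are assumptions, and the known-attacker IP is the one in the IOC list on this page.

```python
"""Added example (not from the Sekoia report): flag the request pattern the
summary quotes in combined-format access logs and group hits by source IP."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

EXPLOIT_ACTION = "actions/assets/generate-transform"   # quoted on this page
WEBSHELL_PARAM = "cmd"                                  # quoted on this page
KNOWN_ATTACKER_IPS = {"85.106.113.168"}                 # IOC listed on this page

# Constructed sample, not real telemetry. The webshell path /shell.php is an
# assumption; the page does not name the dropped file.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Feb/2025:03:12:44 +0000] "GET /index.php?p=actions/assets/generate-transform HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [20/Feb/2025:03:12:45 +0000] "POST /index.php?p=actions/assets/generate-transform HTTP/1.1" 200 87 "-" "python-requests/2.31"
203.0.113.7 - - [20/Feb/2025:03:12:51 +0000] "GET /shell.php?cmd=id HTTP/1.1" 200 40 "-" "curl/8.5.0"
198.51.100.23 - - [20/Feb/2025:03:13:02 +0000] "GET /index.php?p=blog/hello-world HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
85.106.113.168 - - [20/Feb/2025:03:15:10 +0000] "GET /robots.txt HTTP/1.1" 200 66 "-" "curl/8.5.0"
not a log line
"""


def parse_line(line: str):
    """Parse one access-log line; None when it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query, keep_blank_values=True)
    rec["status"] = int(rec["status"])
    return rec


def classify(rec) -> list:
    """Tags for one parsed request."""
    tags = []
    q = rec["query"]
    hits_action = (EXPLOIT_ACTION in q.get("p", [])
                   # pretty-URL form of the same action: an assumption
                   or rec["path"].endswith("/" + EXPLOIT_ACTION))
    if hits_action:
        tags.append("craftcms-generate-transform")
    if WEBSHELL_PARAM in q:
        tags.append("webshell-cmd-param")
    if rec["ip"] in KNOWN_ATTACKER_IPS:
        tags.append("known-attacker-ip")
    return tags


def analyze(lines) -> dict:
    """Map each source IP that earned at least one tag to its set of tags.

    An IP that hits the vulnerable action and later issues a cmd= request gets
    the extra tag 'exploit-then-shell': that ordering is the chain the summary
    describes and is much harder to explain as a scanner or a legitimate user.
    """
    by_ip = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for tag in classify(rec):
            if tag == "webshell-cmd-param" and "craftcms-generate-transform" in by_ip[rec["ip"]]:
                by_ip[rec["ip"]].add("exploit-then-shell")
            by_ip[rec["ip"]].add(tag)
    return {ip: tags for ip, tags in by_ip.items() if tags}


if __name__ == "__main__":
    for ip, tags in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, sorted(tags))
```

generate-transform is a legitimate Craft action, so a single hit on it is low fidelity on its own; the ordered pair with a cmd= request is the signal to page on. Access logs do not carry POST bodies, so the “injected data” the report describes is only visible with request-body logging or a WAF in front of the CMS.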

Indicators of Compromise

  • [File Hashes] Malicious payloads and scripts – 1aa4d88a38f5a27a60cfc6d6995f065da074ee340789ed00ddc29abc29ea671e (iproyal), a71680ffb4264e07da4aaca16a3f8831b9a30d444215268e82b2125a98b94aa (xmrig; as given on this page the value is 63 hex characters, so it is probably truncated and should be checked against the full report), plus hashes for alamdar.so and the Go loader in the full report.
  • [URLs] C&C and payload hosting – hxxp://15.188.246[.]198/alamdar.so, hxxp://15.188.246[.]198/4l4md4r.sh, hxxp://15.188.246[.]198/hezb.x86_64.
  • [Cryptocurrency Wallet] Monero wallet linked to mining – 46HmQz11t8uN84P8xgThrQXSYm434VC7hhNR8be4QrGtM1Wa4cDH2GkJ2NNXZ6Dr4bYg6phNjHKYJ1QfpZRBFYW5V6qnRJN.
  • [Email] Attacker account for IPRoyal – 4l4md4r[@]proton.me.
  • [IP Address] Source of exploitation attempts – 85.106.113[.]168 (Turkey, likely attacker’s personal IP).

Read more: https://blog.sekoia.io/the-sharp-taste-of-mimolette-analyzing-mimos-latest-campaign-targeting-craft-cms/