Hackers Exploit Craft CMS Vulnerability to Inject Cryptocurrency Miner Malware
Threat actors have exploited a critical Remote Code Execution (RCE) vulnerability, identified as CVE-2025-32432, in the Craft Content Management System (CMS).
Discovered by Orange Cyberdefense in mid-February 2025 and publicly disclosed on April 25, 2025, the flaw carries the maximum CVSS score of 10.0 because it can be exploited without authentication.
It affects Craft CMS 3.0.0-RC1 through 5.6.16 (fixed in 3.9.15, 4.14.15 and 5.6.17) and was under active exploitation before its disclosure, with multiple incidents recorded on honeypots between February 28 and May 2, 2025.
This exploitation has facilitated the deployment of malicious payloads, including cryptocurrency miners and proxyware, posing significant risks to unpatched systems.
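A quick way to triage an estate for this issue is to read the installed Craft version from composer.lock and compare it against the fixed releases. The script below is an added example for this article, not Craft's own tooling; it encodes the affected ranges from Craft's advisory (3.0.0-RC1 to 3.9.14, 4.0.0-RC1 to 4.14.14 and 5.0.0-RC1 to 5.6.16, fixed in 3.9.15, 4.14.15 and 5.6.17), and the composer.lock fragment it runs on is constructed for the demo.

```python
"""Check whether a Craft CMS install is in the range affected by CVE-2025-32432.
Added example for this article, not Craft's tooling. Affected ranges and fixes
follow Craft's advisory: 3.0.0-RC1..3.9.14, 4.0.0-RC1..4.14.14, 5.0.0-RC1..5.6.16
are vulnerable; 3.9.15, 4.14.15 and 5.6.17 are the first fixed releases."""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]

# First fixed release per major line; the trailing 1 marks a final (non pre-release) build.
FIXED = {3: (3, 9, 15, 1), 4: (4, 14, 15, 1), 5: (5, 6, 17, 1)}


def parse_version(text: str) -> Version:
    """'5.6.16', 'v5.6.17' or '4.0.0-RC1' -> sortable tuple; a pre-release
    tag (RC, beta) sorts below the final release carrying the same number."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d+)?)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)


def is_vulnerable(version: str) -> Optional[bool]:
    """True/False for the 3.x-5.x lines; None for a major the advisory does not cover."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    return None if fixed is None else v < fixed


def craft_version_from_lock(lock_text: str) -> Optional[str]:
    """Pull craftcms/cms out of composer.lock, the authoritative record of what is installed."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") == "craftcms/cms":
            return pkg["version"]
    return None


def check_lock_file(path: str) -> Optional[bool]:
    """Convenience wrapper for a real deployment: point it at <site>/composer.lock."""
    with open(path, encoding="utf-8") as fh:
        version = craft_version_from_lock(fh.read())
    return None if version is None else is_vulnerable(version)


# Constructed composer.lock fragment for the demo (not taken from a real site).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "yiisoft/yii2", "version": "2.0.49"},
    {"name": "craftcms/cms", "version": "5.6.16"},
]})

if __name__ == "__main__":
    found = craft_version_from_lock(SAMPLE_LOCK)
    print(found, "vulnerable" if is_vulnerable(found) else "patched")
```

Run it against each site's composer.lock rather than trusting the version string in the admin panel: an attacker who already has a webshell can edit the latter, while composer.lock is what `composer install` actually deployed.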
Critical RCE Flaw
The attackers, likely the Mimo intrusion set (also tracked as Hezb), open the campaign by exploiting CVE-2025-32432 to deploy a webshell, using a pair of specially crafted GET and POST requests.
In the honeypot captures, these requests abuse the flaw to write attacker-controlled content into a server-side PHP session file and then have the application execute it, which yields arbitrary command execution.
Detailed Infection Chain
Once access is gained, a script named “4l4md4r.sh” is downloaded and executed. It prepares the environment by stripping defensive configuration, killing competing processes, and fetching further malicious binaries, including the “4l4md4r” loader.
This Go-based, UPX-packed loader escalates privileges, deploys the XMRig cryptominer to mine Monero through the MoneroOcean pool, and installs IPRoyal proxyware to sell the victims’ bandwidth.
The loader also drops a malicious shared library, “alamdar.so,” and registers it via the LD_PRELOAD technique so that its processes are hidden from userland process listings.
Sekoia’s analysis of the associated Monero wallet shows a modest hashrate of 53.44 KH/s, earning roughly $9.45 USD per week, down sharply from the 540 KH/s reported in 2022, which suggests that many of the compromised systems have since been remediated.

Separately, evidence links Mimo to ransomware, specifically the Minus ransomware, whose Bitcoin wallet has collected over $35,000 USD in payments since 2022; the funds have since been laundered through multiple addresses.
Artifacts and social media activity point to the operators behind Mimo: handles such as “EtxArny” and “N1tr0” are tied to TikTok accounts that showcase exploit proof-of-concepts alongside ideological content about Middle Eastern affairs.
IP addresses used in the attacks, including one geolocated to Balıkesir, Turkey, further hint at the physical location of at least one operator.
Detection opportunities include monitoring for process execution from temporary directories and for dynamic linker hijacking (the LD_PRELOAD technique described above); Sekoia Defend ships Sigma rules that flag both behaviours.
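The two detection ideas above translate directly into a host triage script. The one below is an added example for this article, not Sekoia's Sigma rule set: it reports binaries running from /tmp, /var/tmp or /dev/shm, processes started with LD_PRELOAD set, and any entry in /etc/ld.so.preload, and it probes for PIDs that a readdir-hooking preload library has hidden from directory listings. The pure functions take data exactly as it is read from /proc and /etc, so they run on the constructed samples embedded here; scan_live() walks a real Linux /proc and needs root to read other users' environ files. The library and binary names it matches on (alamdar.so, 4l4md4r) are the ones from the article's IoCs.

```python
"""Host triage for dynamic-linker hijacking and execution from temp dirs.
Added example for this article, not Sekoia's Sigma rules. Pure functions take
data as read from /proc or /etc so they run on the constructed samples below;
scan_live() walks a real Linux /proc (other users' environ files need root)."""
import os
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

TEMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
SUSPECT_LIB_NAMES = ("alamdar.so",)  # from the article's IoC table


@dataclass
class Finding:
    pid: int  # 0 for host-wide findings such as /etc/ld.so.preload
    rule: str
    detail: str


def parse_environ(raw: bytes) -> Dict[str, str]:
    """/proc/<pid>/environ is a NUL-separated list of KEY=VALUE pairs."""
    env: Dict[str, str] = {}
    for item in raw.split(b"\0"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def parse_ld_so_preload(text: str) -> List[str]:
    """Whitespace/newline separated library paths; '#' starts a comment."""
    libs: List[str] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


def triage_ld_so_preload(text: str) -> List[Finding]:
    """On a server /etc/ld.so.preload is normally absent, so every entry is reported."""
    findings = []
    for lib in parse_ld_so_preload(text):
        reasons = []
        if lib.startswith(TEMP_PREFIXES):
            reasons.append("library in temp dir")
        if os.path.basename(lib) in SUSPECT_LIB_NAMES:
            reasons.append("matches known IoC name")
        findings.append(Finding(0, "ld_so_preload", f"{lib} ({', '.join(reasons) or 'unexpected entry'})"))
    return findings


def triage_process(pid: int, exe: Optional[str], environ: Dict[str, str],
                   cmdline: str = "") -> List[Finding]:
    """Checks on the resolved /proc/<pid>/exe link and the process environment."""
    findings = []
    if exe and exe.startswith(TEMP_PREFIXES):
        findings.append(Finding(pid, "exec_from_tmp", f"exe={exe} cmdline={cmdline!r}"))
    if environ.get("LD_PRELOAD"):
        findings.append(Finding(pid, "ld_preload_env", f"LD_PRELOAD={environ['LD_PRELOAD']}"))
    return findings


def find_hidden_pids(listed: Set[int], exists: Callable[[int], bool],
                     pid_max: int = 32768) -> List[int]:
    """A readdir-hooking preload library drops its PIDs from directory listings
    (ps, top, os.listdir) but usually not from direct path lookups, so probing
    every PID slot exposes the gap. `exists` is injected for offline testing."""
    return [pid for pid in range(1, pid_max + 1) if pid not in listed and exists(pid)]


def _read(path: str) -> bytes:
    with open(path, "rb") as fh:
        return fh.read()


def scan_live(proc: str = "/proc") -> List[Finding]:
    findings: List[Finding] = []
    if os.path.exists("/etc/ld.so.preload"):
        findings += triage_ld_so_preload(_read("/etc/ld.so.preload").decode(errors="replace"))
    pids = {int(n) for n in os.listdir(proc) if n.isdigit()}
    for pid in sorted(pids):
        try:
            exe: Optional[str] = os.readlink(f"{proc}/{pid}/exe")
            env = parse_environ(_read(f"{proc}/{pid}/environ"))
            cmd = _read(f"{proc}/{pid}/cmdline").replace(b"\0", b" ").decode(errors="replace")
        except OSError:
            continue  # kernel thread, already exited, or not readable without root
        findings += triage_process(pid, exe, env, cmd.strip())
    pid_max = int(_read(f"{proc}/sys/kernel/pid_max"))  # a 4M-slot pid space takes a few seconds
    for pid in find_hidden_pids(pids, lambda p: os.path.exists(f"{proc}/{p}/stat"), pid_max):
        findings.append(Finding(pid, "hidden_pid", "reachable in /proc but absent from its listing"))
    return findings


# Constructed sample data, modelled on the artefact names in the article.
SAMPLE_PRELOAD_FILE = "# constructed sample\n/tmp/alamdar.so\n"
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_PRELOAD=/tmp/alamdar.so\0HOME=/root\0"


def demo() -> List[Finding]:
    found = triage_ld_so_preload(SAMPLE_PRELOAD_FILE)
    found += triage_process(4242, "/tmp/4l4md4r", parse_environ(SAMPLE_ENVIRON), "/tmp/4l4md4r")
    found += triage_process(1, "/usr/lib/systemd/systemd", {"PATH": "/usr/bin"})
    return found


if __name__ == "__main__":
    for finding in scan_live():
        print(finding)
```

Because the script itself is a dynamically linked Python process, a preload library that hooks stat() as well as readdir() can still blind the hidden-PID probe; when a host is suspected of carrying such a library, run the check from a statically linked binary or from a live-boot image, and treat any non-empty /etc/ld.so.preload as a finding on its own.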
The campaign underscores Mimo’s agility in picking up new vulnerabilities and in diversifying its revenue across cryptomining, proxy services and ransomware. Organizations running Craft CMS should patch vulnerable instances without delay and strengthen detection for the behaviours described above.
Indicators of Compromise (IoCs)
Type | Indicator | Description |
---|---|---|
File Hash | 1aa4d88a38f5a27a60cfc6d6995f065da074ee340789ed00ddc29abc29ea671e | IPRoyal Malware |
File Hash | 3a71680ffb4264e07da4aaca16a3f8831b9a30d444215268e82b2125a98b94aa | XMRig Miner |
File Hash | fc04f1ef05847607bce3b0ac3710c80c5ae238dcc7fd842cd15e252c18dd7a62 | alamdar.sh Script |
File Hash | 7868cb82440632cc4fd7a451a351c137a39e1495c84172a17894daf1d108ee9a | alamdar.so Library |
File Hash | 2e46816450ad1b4baa85e2a279031f37608657be93e1095238e2b6c36bbb3fd5 | Go Loader |
URL | hxxp://15.188.246[.]198/alamdar.so | Malicious Download URL |
Monero Wallet | 46HmQz11t8uN84P8xgThrQXSYm434VC7hhNR8be4QrGtM1Wa4cDH2GkJ2NNXZ6Dr4bYg6phNjHKYJ1QfpZRBFYW5V6qnRJN | Cryptomining Wallet |
Email | 4l4md4r[@]proton.me | IPRoyal Account |