Between February and May 2025, the intrusion set known as Mimo exploited CVE-2025-32432, a critical unauthenticated remote code execution flaw in Craft CMS (3.x, 4.x and 5.x; fixed in 3.9.15, 4.14.15 and 5.6.17), to deploy a multi-stage infection chain that was captured on honeypots. The attack began with a crafted GET request that wrote a PHP webshell to the server, followed by a POST request exploiting a deserialization flaw to invoke the webshell and run arbitrary commands. The webshell then downloaded a remote shell script (4l4md4r.sh), which in turn deployed a Go-based loader. The loader fetched and executed two payloads: XMRig for cryptomining and IPRoyal, a residential proxyware that monetizes the victim's bandwidth by selling it as a residential exit.
To evade detection, Mimo used LD_PRELOAD hijacking through a malicious shared object (alamdar.so) to hide its processes and files from userland tools such as ps and ls. Because this technique only hooks libc calls in the processes that load the library, it does not affect the kernel's view: direct reads of /proc and kernel-side telemetry (auditd, eBPF) still see the hidden activity. Mimo also ran process-killing routines to remove competing cryptominers and keep the host's CPU for itself. The group, active since 2022, has recently diversified into Minus Ransomware to add another revenue stream. Several recurring identifiers, including the names 4l4md4r and alamdar and social media links (for example the TikTok user @EtxArny), tied this campaign to Mimo. Some indicators point to a Turkey-based operator with ideological as well as financial motivations, but the overarching driver appears to be financial gain through system exploitation.