On May 27, 2025, cybersecurity researchers disclosed a widespread campaign exploiting a critical remote code execution vulnerability in Craft CMS, enabling threat actors to deploy cryptocurrency miners and proxyware across vulnerable web servers. The attack, attributed to the Mimo intrusion set, exposes how web infrastructure vulnerabilities can be weaponized for crypto-specific crime — and what the broader blockchain community should learn from it.
The Threat Landscape
The vulnerability, tracked as CVE-2025-32432, carries the maximum CVSS score of 10 due to its unauthenticated nature. Affecting Craft CMS versions from 3.0.0-RC1 through 5.6.17, the flaw was discovered by Orange Cyberdefense in mid-February 2025 and publicly disclosed on April 25. However, evidence shows the vulnerability was being actively exploited even before disclosure, with multiple incidents recorded on honeypots between February 28 and May 2.
For the cryptocurrency ecosystem, this attack is particularly relevant because it demonstrates how non-crypto-specific infrastructure vulnerabilities can be leveraged for crypto-mining operations. The attackers deployed XMRig, a well-known Monero mining tool, turning compromised servers into passive income generators for the threat group.
Core Principles
The attack followed a systematic infection chain. The Mimo group exploited CVE-2025-32432 to deploy a webshell, enabling remote access through specially crafted GET and POST requests that manipulated server-side session files. Once access was established, a script called “4l4md4r.sh” was downloaded and executed, which prepared the environment by clearing defensive configurations and terminating competing processes before downloading the main malicious payload.
The core payload included a Go-based loader packed using UPX that performed three key functions: escalating privileges on the compromised system, deploying the XMRig cryptominer configured to mine Monero via the MoneroOcean pool, and installing IPRoyal proxyware to monetize the victim’s bandwidth. The loader also employed the LD_PRELOAD technique with a malicious library called “alamdar.so” to hide its processes from system monitoring tools.
Tooling and Setup
The cryptocurrency mining operation, while technically sophisticated in its deployment, yielded relatively modest returns. Analysis of the associated Monero wallet revealed a hashrate of 53.44 KH/s, generating approximately $9.45 USD weekly — a sharp decline from the 540 KH/s the group reportedly achieved in 2022. This suggests many previously compromised systems may have been remediated over time.
However, the Mimo group’s operations extend beyond mining. Evidence links the threat actors to ransomware deployment — specifically the Minus Ransomware — with a Bitcoin wallet amassing over $35,000 in payments since 2022. These funds have been laundered through multiple addresses, demonstrating a multi-stream revenue model that combines cryptomining, proxyware monetization, and ransomware.
Ongoing Vigilance
For cryptocurrency businesses and Web3 projects, the Craft CMS campaign offers several important lessons. First, any web-facing infrastructure — even content management systems that appear unrelated to crypto operations — can become an attack vector for cryptocurrency-focused crime. Second, the use of LD_PRELOAD rootkit techniques means that standard monitoring tools may not detect illicit mining operations on compromised servers.
Organizations should implement dedicated cryptocurrency mining detection tools that can identify unusual CPU and GPU usage patterns, monitor network connections to known mining pools like MoneroOcean, and deploy kernel-level monitoring that can detect LD_PRELOAD hijacking attempts.
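The two host-level checks recommended above, as an added example that is not from the original article or the researchers' report: it flags preloaded libraries recorded in /etc/ld.so.preload or in a process's LD_PRELOAD environment, and compares PIDs enumerated from /proc against what ps reports, since a preloaded library that hooks readdir hides processes from ps but not from a vantage point it was never loaded into. The library install path, PIDs and environment values are constructed sample data, not indicators from the campaign.

```python
import re

# Constructed sample data (not from the page): what a responder might collect from a
# host running an LD_PRELOAD rootkit like the "alamdar.so" library described above.
SAMPLE_LD_SO_PRELOAD = "/usr/local/lib/alamdar.so\n"   # hypothetical install path
SAMPLE_PROC_ENVIRON = {                                  # pid -> environment variables
    1234: {"PATH": "/usr/bin", "LD_PRELOAD": "/usr/local/lib/alamdar.so"},
    2001: {"PATH": "/usr/bin"},
}
# PIDs seen by walking /proc from a vantage point the library is not loaded into
# (a statically linked binary, or the host from the hypervisor), versus what `ps` shows.
SAMPLE_PROC_PIDS = {1, 1234, 2001, 4242}
SAMPLE_PS_PIDS = {1, 2001, 4242}

# Directories where packaged libraries live; anything preloaded from elsewhere is odd.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")


def suspicious_preloads(ld_so_preload_text, proc_environ):
    """Return (library_path, where_found) for every preloaded library outside trusted dirs.

    /etc/ld.so.preload is normally absent, so even a trusted-path entry there deserves
    a manual look; this function only reports the clearly out-of-place ones.
    """
    findings = []
    # ld.so.preload holds whitespace-separated library paths, one or more per line
    for path in ld_so_preload_text.split():
        if not path.startswith(TRUSTED_LIB_DIRS):
            findings.append((path, "/etc/ld.so.preload"))
    # LD_PRELOAD may be colon- or space-separated
    for pid, env in proc_environ.items():
        for path in re.split(r"[:\s]+", env.get("LD_PRELOAD", "")):
            if path and not path.startswith(TRUSTED_LIB_DIRS):
                findings.append((path, f"/proc/{pid}/environ"))
    return findings


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but missing from ps output: the signature of readdir hooking."""
    return sorted(proc_pids - ps_pids)


if __name__ == "__main__":
    for path, where in suspicious_preloads(SAMPLE_LD_SO_PRELOAD, SAMPLE_PROC_ENVIRON):
        print(f"suspicious preload {path} found in {where}")
    for pid in hidden_pids(SAMPLE_PROC_PIDS, SAMPLE_PS_PIDS):
        print(f"pid {pid} exists in /proc but is hidden from ps")
```

Because /etc/ld.so.preload affects every dynamically linked program on the host, the /proc enumeration must come from a static binary or from outside the guest for the PID comparison to be meaningful.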
Final Takeaway
The convergence of traditional web exploitation and cryptocurrency crime continues to accelerate. The Mimo group’s campaign against Craft CMS demonstrates that threat actors are diversifying their revenue streams across mining, proxyware, and ransomware — all facilitated by cryptocurrency. As Bitcoin trades near $108,994 and Ethereum at $2,663, the financial incentives for such attacks only grow stronger. Infrastructure security is no longer just a web operations concern — it is a fundamental component of the cryptocurrency security landscape.
Disclaimer: This article is for informational purposes only and does not constitute financial advice. Always conduct your own research before making investment decisions.
ASIC efficiency improvements are making older rigs obsolete fast
sats_only_: ASIC efficiency improvements making older rigs obsolete is the planned obsolescence of mining. You either upgrade or you lose money.
Immersion cooling is the future of efficient mining operations
Mining difficulty adjustments are the most elegant economic mechanism
CMS plugins as attack vectors is underrated. Every WordPress or Craft install with 20 plugins is a ticking time bomb for cryptominer injection.
plugin_audit: every Craft install I've audited has at least 2-3 abandoned plugins. XMRig deployment takes one vulnerable plugin and you've got a cryptominer eating your CPU.
20 plugins and half of them haven't been updated in 2 years. Every CMS audit I've done has at least one abandoned plugin.
James Wilson: immersion cooling is cool, but the Craft CMS attack shows software supply chains are the real threat vector for mining operations.
CVSS 10.0 and being exploited before disclosure. The window between discovery and patch is where all the damage happens.
Marta Szymanska: the exploit window was Feb 28 to May 2 on honeypots. Almost 3 months of active exploitation before Orange Cyberdefense even disclosed. That's terrifying.