The Sharp Taste of Mimo'lette: Analyzing Mimo's Latest Campaign targeting Craft CMS

Severity: Medium
Published: Tue May 27 2025 (05/27/2025, 19:02:23 UTC)
Source: AlienVault OTX General

Description

The Mimo intrusion set is exploiting CVE-2024-46483, a Remote Code Execution vulnerability in Craft CMS, to deploy webshells and execute malicious payloads. The attack chain includes downloading infection scripts and deploying a loader, cryptominer (XMRig), and residential proxyware (IPRoyal) for financial gain. The group uses unique identifiers such as '4l4md4r' and 'n1tr0' and has been linked to operators 'EtxArny' and 'N1tr0'. Detection can focus on unusual processes in temporary directories and kernel module changes. The campaign targets Craft CMS installations globally, with a focus on financially motivated exploitation rather than geopolitical objectives. The threat is medium severity due to the impact on confidentiality and availability, ease of exploitation via RCE, and the scope of affected web servers. Organizations using Craft CMS should prioritize patching and monitoring for indicators of compromise.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/26/2026, 08:39:48 UTC

Technical Analysis

Between February and May 2025, the Mimo threat actor group was observed exploiting CVE-2024-46483, a Remote Code Execution vulnerability in Craft CMS, a popular content management system. The exploitation allows attackers to deploy webshells on vulnerable servers, enabling remote control and execution of arbitrary commands. The attack chain begins with the deployment of a webshell, followed by downloading an infection script that installs multiple malicious payloads. These payloads include a loader component, the XMRig cryptominer for unauthorized cryptocurrency mining, and residential proxyware from IPRoyal, which monetizes bandwidth by routing third-party traffic through compromised systems. The group uses distinctive identifiers such as '4l4md4r' and 'n1tr0' within their tools and infrastructure, which aids attribution. Social media analysis has identified two potential operators, 'EtxArny' and 'N1tr0', who appear financially motivated, although they have shown some interest in Middle Eastern affairs. The campaign leverages tactics including kernel module manipulation and execution of obfuscated code, which complicate detection. Detection opportunities include monitoring for anomalous processes running from temporary directories and for unexpected kernel module alterations. Despite the lack of a CVSS score, the threat is significant because of the ease of exploitation, the potential for persistent control, and the financial impact of cryptomining and proxyware deployment. No public exploit has been reported yet, but active exploitation is confirmed. The campaign highlights the importance of securing Craft CMS installations and monitoring for post-exploitation activity.

Potential Impact

This threat can have widespread impact on organizations using Craft CMS, particularly those with internet-facing web servers. Successful exploitation results in unauthorized remote code execution, leading to full system compromise. Attackers can deploy cryptominers, which degrade system performance and increase operational costs through higher power consumption. The use of residential proxyware can implicate compromised systems in illicit activities, potentially damaging organizational reputation and exposing them to legal risks. Persistent webshells enable ongoing unauthorized access, increasing the risk of data theft, further malware deployment, or lateral movement within networks. The financial motivation behind the campaign suggests a high likelihood of continued exploitation, potentially affecting a broad range of sectors including media, e-commerce, and government websites that rely on Craft CMS. The manipulation of kernel modules and obfuscated payloads complicates detection and remediation, increasing the risk of prolonged compromise. Overall, the threat undermines confidentiality, integrity, and availability of affected systems, with medium severity given the current scope and exploitation complexity.

Mitigation Recommendations

Organizations should immediately verify whether their Craft CMS installations are vulnerable to CVE-2024-46483 and apply any available patches or updates from the vendor. Where patching is not yet possible, implement virtual patching via a web application firewall (WAF) to block exploitation attempts targeting the RCE vulnerability. Conduct thorough endpoint and server monitoring focused on unusual process execution, especially processes running from temporary directories, and watch for unexpected kernel module loads or changes. Deploy network monitoring to detect outbound connections consistent with cryptomining pools or proxyware traffic, such as connections to known XMRig or IPRoyal infrastructure. Implement strict access controls and multi-factor authentication for CMS administrative interfaces to reduce the risk of initial compromise. Regularly audit web server file systems for unauthorized webshells or suspicious scripts. Hunt for related artifacts using the identifiers '4l4md4r' and 'n1tr0'. Educate security teams on the TTPs used by Mimo, including obfuscation and kernel module manipulation, to improve incident response readiness. Finally, isolate and remediate infected systems promptly to prevent lateral movement and further damage.
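The following script is an added example, not part of the original report or of any tool the campaign uses. It turns three of the detection recommendations above into checks a defender can run over collected data: processes executing from temporary directories or carrying the campaign's string identifiers, outbound connections matching the IP and domains in this page's IoC tables, and kernel modules that were not present in a known-good baseline. The process list, connection log and module lists are constructed sample data in formats assumed for this example (a real deployment would feed it `ps` output, firewall or flow logs, and the module names from /proc/modules); the set of temporary directories and the module name `suspicious_placeholder_mod` are likewise assumptions, not values from the page.

```python
import re

# Indicators taken from the IoC tables on this page
IOC_DOMAINS = {"n1tr0.online", "windows.n1tro.cyou"}
IOC_IPS = {"85.106.113.168"}
IOC_STRINGS = ("4l4md4r", "n1tr0")

# Directories a web server should not normally execute binaries from (assumption)
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def executable_in_temp(path):
    """True if an executable path sits under one of the temporary directories."""
    return any(path.startswith(d) for d in TEMP_DIRS)


def hunt_processes(ps_lines):
    """Flag processes whose executable lives in a temp directory or whose
    command line carries one of the campaign's string identifiers.
    Each line is 'pid user exe_path args...' (constructed format)."""
    findings = []
    for line in ps_lines:
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue
        pid, exe = int(parts[0]), parts[2]
        if executable_in_temp(exe):
            findings.append((pid, "exec-from-temp", exe))
        lowered = line.lower()
        for marker in IOC_STRINGS:
            if marker in lowered:
                findings.append((pid, "ioc-string", marker))
    return findings


def hunt_connections(log_lines):
    """Match outbound connection records against the page's IP and domain IoCs.
    Constructed format: 'src:port -> dst_ip:port [resolved_domain]'."""
    hits = []
    for line in log_lines:
        m = re.search(r"->\s*([\d.]+):(\d+)(?:\s+\[([^\]]+)\])?", line)
        if not m:
            continue
        ip, port, domain = m.group(1), int(m.group(2)), m.group(3)
        if ip in IOC_IPS:
            hits.append(("ioc-ip", ip, port))
        if domain and domain.lower() in IOC_DOMAINS:
            hits.append(("ioc-domain", domain.lower(), port))
    return hits


def new_kernel_modules(baseline, current):
    """Module names loaded now that were absent from a saved known-good
    baseline; order of the current list is preserved for reporting."""
    known = set(baseline)
    return [name for name in current if name not in known]


# Constructed sample data (not observed telemetry)
SAMPLE_PS = [
    "1 root /usr/sbin/nginx -g daemon off;",
    "2301 www-data /usr/bin/php-fpm8.2 pool www",
    "4412 www-data /tmp/.x/4l4md4r --config /tmp/.x/c.json",
    "4450 www-data /var/tmp/xmrig --config /var/tmp/c.json",
]
SAMPLE_CONN = [
    "10.0.0.5:51322 -> 203.0.113.10:443 [example.com]",
    "10.0.0.5:51390 -> 85.106.113.168:443",
    "10.0.0.5:51402 -> 198.51.100.7:80 [windows.n1tro.cyou]",
]
BASELINE_MODULES = ["ext4", "xfs", "nf_conntrack", "overlay"]
CURRENT_MODULES = ["ext4", "xfs", "nf_conntrack", "overlay", "suspicious_placeholder_mod"]


def run_hunt():
    """Run all three checks over the sample data and return the combined report."""
    return {
        "processes": hunt_processes(SAMPLE_PS),
        "connections": hunt_connections(SAMPLE_CONN),
        "new_modules": new_kernel_modules(BASELINE_MODULES, CURRENT_MODULES),
    }


if __name__ == "__main__":
    for category, items in run_hunt().items():
        print(category)
        for item in items:
            print("  ", item)
```

The module check only works if the baseline was captured before compromise, so it should come from a golden image or configuration management, not from the suspect host. The string-identifier match is deliberately broad (it searches the whole command line), which fits a hunt where false positives are cheap to triage but misses are not.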

Technical Details

Author
AlienVault
TLP
white
References
https://blog.sekoia.io/the-sharp-taste-of-mimolette-analyzing-mimos-latest-campaign-targeting-craft-cms
Adversary
Mimo
Pulse Id
68360c3f4169ef29b7c93f6f
Threat Score
null

Indicators of Compromise

CVE

CVE-2024-46483
CVE-2025-32432

Hash (MD5)

03471b7a82e2001714b355aaab10c532
e11365871cc409651fb216d2f5253a6c

Hash (SHA-1)

2b76bc5457143d069676587401cad105bfbd53f3
f7f2ef6f65d301e78a1cc855c22dd9395ed5e507

Hash (SHA-256)

1aa4d88a38f5a27a60cfc6d6995f065da074ee340789ed00ddc29abc29ea671e
2e46816450ad1b4baa85e2a279031f37608657be93e1095238e2b6c36bbb3fd5
3a71680ffb4264e07da4aaca16a3f8831b9a30d444215268e82b2125a98b94aa
7868cb82440632cc4fd7a451a351c137a39e1495c84172a17894daf1d108ee9a
fc04f1ef05847607bce3b0ac3710c80c5ae238dcc7fd842cd15e252c18dd7a62

IP

85.106.113.168

Domain

n1tr0.online
windows.n1tro.cyou

Threat ID: 68360ed7182aa0cae2207281

Added to database: 5/27/2025, 7:13:27 PM

Last enriched: 2/26/2026, 8:39:48 AM

Last updated: 3/24/2026, 4:59:43 AM
