The Sharp Taste of Mimo’lette: Analyzing Mimo’s Latest Campaign Targeting Craft CMS
ID: fc4000ae-1da1-5810-8a6e-4171b981f226
STIX ID: report--fc4000ae-1da1-5810-8a6e-4171b981f226
Feed Name: Sekoia.io Blog
Date Published: 2025-05-27
Date Updated: 2026-04-29
Author: Jeremy Scion, Pierre Le Bourhis and Sekoia TDR
This report details active in-the-wild exploitation of CVE-2025-32432 against Craft CMS, leading to webshell installation and execution of an infection script that deploys a Go-based loader (4l4md4r/alamdar), the XMRig cryptominer, and IPRoyal residential proxyware. It attributes the activity to the Mimo/Hezb intrusion set, provides IoCs (hashes, URLs, wallet, email), and discusses detection opportunities and operator identifiers.
