A financially motivated threat actor has targeted a high-severity vulnerability in Craft CMS, CVE-2025-32432, to deploy various payloads, such as a cryptocurrency miner and Mimo Loader. Disclosed in April 2025, this flaw was patched in newer versions of the CMS after its exploitation was observed earlier that year. Sekoia reported that attackers exploited this security defect to gain unauthorized access and establish persistent remote access through a web shell, which enables the downloading and execution of malware, including a unique script that cunningly references the FBI to obfuscate its intent.
"The shell script, for its part, first checks for indicators of prior infection, as well as uninstalls any version of a known cryptocurrency miner."
"This naming convention could serve as a useful indicator for detection, especially in threat hunting or retroactive analysis of suspicious Python activity."