Mimo, also known as Hezb, is a financially motivated intrusion set active since 2022 that has been observed exploiting N-day and, in at least one case, a recently disclosed vulnerability in internet-facing applications to deploy malware. Reported activity includes exploitation of CVE-2025-32432, a critical unauthenticated RCE in Craft CMS, between February and May 2025. In that campaign, Mimo used a multi-stage infection chain beginning with a crafted GET request to inject a PHP webshell, followed by a POST request exploiting a deserialization flaw to activate the webshell and execute commands. The webshell downloaded a shell script named 4l4md4r.sh, which deployed a Go-based loader that fetched and executed XMRig cryptominer and installed IPRoyal residential proxyware. The group also used LD_PRELOAD hijacking via a malicious shared object named alamdar.so to hide malware processes and files, and process-killing routines to remove competing miners. Reporting also states Mimo has built out a broader set of CMS vulnerabilities and targets to deploy malware, has been linked to cryptojacking activity, and has been observed exploiting Microsoft SharePoint flaws to deliver the Go-based 4L4MD4r ransomware. Recent reporting further states the group has diversified into Minus Ransomware. Known aliases include Hezb. Recurring identifiers associated with the actor include 4l4md4r and alamdar.
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
3 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
1 malware family attributed to this actor across reporting.
1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Observed exploiting CVE-2025-32432 to deploy a cryptocurrency miner and residential proxyware.
Cryptomining/proxyware-focused actor exploiting N-day flaws in web apps (Craft CMS historically; shifting to Magento) and misconfigured Docker to deploy miners and maintain access.
Referenced as a prior cryptojacking campaign associated with similar Linux in-memory execution tradecraft to avoid leaving artifacts on disk.
Observed expanding exploitation of CMS vulnerabilities and targeting to deploy their malware (noted in a Q2 2025 threat roundup).
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.