
Mimo Malware: How to Keep Your Craft CMS Safe from PHP-FPM Exploits
The Mimo cybercriminal group has been actively targeting Craft CMS installations, exploiting flaws in the application to run code inside the site's PHP-FPM workers and turning compromised servers into cryptomining operations and proxyware networks. This financially motivated group leverages critical vulnerabilities like CVE-2025-32432 to gain unauthorized access and deploy persistent malware that is difficult to detect and remove with ordinary tools.
If you're running Craft CMS, you need to understand how these attacks work and implement proper defenses immediately. Our team has worked with several clients who've been impacted by these attacks, and the recovery process is far more complex than standard malware cleanup.
Understanding the Mimo Threat
Mimo represents a new generation of threat actors who've moved beyond simple website defacement to running profitable criminal operations from compromised servers. Their attacks specifically target Craft CMS installations because of the platform's popularity and the value of the servers typically hosting these sites.
The group's business model revolves around three primary revenue streams: cryptocurrency mining through XMRig, bandwidth reselling via IPRoyal proxyware, and occasionally ransomware deployment. What makes Mimo particularly dangerous is their sophisticated persistence mechanisms and ability to hide their activities from standard monitoring tools.
How the Attack Chain Works
The Mimo attack follows a carefully orchestrated sequence that begins with exploiting CVE-2025-32432, an unauthenticated Remote Code Execution vulnerability affecting multiple Craft CMS versions. The attackers send crafted requests to the asset transform action (/index.php?p=actions/assets/generate-transform), abusing its __class parameter to instantiate arbitrary PHP objects; they use that primitive to drop a PHP webshell into the web root and then send it commands to execute.
Once initial access is established, the webshell downloads and executes a remote shell script called 4l4md4r.sh. This script deploys a Go-based loader that implements advanced persistence techniques, including LD_PRELOAD hijacking to hide malicious processes from system monitoring tools.
The sophistication of this attack becomes apparent when you examine the process-hiding capabilities. The malware installs a shared object file (alamdar.so) and registers it in /etc/ld.so.preload, so it is loaded into every dynamically linked program and can intercept libc functions such as readdir(), effectively making the malicious processes and files invisible to standard tools like ps, top and ls. It does not hook system calls in the kernel: anything that reads /proc without going through the hooked library functions, such as a statically linked binary, still sees the real picture.
Critical Vulnerabilities You Must Patch
CVE-2025-32432 affects a wide range of Craft CMS versions and allows unauthenticated attackers to execute arbitrary code through crafted requests. The vulnerability impacts:
- Craft CMS 3.0.0-RC1 through 3.9.14
- Craft CMS 4.0.0-RC1 through 4.14.14
- Craft CMS 5.0.0-RC1 through 5.6.16
These versions have been patched in releases 3.9.15, 4.14.15, and 5.6.17 respectively. Two related identifiers matter as well: CVE-2024-58136 is the flaw in the underlying Yii framework that CVE-2025-32432 builds on, and CVE-2024-56145 is a separate, earlier Craft CMS remote code execution issue that depends on a PHP configuration setting rather than on a code bug alone.
CVE-2024-56145 hinges on the register_argc_argv PHP setting. When it is On, PHP populates $_SERVER['argv'] from the request query string even for web requests, so a remote visitor can feed values into code that treats argv as trusted command-line input. Craft's bootstrap accepted path options from argv, which is how a crafted URL could point it at attacker-controlled files. A setting that looks harmless in isolation becomes a critical security risk when the application trusts it.
Step-by-Step Craft CMS Hardening
Update Everything Immediately
Start by updating Craft CMS to the latest patched version. This isn't optional – it's the most critical step in preventing these attacks. Update not just Craft CMS itself, but all plugins and dependencies. When working with clients, we typically schedule these updates during maintenance windows to ensure proper testing.
For Craft 3 and later, update through Composer (composer update craftcms/cms -w) or the control panel's updater rather than by downloading a release archive, then run the pending migrations (php craft up on Craft 3.7 and later) and follow the upgrade documentation carefully. Pay special attention to any plugin compatibility issues that might arise during the upgrade process.
Secure Your PHP Configuration
Your PHP configuration needs immediate attention, particularly the register_argc_argv setting. Edit the php.ini that PHP-FPM loads (for example /etc/php/8.2/fpm/php.ini on Debian and Ubuntu; the CLI SAPI has its own file, and fixing only that one leaves the web-facing setting unchanged) and make sure it contains:
register_argc_argv = Off
You should also disable dangerous PHP functions that aren't needed for Craft CMS operation. Test the list in staging first: Craft's HTTP client (Guzzle) uses cURL for the plugin store, update checks and webhooks, so disabling curl_exec and curl_multi_exec breaks those features, and some plugins or the queue runner may need proc_open. Remove whatever your site legitimately needs, and verify the effective values through the FPM SAPI (for instance php-fpm8.2 -i | grep disable_functions, or a temporary phpinfo() page you delete afterwards), not through the CLI:
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
Here's a bash script that sets register_argc_argv to Off in the PHP-FPM configuration. Note that php --ini reports the CLI SAPI's configuration files, not the ones PHP-FPM loads, so a script built on its output patches the wrong php.ini; this version targets the FPM directories directly (Debian/Ubuntu layout; adjust the paths and the service name for other distributions):
#!/bin/bash
# Sets register_argc_argv = Off for every installed PHP-FPM version.
# /etc/php/<ver>/fpm/php.ini is what the FPM workers read; `php --ini`
# would list /etc/php/<ver>/cli/ instead, which the web server never uses.
set -euo pipefail

for ini_file in /etc/php/*/fpm/php.ini; do
    [ -f "$ini_file" ] || continue
    if grep -qE '^[[:space:]]*;?[[:space:]]*register_argc_argv[[:space:]]*=' "$ini_file"; then
        # replaces the directive whether it was active or commented out
        sed -i -E 's/^[[:space:]]*;?[[:space:]]*register_argc_argv[[:space:]]*=.*/register_argc_argv = Off/' "$ini_file"
        echo "Updated register_argc_argv to Off in $ini_file."
    else
        echo "register_argc_argv = Off" >> "$ini_file"
        echo "Added register_argc_argv = Off to $ini_file."
    fi
    # a later conf.d drop-in overrides php.ini, so report any that re-enable it
    grep -lE '^[[:space:]]*register_argc_argv[[:space:]]*=[[:space:]]*(On|1|true)' \
        "${ini_file%/php.ini}/conf.d/"*.ini 2>/dev/null || true
done

# restart the FPM service for your PHP version, then verify via the FPM SAPI:
#   php-fpm8.2 -i | grep register_argc_argv
systemctl restart php8.2-fpm
Harden PHP-FPM Access
Configure PHP-FPM to use Unix sockets instead of TCP ports, which provides better security and performance. Update your web server configuration to use:
fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
Set appropriate permissions on the socket file:
chmod 660 /var/run/php/php8.2-fpm.sock
chown www-data:www-data /var/run/php/php8.2-fpm.sock
The socket is recreated on every restart, so make those permissions permanent in the pool configuration (listen.owner, listen.group and listen.mode in the pool file, typically www.conf) rather than relying on a one-off chmod.
If a pool still listens on TCP, bind it to 127.0.0.1 and ensure your firewall blocks external access to the port. A PHP-FPM port reachable from the network lets anyone who can speak FastCGI set SCRIPT_FILENAME themselves and execute PHP files on your server, no Craft vulnerability required.
Configure Web Server Security
Block direct access to sensitive files through your web server configuration. For Nginx, add these location blocks:
location ~ /\. {
    deny all;
}
location ~* \.(env|git|svn|log)$ {
    deny all;
}
location ~* composer\.(json|lock)$ {
    deny all;
}
Restrict PHP execution to only the public directory. Set root to Craft's web/ directory so that config/, storage/, vendor/ and .env sit above the document root and are never served, and replace /path/to/craft/web below with that same path:
location ~* \.php$ {
    # refuse scripts that do not exist instead of letting FPM resolve
    # /image.jpg/x.php-style paths
    try_files $uri =404;
    include fastcgi_params;
    fastcgi_pass unix:/var/run/php/php8.2-fpm.sock;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    if ($request_filename !~ "^/path/to/craft/web/.*\.php$") {
        return 403;
    }
}
This still executes any .php file that lands inside web/, so a webshell dropped there through CVE-2025-32432 remains reachable. Craft needs only index.php in the public directory; the strongest form is to pass only /index.php to PHP-FPM and return 404 for every other .php request.
Detection and Monitoring
Set up monitoring to detect Mimo-specific indicators. Look for POST requests to /index.php?p=actions/assets/generate-transform with payloads containing __class parameters; these are attempts to exploit CVE-2025-32432. Two caveats: the __class parameter travels in the POST body, which the web server's access log does not record, so you need a WAF or request-body logging in front of the site to see it; and the control panel itself calls this action when previewing assets, so correlate hits with a logged-in CP session and a control-panel referer before treating them as attacks. Unauthenticated requests to that action from unfamiliar clients, and any request naming the files below, are the strong signals.
Monitor your server for files or processes with these suspicious names:
- alamdar, 4l4md4r
- hezb
- XMRig processes
- IPRoyal software
File integrity monitoring tools like OSSEC or Tripwire can alert you to unauthorized changes. Set up monitoring for the /etc/ld.so.preload file: on a healthy host it does not exist, and any modification indicates LD_PRELOAD hijacking. Bear in mind that the preloaded library can also hide that file from tools that list directories, so have the monitor open it by path (or run the check from a statically linked binary) rather than trusting an ls listing.
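The three checks above (access-log scan for the generate-transform action and the file names, the /etc/ld.so.preload check, and a probe for processes hidden from readdir-based tools), as an added example that is not part of the original article or of any Mimo analysis tooling. The log lines, the log path and the PID range are constructed or assumed for illustration; the live checks assume a Linux host and normally need root.

```bash
#!/bin/bash
# Added example (not the article's own tooling): three checks for the Mimo
# indicators discussed above. Sample log lines are constructed; the live
# checks (ld.so.preload, /proc) assume a Linux host and normally need root.

# Indicator regex: the vulnerable action, the dropped file names and group alias,
# the __class parameter (only visible here if it appears in the query string),
# and the miner/proxyware names in case they show up in user-agent fields.
MIMO_PATTERN='actions/assets/generate-transform|4l4md4r|alamdar|hezb|__class|xmrig|iproyal'

# 1. Access-log scan. The control panel calls generate-transform legitimately,
#    so review hits against CP sessions and referers before calling them attacks.
scan_access_log() {
    grep -Ei "$MIMO_PATTERN" "$1" || true
}

count_hits() {
    scan_access_log "$1" | wc -l | tr -d ' '
}

# 2. /etc/ld.so.preload does not exist on a healthy host. A hook library can
#    hide the file from readdir()-based listings, so open it by name.
check_ld_preload() {
    local preload="${1:-/etc/ld.so.preload}"
    [ -s "$preload" ] || return 0
    echo "LD_PRELOAD entries found in $preload:"
    cat "$preload"
    return 1
}

# 3. ps/top enumerate /proc with readdir(), which alamdar.so-style hooks filter.
#    [ -d ] uses stat(), a different libc call; PIDs that stat() sees but the
#    listing does not are candidates for hidden processes. A hook that also wraps
#    stat() evades this, so a statically linked busybox or a rescue boot is the
#    authoritative check. PIDs spawned during the run show up as false positives.
find_hidden_pids() {
    local max="${1:-32768}" visible pid
    visible=" $(ls /proc | grep -E '^[0-9]+$' | tr '\n' ' ') "
    for pid in $(seq 1 "$max"); do
        [ -d "/proc/$pid" ] || continue
        case "$visible" in
            *" $pid "*) ;;
            *) echo "hidden pid $pid: $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)" ;;
        esac
    done
    return 0
}

# Constructed sample (combined log format): two attack lines, two benign ones.
write_sample_log() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.5 - - [10/Jul/2025:03:14:07 +0000] "POST /index.php?p=actions/assets/generate-transform HTTP/1.1" 200 512 "-" "python-requests/2.32"
198.51.100.9 - - [10/Jul/2025:03:14:09 +0000] "GET /4l4md4r.php?cmd=id HTTP/1.1" 200 88 "-" "curl/8.5.0"
192.0.2.20 - - [10/Jul/2025:03:15:00 +0000] "GET /blog/post-1 HTTP/1.1" 200 9211 "-" "Mozilla/5.0"
192.0.2.21 - - [10/Jul/2025:03:15:02 +0000] "GET /assets/images/hero.jpg HTTP/1.1" 200 40211 "-" "Mozilla/5.0"
EOF
    echo "$f"
}

# Demo against the constructed sample. On a real host run, for example:
#   scan_access_log /var/log/nginx/access.log; check_ld_preload; find_hidden_pids
sample=$(write_sample_log)
echo "suspicious access-log lines: $(count_hits "$sample")"
scan_access_log "$sample"
rm -f "$sample"
```

On the sample the scan reports two lines: the POST to the transform action and the call to the dropped 4l4md4r.php. Run the live checks as root, and if find_hidden_pids reports anything, repeat it from a statically linked tool before drawing conclusions.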
Recovery from Compromise
If you suspect your server has been compromised, take immediate action. First, take the site offline to prevent further damage and data theft. Based on our experience with compromised sites, you'll need to perform a complete cleanup rather than attempting to selectively remove malware.
Remove all malicious files and processes, but be aware that the LD_PRELOAD hijacking makes this challenging: the tools you would use to find them may be lying to you. The safest approach is to rebuild the host from a known-good image, redeploy the code from version control, and restore only the database and user uploads after reviewing them; a backup taken after the initial access date may already contain the webshell.
Generate new security keys for Craft CMS:
php craft setup/security-key
Force all users to reset their passwords:
php craft resave/users --set passwordResetRequired --to "fn() => true"
Rotate all environment variables, database credentials, and API keys, and do it on the rebuilt host: secrets rotated on a machine that still carries the preload library or a webshell are captured again immediately. Check for any backdoors or webshells that might have been installed in non-obvious locations, including dotfiles in the public directory, the writable storage/ tree, appended code in config/ files, and cron entries.
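A file-system sweep for the "non-obvious locations" point above, as an added example that is not part of the original article. It assumes the standard Craft layout (web/ as the only public directory with index.php as its sole entry point, plus storage/, templates/ and config/) and builds a throwaway sample install to demonstrate; on a real host run it from a rescue boot or after the preload library is gone, since a readdir() hook can hide files from find.

```bash
#!/bin/bash
# Added example (not the article's own tooling): hunt for dropped PHP files in
# a Craft project. Layout assumptions: web/ is the only public directory and
# holds a single entry point, index.php; storage/ and templates/ must never
# contain executable PHP; config/ holds PHP but only Craft's own files.
# The sample install built below is constructed for the demo.

# 1. Any PHP-executable file in the public or writable directories other than
#    web/index.php (dotfiles and .php7/.phtml/.phar variants included).
find_unexpected_php() {
    local root="$1"
    find "$root/web" "$root/storage" "$root/templates" -type f \
        \( -iname '*.php' -o -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \) \
        2>/dev/null | grep -vxF "$root/web/index.php" || true
}

# 2. Files of any extension (a .jpg with PHP inside, a backdoor appended to
#    config/general.php) that use the usual webshell primitives. vendor/ is
#    excluded on purpose: it legitimately contains these calls, so verify it
#    by running `composer install` from the lock file on a clean host instead.
find_webshell_primitives() {
    local root="$1" f
    find "$root/web" "$root/storage" "$root/templates" "$root/config" -type f 2>/dev/null |
    while IFS= read -r f; do
        grep -qE 'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|(system|passthru|shell_exec|proc_open|popen)[[:space:]]*\(' "$f" \
            && printf '%s\n' "$f"
    done
    return 0
}

# 3. Everything modified in the last N days, minus Craft's own churn, so the
#    list can be compared with the deployment history.
find_recent_changes() {
    local root="$1" days="${2:-7}"
    find "$root" -type f -mtime "-$days" \
        -not -path "$root/storage/runtime/*" -not -path "$root/storage/logs/*" \
        -not -path "$root/vendor/*" 2>/dev/null
    return 0
}

# Constructed sample: a clean entry point, a template, a config file, and two
# planted shells (a dotfile in the asset directory, a file in the runtime cache).
make_sample_install() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/web/cpresources" "$root/storage/runtime" "$root/templates" "$root/config"
    printf '<?php\nrequire dirname(__DIR__) . "/bootstrap.php";\n' > "$root/web/index.php"
    printf '<?php @eval($_POST["x"]);\n' > "$root/web/cpresources/.cache.php"
    printf '<?php system(base64_decode($_GET["c"]));\n' > "$root/storage/runtime/4l4md4r.php"
    printf '%s\n' '{% extends "_layout" %}' > "$root/templates/index.twig"
    printf '<?php return ["allowAdminChanges" => false];\n' > "$root/config/general.php"
    echo "$root"
}

# Demo on the sample; on a real host pass the project root, e.g. /var/www/craft.
root=$(make_sample_install)
echo "unexpected PHP files:"; find_unexpected_php "$root"
echo "files using webshell primitives:"; find_webshell_primitives "$root"
rm -rf "$root"
```

Both planted files are reported by both sweeps, while index.php, the template and config/general.php are not. The primitive scan is a triage aid, not a verdict: review each hit by hand, and treat anything it misses in a directory that should contain no PHP at all as just as suspicious.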
Common Mistakes and How to Avoid Them
Many organizations make the mistake of thinking they can manually remove Mimo malware without understanding its persistence mechanisms. The LD_PRELOAD hijacking means that standard tools won't show you the full picture of what's running on your system.
Another common error is failing to update all components of the stack. Updating Craft CMS alone isn't sufficient – you need to patch PHP, PHP-FPM, and the underlying operating system as well.
Don't assume that removing visible malware files means the system is clean. Mimo uses sophisticated hiding techniques that require specialized removal procedures.
Ongoing Security Practices
Implement a regular update schedule for all software components. Set up automated monitoring for security advisories from Craft CMS and your hosting platform. Our team recommends checking for updates weekly and applying critical security patches immediately.
Use environment variables for all sensitive configuration data. Never store credentials, API keys, or security tokens in version control or configuration files that might be accessible through web requests.
Set allowAdminChanges to false in production environments (in config/general.php) so that plugins cannot be installed and system settings or project config cannot be changed from the control panel. An attacker who obtains an admin session then cannot use the CP to install a plugin or alter settings, which removes one route to code execution and reduces the attack surface.
Consider implementing a Web Application Firewall (WAF) that can detect and block common attack patterns. Services like Cloudflare or AWS WAF can provide additional protection against exploitation attempts.
The Mimo threat demonstrates why professional security management is essential for production Craft CMS installations. These attacks are becoming increasingly sophisticated, and the recovery process requires deep technical expertise to ensure complete remediation.
Need help securing your Craft CMS installation against Mimo and other emerging threats? Our team specializes in Craft CMS security hardening and can help you implement comprehensive protection measures. Reach out to discuss your specific security requirements and get expert guidance on protecting your valuable web applications.
