Pierre Le Bourhis
@plebourhis.bsky.social
Lead cybercrime analyst, reverse engineer at Sekoia.io.

Personal blog: https://blog.krakz.fr
Reposted by Pierre Le Bourhis
Sekoia has identified Mimo, a threat actor that exploits a recently patched Craft CMS zero-day to deploy its own loader, cryptominers, and residential proxyware on hacked websites

The operators appear to be based in the Middle East

blog.sekoia.io/the-sharp-ta...
The Sharp Taste of Mimo'lette: Analyzing Mimo’s Latest Campaign targeting Craft CMS
Analysis of the CVE-2025-32432 compromise chain by Mimo: exploitation, loader, crypto miner, proxyware, and detection opportunities.
blog.sekoia.io
May 27, 2025 at 4:32 PM
Reposted by Pierre Le Bourhis
#ClearFake variant is now spreading #Rhadamanthys Stealer via #Emmenhtal Loader.

cc @plebourhis.bsky.social @sekoia.io

1. ClearFake framework is injected on compromised WordPress and relies on EtherHiding

2. The #ClickFix lure uses a fake Cloudflare Turnstile with unusual web traffic

⬇️
March 6, 2025 at 10:50 AM
Reposted by Pierre Le Bourhis
This #macOS backdoor uses /usr/bin/SetFile to hide itself in the Finder. SetFile was deprecated in Xcode 6 (that's 2014 to humans)...not sure why it makes sense to declare smth 'deprecated' then leave it in the OS for 10+ years. 🤷‍♂️ #apple #malware
SHA1: 609088c54b99432aab212f35cfe74030b52f0320
January 20, 2025 at 3:53 PM
Reposted by Pierre Le Bourhis
Proud to share an insightful article on ransomware-driven data exfiltration techniques, written by my colleagues at Sekoia.io! 👏🔐
November 28, 2024 at 8:14 AM