Mimo’s Malicious Maneuvers: Targeting Magento and Docker for Crypto Mining and Proxy Services


Threat Actor Mimo Exploits Magento and Docker to Deploy Cryptocurrency Miners and Proxyware

July 23, 2025 — By Ravie Lakshmanan

Cybersecurity researchers have uncovered a dangerous campaign orchestrated by the threat actor known as Mimo (also referred to as Hezb), who has recently shifted focus from exploiting Craft Content Management System (CMS) vulnerabilities to targeting Magento e-commerce platforms and misconfigured Docker instances. The objective behind these attacks is the deployment of cryptocurrency miners and proxyware, allowing the attackers to illicitly monetize compromised systems.

Background on Mimo’s Activities

Mimo has a notable history of exploiting publicly known vulnerabilities for which a patch already exists but has not been applied ("N-day" flaws) across a range of web applications to install cryptocurrency mining malware. Earlier this year, security firm Sekoia documented Mimo's exploitation of CVE-2025-32432, a critical vulnerability in Craft CMS, for cryptojacking and proxyjacking. This long-standing emphasis on financial gain highlights Mimo's interest in covertly leveraging victim systems' resources for profit.

New Attack Vectors and Techniques

Recent investigations by Datadog Security Labs reveal that Mimo has diversified its attack strategies to include attacks against Magento CMS through PHP-FPM vulnerabilities that have not yet been pinned down. After gaining initial access via these flaws, in particular through a Magento plugin vulnerable to command injection, the attackers deploy GSocket (Global Socket), an open-source tool that tunnels connections through NAT and firewalls over a relay network. GSocket is abused to maintain persistent reverse-shell access to infected hosts.

Notably, the attackers rename the GSocket process so that it resembles a kernel-managed thread in process listings, which lets it blend in with legitimate kernel workers unless an administrator or security tool checks whether the process actually has an executable image behind it.

Additionally, Mimo's operators execute payloads in memory using the Linux memfd_create() system call, which creates an anonymous file that exists only in RAM. This lets them launch an ELF binary loader known as 4l4md4r without writing it to disk, reducing forensic traces. The loader subsequently installs IPRoyal proxyware alongside the XMRig cryptocurrency miner. Crucially, the malware also modifies "/etc/ld.so.preload", the file the dynamic linker consults for libraries to load into every dynamically linked process, to inject a rootkit that conceals the presence of these components.

Two-Pronged Monetization Approach

The simultaneous deployment of both cryptocurrency miners and proxyware reflects Mimo’s dual strategy to maximize illicit revenue:

  • Cryptocurrency Mining: Hijacking the CPU power of victim machines to generate digital currency.
  • Proxyware Deployment: Exploiting unused internet bandwidth by turning compromised devices into residential proxies that can be rented out covertly.

The proxyware component typically consumes minimal CPU resources, making it difficult to detect, even if the more resource-intensive mining is noticed and removed. As a result, this layered monetization ensures persistent income streams for Mimo despite partial remediation efforts by victims.

Docker Instance Exploitation

Datadog also observed Mimo abusing publicly accessible, misconfigured Docker instances. The threat actor spawns new malicious containers in which further payloads are downloaded and executed. The malware, written in Go, is modular and supports file system operations, process termination, in-memory execution, and persistence mechanisms. It also acts as a dropper for the GSocket and IPRoyal payloads and attempts to spread laterally through SSH brute-force attacks.

This expansion beyond CMS platforms to Docker environments underscores Mimo’s willingness to compromise diverse infrastructure components to achieve its ends.
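The exposure that makes the Docker attacks above possible is a daemon API reachable over plain TCP with no client authentication. The following added example (not code from the Datadog report or from the malware) performs two offline checks for that condition: it parses /proc/net/tcp for listeners on the conventional Docker API ports that are bound to a non-loopback address, and it audits a daemon.json document for a TCP host without TLS client verification. The /proc/net/tcp sample and both daemon.json documents are constructed for illustration.

```python
"""Offline checks for an exposed Docker daemon API (added example).

The /proc/net/tcp sample and the daemon.json documents below are constructed;
real hosts would read /proc/net/tcp and /etc/docker/daemon.json instead.
"""
import json
import socket
import struct

# Conventional Docker API ports: 2375 is the unauthenticated plaintext port,
# 2376 is the TLS port. Both are only safe when tlsverify is enforced.
DOCKER_PORTS = {2375: "plaintext Docker API", 2376: "TLS Docker API"}
TCP_LISTEN = "0A"  # socket state column value for LISTEN in /proc/net/tcp


def _decode_addr(hexaddr):
    """'0100007F:0947' -> ('127.0.0.1', 2375).

    /proc/net/tcp prints the IPv4 address as a host-order 32-bit hex integer,
    so the bytes are reversed on little-endian hosts (assumed here)."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def exposed_docker_listeners(proc_net_tcp_text):
    """LISTEN sockets on a Docker API port bound to a non-loopback address."""
    hits = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        ip, port = _decode_addr(fields[1])  # fields[1] is local_address
        if port in DOCKER_PORTS and not ip.startswith("127."):
            hits.append((ip, port, DOCKER_PORTS[port]))
    return hits


def audit_daemon_json(text):
    """Findings for a daemon.json: any tcp:// host must have tlsverify plus
    a complete CA/cert/key triple, otherwise whoever can reach the port can
    create containers and thereby run code on the host."""
    cfg = json.loads(text)
    findings = []
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        if not cfg.get("tlsverify"):
            findings.append(f"{host}: TCP listener without tlsverify; "
                            "anyone reaching the port controls the daemon")
        elif not all(cfg.get(k) for k in ("tlscacert", "tlscert", "tlskey")):
            findings.append(f"{host}: tlsverify set but CA/cert/key incomplete")
    return findings


# Constructed weak configuration: API on all interfaces, no TLS at all.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed hardened configuration: TLS port with mandatory client certs.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# Constructed /proc/net/tcp: 127.0.0.1:2375 (fine), 0.0.0.0:2375 (exposed),
# 0.0.0.0:22 (not Docker), and one established connection on 2375 (not LISTEN).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0947 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0 100 0 0 10 0
   1: 00000000:0947 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0 100 0 0 10 0
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0 100 0 0 10 0
   3: 00000000:0947 0A00020F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0 100 0 0 10 0
"""

if __name__ == "__main__":
    print("exposed listeners:", exposed_docker_listeners(SAMPLE_PROC_NET_TCP))
    print("weak config:", audit_daemon_json(WEAK_DAEMON_JSON))
    print("hardened config:", audit_daemon_json(HARDENED_DAEMON_JSON))
```

One caveat when applying the hardened configuration on a systemd-managed host: if the unit file already passes `-H` to dockerd, a `hosts` key in daemon.json conflicts with it and the daemon refuses to start, so put the listener definition in one place only. Binding the API to a private interface, or not exposing it over TCP at all, is preferable to relying on TLS alone.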

Security Recommendations

Organizations using Magento CMS or deploying Docker should:

  • Promptly apply security patches to Magento itself and to every installed extension, and remove extensions that are no longer maintained.
  • Audit public-facing Docker hosts: the daemon API should not listen on TCP without TLS client authentication, and ideally should not be reachable from the internet at all.
  • Monitor systems for unusual process activity, particularly processes named like kernel threads that nevertheless have an executable image behind them.
  • Hunt for in-memory execution: processes whose /proc/<pid>/exe points at a memfd rather than a file on disk, and unexpected entries in /etc/ld.so.preload.
  • Use network monitoring to identify proxyware and mining-pool traffic patterns.
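The three host-side indicators discussed in this article (a GSocket process named like a kernel thread, a loader executed from a memfd_create() file, and an ld.so.preload rootkit) can be checked with nothing more than /proc and a file read. The following is an added example, not code from Datadog or from the malware; it takes the /proc root and the preload path as parameters so it can be exercised against the constructed /proc tree built by build_constructed_proc_tree(), which is invented for illustration.

```python
"""Host triage for the indicators described in this article (added example).

Every path is a parameter so the checks can run against a constructed /proc
tree; build_constructed_proc_tree() fabricates one for offline use.
"""
import os
import re
import tempfile

# Userland malware can set its comm to look like a kernel worker. Genuine
# kernel threads have no executable image, so readlink(/proc/<pid>/exe)
# fails for them; a name match WITH a resolvable exe is a fake.
KTHREAD_NAME = re.compile(
    r"^\[?(kworker|kthreadd|ksoftirqd|migration|rcu_|kswapd|khugepaged|kcompactd|watchdog)")

# Where legitimate ld.so.preload entries normally live.
LIB_PREFIXES = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")


def _pids(proc_root):
    return sorted(int(n) for n in os.listdir(proc_root) if n.isdigit())


def _exe(proc_root, pid):
    """Target of /proc/<pid>/exe, or None when the process has no image."""
    try:
        return os.readlink(os.path.join(proc_root, str(pid), "exe"))
    except OSError:
        return None


def _comm(proc_root, pid):
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as f:
            return f.read().strip()
    except OSError:
        return ""


def find_memfd_processes(proc_root="/proc"):
    """Processes executed from an anonymous memfd_create() file: the kernel
    renders their exe link as '/memfd:<name> (deleted)' because the image
    was never written to a filesystem path."""
    hits = []
    for pid in _pids(proc_root):
        exe = _exe(proc_root, pid)
        if exe is not None and exe.startswith("/memfd:"):
            hits.append((pid, exe))
    return hits


def find_fake_kernel_threads(proc_root="/proc"):
    """Processes named like kernel threads that nevertheless have an exe."""
    hits = []
    for pid in _pids(proc_root):
        comm = _comm(proc_root, pid)
        exe = _exe(proc_root, pid)
        if KTHREAD_NAME.match(comm) and exe is not None:
            hits.append((pid, comm, exe))
    return hits


def audit_ld_preload_lines(lines):
    """Flag preload entries outside the system library directories or missing
    on disk. A library listed here is loaded into every dynamically linked
    process, so a hooked readdir() or similar hides files and processes from
    ps and ls, which is how a preload rootkit conceals a miner."""
    findings = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if not entry.startswith(LIB_PREFIXES):
            findings.append((entry, "outside system library directories"))
        elif not os.path.exists(entry):
            findings.append((entry, "listed but missing on disk"))
    return findings


def audit_ld_preload(path="/etc/ld.so.preload"):
    if not os.path.exists(path):  # absent on a clean host
        return []
    with open(path) as f:
        return audit_ld_preload_lines(f.readlines())


def build_constructed_proc_tree():
    """Constructed stand-in for /proc: pid -> (comm, exe target or None)."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    sample = {
        2: ("kthreadd", None),                       # real kernel thread
        1000: ("bash", "/usr/bin/bash"),             # ordinary process
        4242: ("kworker/u8:2", "/memfd:a (deleted)"),  # fake kthread, fileless
        4300: ("xmrig", "/memfd:x (deleted)"),       # fileless miner
    }
    for pid, (comm, exe) in sample.items():
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "comm"), "w") as f:
            f.write(comm + "\n")
        if exe is not None:
            os.symlink(exe, os.path.join(d, "exe"))  # dangling link is fine
    return root


if __name__ == "__main__":
    root = build_constructed_proc_tree()
    print("memfd processes:", find_memfd_processes(root))
    print("fake kernel threads:", find_fake_kernel_threads(root))
    print("ld.so.preload:", audit_ld_preload_lines(["/dev/shm/.x/libhide.so\n"]))
```

On a real host run this as root, since /proc/<pid>/exe of another user's process is not readable otherwise, and run it from a statically linked binary or a rescue environment if a preload rootkit is suspected, because the rootkit is loaded into the very tools (ps, ls, a dynamically linked Python) used to look for it.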

By implementing robust security hygiene and regular vulnerability assessments, enterprise defenders can mitigate the risks posed by sophisticated actors like Mimo.

Conclusion

Mimo’s evolving tactics emphasize the increasing complexity and stealth of cybercriminal operations focused on cryptocurrency mining and bandwidth exploitation. Their exploitation of Magento vulnerabilities and misconfigured Docker environments represents a significant threat to online businesses and cloud infrastructure. Continued vigilance and prompt remediation are critical to guarding against these financially motivated cyberattacks.


For ongoing updates on cybersecurity threats and insights, follow The Hacker News on Google News, Twitter, and LinkedIn.
