- A threat group known as Mimo is targeting e-commerce systems and cloud services to install cryptocurrency miners and proxyware.
- The group recently shifted its attacks from Craft CMS to exploiting Magento CMS and unsecured Docker instances.
- Mimo uses advanced tactics, such as command injection vulnerabilities and memory-only Malware loaders, to avoid detection.
- Their methods enable two types of illegal revenue: mining cryptocurrency and selling access to compromised internet connections.
- The attacks show a wider strategy, with attempts to spread to other systems and use multiple ways to remain hidden and profitable.
Security researchers reported that the group known as Mimo has started exploiting Magento CMS and misconfigured Docker systems in 2025. Previously, this group targeted vulnerable instances of Craft CMS. The group’s main motive is financial gain through cryptojacking and proxyware deployment, according to a recent report by Datadog Security Labs.
Researchers found that Mimo exploits certain security flaws in Magento, especially weaknesses in the PHP-FPM system used by the content management platform. After gaining access, the attackers use a tool called GSocket to control the server through a reverse shell. By disguising GSocket as a normal system process, they aim to avoid detection by security tools.
The group also uses an in-memory method to load another tool, 4l4md4r, without leaving files on disk. This loader deploys both the XMRig cryptocurrency miner and IPRoyal proxyware on infected systems. Before doing so, the attackers modify a sensitive system configuration file to help hide their presence. The proxyware lets criminals profit by quietly selling victims’ unused internet bandwidth to outside buyers, while the XMRig miner takes over the computer’s processing power to generate cryptocurrency.
According to Datadog, “This multi-layered monetization also enhances resilience: even if the crypto miner is detected and removed, the proxy component may remain unnoticed, ensuring continued revenue for the threat actor.” Mimo also attacks misconfigured Docker installations exposed to the internet. By running new containers, the group loads additional malware that can spread to other machines through SSH brute-force attacks. The malware, written in Go, can persist on systems, perform file operations, and shut down competing processes.
The recent string of attacks highlights Mimo’s ability to adapt quickly and use multiple attack methods, not just on content management systems but also widely used cloud and server technologies. Security experts believe this signals a broader trend where cybercriminals seek to maximize profits by using combined attack strategies on various digital platforms.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Alphabet Beats Q2 Estimates, Raises AI Capex Forecast to $85B
- WisdomTree Reveals USDW Stablecoin Plans, Expands Crypto Offerings
- Dignitas Unveils ‘Digi’ AI Agent for Esports, Powered by Theta Network
- Bitcoin Treasury Firms Sink: Median Stock Down 52% From 2025 Highs
- Draper: Bitcoin’s Tech Pulls Crypto Innovation, Fiat Faces Extinction
