The threat actor behind the exploitation of vulnerable Craft Content Management System (CMS) instances has shifted its tactics to target Magento CMS and misconfigured Docker instances.
The activity has been attributed to a threat actor tracked as Mimo (aka Hezb), which has a long history of leveraging N-day security flaws in various web applications to deploy cryptocurrency miners.
“Although Mimo’s primary motivation remains financial, through cryptocurrency mining and bandwidth monetization, the sophistication of their recent operations suggests potential preparation for more lucrative criminal activities,” Datadog Security Labs said in a report published this week.
Mimo’s exploitation of CVE-2025-32432, a critical security flaw in Craft CMS, for cryptojacking and proxyjacking was documented by Sekoia in May 2025.
Newly observed attack chains associated with the threat actor involve the abuse of undetermined PHP-FPM vulnerabilities in Magento e-commerce installations to obtain initial access, and then using it to drop GSocket, a legitimate open-source penetration testing tool, to establish persistent access to the host by means of a reverse shell.
“The initial access vector is PHP-FPM command injection via a Magento CMS plugin, indicating that Mimo possesses multiple exploit capabilities beyond previously observed adversarial tradecraft,” researchers Ryan Simon, Greg Foss, and Matt Muir said.
In an attempt to sidestep detection, the GSocket binary masquerades as a legitimate or kernel-managed thread so that it blends in with other processes that may be running on the system.
Another notable technique employed by the attackers is the use of in-memory payloads using memfd_create() so as to launch an ELF binary loader called “4l4md4r” without leaving any trace on disk. The loader is then responsible for deploying the IPRoyal proxyware and the XMRig miner on the compromised machine but not before modifying the “/etc/ld.so.preload” file to inject a rootkit to conceal the presence of these artifacts.
The distribution of a miner and proxyware underscores a two-pronged approach adopted by Mimo to maximize financial gain. The distinct revenue generation streams ensure that compromised machines’ CPU resources are hijacked to mine cryptocurrency, while the victims’ unused internet bandwidth is monetized for illicit residential proxy services.
“Furthermore, the use of proxyware, which typically consumes minimal CPU, enables stealthy operation that prevents detection of the additional monetization even if the crypto miner’s resource usage is throttled,” the researchers said. “This multi-layered monetization also enhances resilience: even if the crypto miner is detected and removed, the proxy component may remain unnoticed, ensuring continued revenue for the threat actor.”
Datadog said it also observed the threat actors abusing misconfigured Docker instances that are publicly accessible to spawn a new container, within which a malicious command is executed to fetch an additional payload from an external server and execute it.
Written in Go, the modular malware comes fitted with capabilities to achieve persistence, conduct file system I/O operations, terminate processes, perform in-memory execution. It also serves as a dropper for GSocket and IPRoyal, and attempts to propagate to other systems via SSH brute-force attacks.
“This demonstrates the threat actor’s willingness to compromise a diverse range of services – not just CMS providers – to achieve their objectives,” Datadog said.
