Threat Actor ‘Mimo’ Expands Attack Surface to Target Magento and Docker for Cryptojacking and Proxyware

A threat actor known as Mimo (also referred to as Hezb) has expanded its cyberattack operations, moving beyond vulnerable Craft CMS instances to now exploit Magento e-commerce platforms and misconfigured Docker environments, according to a new report from Datadog Security Labs.

Previously known for leveraging existing vulnerabilities in web applications to deploy cryptocurrency miners, Mimo has now shifted tactics to also include proxyjacking—a method of monetizing compromised systems’ bandwidth. Researchers noted a significant evolution in the threat actor’s techniques, suggesting they may be preparing for more complex and potentially more profitable attacks. “Although Mimo’s primary motivation remains financial, through cryptocurrency mining and bandwidth monetization, the sophistication of their recent operations suggests potential preparation for more lucrative criminal activities,” the report stated.

Mimo was earlier linked to the exploitation of CVE-2025-32432, a critical flaw in Craft CMS, as detailed by Sekoia in May 2025. However, the latest wave of attacks involves PHP-FPM command injection vulnerabilities in Magento CMS plugins. This method is used to gain initial access and deploy GSocket, an open-source tool that provides persistent reverse shell access. “The initial access vector is PHP-FPM command injection via a Magento CMS plugin, indicating that Mimo possesses multiple exploit capabilities beyond previously observed adversarial tradecraft,” said researchers Ryan Simon, Greg Foss, and Matt Muir.

To avoid detection, the GSocket binary is disguised to resemble legitimate system processes. Mimo also uses in-memory payloads via memfd_create() to run a custom ELF binary loader, dubbed “4l4md4r”, which stealthily installs the IPRoyal proxyware and XMRig cryptocurrency miner. Before deployment, the attackers tamper with the /etc/ld.so.preload file to insert a rootkit, effectively hiding their tools.
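
The two host-level artifacts named above, an executable backed by an anonymous memfd_create() file and a populated /etc/ld.so.preload, are both visible from /proc and the filesystem. The following Python is an added example, not code from the report or from Datadog: it parses a constructed ld.so.preload sample and a constructed map of /proc/<pid>/exe link targets (the `/memfd:<name> (deleted)` form is how the kernel resolves such a link), and also includes a helper that collects the same data from a live Linux host. The sample paths and PIDs are made up for illustration.

```python
import os
import re
from typing import Dict, List

# Constructed sample of /etc/ld.so.preload contents (not from the report).
# On a clean host this file is normally absent or empty, so any entry deserves review.
SAMPLE_LD_PRELOAD = "# constructed example\n/usr/local/lib/libsystemd-fix.so\n\n"

# Constructed sample of readlink("/proc/<pid>/exe") results (not from the report).
# A binary executed from an anonymous memfd_create() file resolves to "/memfd:<name> (deleted)".
SAMPLE_EXE_LINKS: Dict[int, str] = {
    1: "/usr/lib/systemd/systemd",
    842: "/usr/sbin/sshd",
    4242: "/memfd:kworker/u8:1 (deleted)",
    4243: "/usr/bin/php-fpm8.2",
}

MEMFD_RE = re.compile(r"^/memfd:")


def preload_entries(content: str) -> List[str]:
    """Return the non-comment, non-blank library paths listed in ld.so.preload text."""
    entries = []
    for line in content.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(line)
    return entries


def memfd_processes(exe_links: Dict[int, str]) -> List[int]:
    """Return PIDs whose main executable is an anonymous memfd rather than a file on disk."""
    return sorted(pid for pid, target in exe_links.items() if MEMFD_RE.match(target))


def live_exe_links() -> Dict[int, str]:
    """Collect /proc/<pid>/exe link targets on the running host (Linux only)."""
    links: Dict[int, str] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            links[int(name)] = os.readlink(f"/proc/{name}/exe")
        except OSError:
            continue  # process exited, or we lack permission to read the link
    return links


def read_ld_preload(path: str = "/etc/ld.so.preload") -> str:
    """Read ld.so.preload, treating a missing file as empty."""
    try:
        with open(path) as f:
            return f.read()
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    print("ld.so.preload entries:", preload_entries(read_ld_preload()))
    print("memfd-backed PIDs:", memfd_processes(live_exe_links()))
```

One caveat when running the live helpers on a host where an ld.so.preload rootkit is suspected: that rootkit hooks libc calls such as readdir and fopen inside every dynamically linked process, including this interpreter, so its entries and PIDs may be filtered out. Collect the same data with a statically linked tool, or from the hypervisor or a mounted disk image, before trusting a negative result.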

This dual deployment strategy enables Mimo to profit from both CPU-intensive cryptomining and low-resource proxyware usage. “This multi-layered monetization also enhances resilience: even if the crypto miner is detected and removed, the proxy component may remain unnoticed, ensuring continued revenue for the threat actor,” the researchers explained.

Datadog also observed Mimo exploiting exposed Docker instances, spinning up containers to run malicious commands that download and execute additional payloads. The malware, written in Go, is modular and capable of maintaining persistence, performing file operations, dropping other tools, and spreading laterally through SSH brute-force attacks.
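
The SSH brute-force spreading described above leaves a dense burst of "Failed password" lines in the target's sshd log. The following Python is an added example, not code from the report or from Datadog: it parses a constructed auth.log excerpt (the hostnames, PIDs and RFC 5737 documentation addresses are made up) and flags any source address that accumulates a threshold of failures inside a sliding time window, which separates a password-spraying source from an operator who mistyped a password once.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed auth.log excerpt (not from the report); addresses are RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Jul 21 10:14:01 web01 sshd[2211]: Failed password for root from 198.51.100.23 port 51022 ssh2
Jul 21 10:14:02 web01 sshd[2213]: Failed password for root from 198.51.100.23 port 51024 ssh2
Jul 21 10:14:02 web01 sshd[2215]: Failed password for invalid user admin from 198.51.100.23 port 51026 ssh2
Jul 21 10:14:03 web01 sshd[2217]: Failed password for invalid user ubuntu from 198.51.100.23 port 51028 ssh2
Jul 21 10:14:04 web01 sshd[2219]: Failed password for root from 198.51.100.23 port 51030 ssh2
Jul 21 10:14:05 web01 sshd[2221]: Accepted publickey for deploy from 203.0.113.8 port 40110 ssh2
Jul 21 10:14:09 web01 sshd[2223]: Failed password for deploy from 203.0.113.8 port 40112 ssh2
Jul 21 10:20:30 web01 sshd[2230]: Failed password for root from 198.51.100.23 port 51100 ssh2
"""

# Matches the classic syslog-style sshd failure line, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(log_text: str, year: int = 2025) -> Dict[str, dict]:
    """Group failed-login timestamps and attempted usernames by source address.

    Syslog timestamps carry no year, so the caller supplies one (2025 is an assumption here).
    """
    per_ip: Dict[str, dict] = defaultdict(lambda: {"times": [], "users": set()})
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        per_ip[m["ip"]]["times"].append(ts)
        per_ip[m["ip"]]["users"].add(m["user"])
    return per_ip


def max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events that fall inside any single window of the given length."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while times[j] < t - window:  # drop events that fell out of the window ending at t
            j += 1
        best = max(best, i - j + 1)
    return best


def brute_force_sources(
    log_text: str,
    threshold: int = 5,
    window: timedelta = timedelta(seconds=60),
    year: int = 2025,
) -> Dict[str, dict]:
    """Return source addresses whose peak failure rate meets the threshold, with the usernames tried."""
    findings: Dict[str, dict] = {}
    for ip, data in parse_failures(log_text, year).items():
        peak = max_in_window(data["times"], window)
        if peak >= threshold:
            findings[ip] = {"max_in_window": peak, "users": sorted(data["users"])}
    return findings


if __name__ == "__main__":
    for ip, info in brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['max_in_window']} failures within 60s, users tried: {info['users']}")
```

The threshold and window are tuning knobs: a low threshold over a short window catches the fast, scripted guessing a worm performs between hosts it has already compromised, while the same logic over a longer window catches slower spraying. Because the source here is a neighbour that has already been taken over, a hit should prompt a look at that host's containers and Docker API exposure as well as at the target.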

“This demonstrates the threat actor’s willingness to compromise a diverse range of services – not just CMS providers – to achieve their objectives,” Datadog concluded.
