The threat actor known as Mimo, also referred to as Hezb, has expanded its targeting scope from Craft CMS to now include Magento content management systems and unsecured Docker environments. While Mimo remains financially motivated through cryptomining and bandwidth resale, recent activity points to a higher level of operational sophistication and the potential for more advanced criminal operations.
Earlier, Mimo exploited a critical Craft CMS flaw tracked as CVE-2025-32432 to carry out cryptojacking and proxyware installation, according to reports from Sekoia. The group now abuses vulnerabilities in PHP-FPM within Magento plugins to gain initial access. Once inside, Mimo deploys GSocket, a legitimate pentesting tool, to maintain unauthorized access through reverse shell communication. To avoid system-level detection, the binary disguises itself as a normal process.
The attackers execute payloads directly in memory using the memfd_create system call, leaving no trace on the file system. This allows them to load a custom ELF binary loader named “4l4md4r”. This loader installs XMRig for mining and IPRoyal proxyware, but only after modifying the “/etc/ld.so.preload” file to inject a rootkit that conceals its presence.
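Two of the techniques above leave host-level artifacts a defender can look for: an executable backed by an anonymous memfd (visible through the /proc/&lt;pid&gt;/exe symlink) and an /etc/ld.so.preload file that a clean host usually does not have at all. The following script is an added example written for this article, not tooling from the article, Sekoia or Datadog; the sample preload file and process list are constructed, the library and memfd names in them are illustrative, and the function names are the author's own.

```python
"""Host checks for two Mimo techniques: fileless (memfd-backed) executables
and /etc/ld.so.preload tampering. Added example, not the article's own code."""
import os
from pathlib import Path

LD_PRELOAD_FILE = "/etc/ld.so.preload"

# Constructed sample of a tampered preload file; library names are illustrative.
SAMPLE_PRELOAD = "/usr/local/lib/libprocesshider.so\n# comment\n/usr/lib/libfakeroot.so\n"

# Constructed sample of (pid, readlink('/proc/<pid>/exe')) pairs.
SAMPLE_PROC = [
    (1, "/usr/lib/systemd/systemd"),
    (4242, "/memfd:payload (deleted)"),  # executed straight from an anonymous memfd
    (4300, "/usr/bin/bash"),
    (5100, "/tmp/x (deleted)"),          # binary unlinked from disk after launch
]


def parse_ld_preload(text):
    """Return the library paths listed in an ld.so.preload file. The dynamic
    loader reads it as a whitespace-separated list; '#' comments are stripped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        entries.extend(line.split())
    return entries


def preload_findings(entries, allowlist=()):
    """Every entry not explicitly allowed is a finding: most hosts have no
    ld.so.preload at all, so any entry deserves a look."""
    return [e for e in entries if e not in allowlist]


def suspicious_exe_targets(proc_entries):
    """Flag processes whose executable lives in an anonymous memfd or has been
    deleted from disk; both match in-memory execution via memfd_create."""
    return [(pid, t) for pid, t in proc_entries
            if t.startswith("/memfd:") or t.endswith("(deleted)")]


def read_proc_exe_links(proc_root="/proc"):
    """Collect (pid, exe target) pairs from procfs; unreadable entries are skipped."""
    pairs = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            pairs.append((int(entry.name), os.readlink(entry / "exe")))
        except OSError:  # kernel thread, exited process, or no permission
            continue
    return pairs


def scan_host():
    """Run both checks on the live host (root is needed to read every exe link)."""
    try:
        preload = parse_ld_preload(Path(LD_PRELOAD_FILE).read_text())
    except FileNotFoundError:
        preload = []
    return {"ld_preload": preload_findings(preload),
            "fileless_exe": suspicious_exe_targets(read_proc_exe_links())}


if __name__ == "__main__":
    for check, hits in scan_host().items():
        print(f"{check}: {hits if hits else 'clean'}")
```

One caveat matters when interpreting the output: a preload rootkit hooks libc in every dynamically linked process, including this scanner, so on a host that is already compromised the /proc listing and even the read of /etc/ld.so.preload may be filtered. Treat a clean result from the live host as weaker evidence than the same check run from a statically linked binary, a rescue boot, or a disk image.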
By combining CPU resource hijacking with passive bandwidth monetization, Mimo ensures both profitability and stealth. Even if the miner is discovered and removed, the proxyware often remains operational, as it uses minimal system resources and avoids suspicion.
Datadog researchers also observed Mimo compromising publicly exposed Docker setups. These environments are used to run containers that download and execute additional malicious payloads. Built using the Go language, these implants provide persistence, in-memory execution, file manipulation, process termination, and lateral movement via brute-force attacks over SSH. They also serve as delivery mechanisms for GSocket and IPRoyal, showing Mimo’s growing reach beyond traditional CMS exploitation.
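The Docker activity above depends on a daemon API that is reachable from outside the host without client authentication. The check below, an added example that is not from the article or Datadog, parses a Docker daemon.json and reports any tcp:// listener bound to a non-loopback address while TLS client verification is off; the weak and hardened configuration samples are constructed, and the certificate paths in the hardened one are placeholders.

```python
"""Flag a Docker daemon.json that exposes the API off-host without TLS client
verification. Added example, not the article's or Docker's own code."""
import json
from urllib.parse import urlsplit

# Constructed sample of the weak setting: plaintext API on every interface.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed sample of the corrected form: remote access only with mutual TLS.
# Certificate paths are placeholders.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def exposed_listeners(daemon_json_text):
    """Return the tcp:// hosts that bind a non-loopback address while
    tlsverify is not enabled. An empty bind address means all interfaces."""
    cfg = json.loads(daemon_json_text)
    if cfg.get("tlsverify") is True:
        return []
    findings = []
    for h in cfg.get("hosts", []):
        if not h.startswith("tcp://"):
            continue
        bind = urlsplit(h).hostname or ""  # hostname strips [] from IPv6 literals
        if bind not in LOOPBACK:
            findings.append(h)
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, exposed_listeners(text) or "no exposed listener")
```

daemon.json is not the only place a listener can be configured: a `-H` flag on the dockerd command line (typically in the systemd unit) sets hosts as well, so pair this file check with a look at the running daemon's arguments and at what is actually listening on the host.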