The threat actor known as Mimo (or Mimo’lette) has expanded its intrusion operations from Craft CMS to the Magento ecommerce platform, Docker environments, and cloud instances. Mimo exploits PHP-FPM vulnerabilities in Magento to gain initial access, establishes persistence using GSocket reverse shells, and employs advanced memory-based evasion techniques such as memfd_create() for in-memory payload execution. Additionally, Mimo enhances stealth with a rootkit (alamdar.so) injected via /etc/ld.so.preload, obfuscating processes and files. Mimo monetizes infections via cryptojacking with XMRig on the C3Pool Monero pool and proxyjacking by deploying the IPRoyal Pawns client (hezb.x86_64) to sell victims' bandwidth.
Beyond CMS platforms, Mimo targets misconfigured Docker APIs to deploy malicious containers that initiate infection chains. The malware demonstrates self-propagation capabilities, scanning local networks and SSH configurations to spread to related hosts, including targeting AWS EC2 instances.
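Two of the host-level artifacts described above can be checked directly from /proc and /etc: a shared object listed in /etc/ld.so.preload, and a process whose main executable is an anonymous memfd (in-memory execution). The following detection script is an added example written for this summary, not code from the report or from the actor; the function names, the sample data and the installation path shown for alamdar.so are constructed assumptions, since the write-up names only the file.

```python
import os

LD_PRELOAD_PATH = "/etc/ld.so.preload"


def preload_entries(preload_text: str) -> list[str]:
    """Return the shared objects listed in ld.so.preload text.

    glibc strips '#' comments and splits the rest on whitespace. On a healthy
    host the file usually does not exist, so any entry deserves review; one
    outside the standard library directories (e.g. alamdar.so) is a strong signal.
    """
    entries = []
    for line in preload_text.splitlines():
        entries.extend(line.split("#", 1)[0].split())
    return entries


def memfd_processes(exe_links: dict[int, str]) -> list[int]:
    """Given pid -> readlink('/proc/<pid>/exe'), return pids whose executable is
    an anonymous memfd. The kernel renders such links as '/memfd:<name> (deleted)'."""
    return sorted(pid for pid, target in exe_links.items() if target.startswith("/memfd:"))


def collect_exe_links() -> dict[int, str]:
    """Live collector: resolve /proc/<pid>/exe for every process this user may inspect."""
    links = {}
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                links[int(name)] = os.readlink(f"/proc/{name}/exe")
            except OSError:  # process exited or permission denied (run as root for full view)
                continue
    return links


def read_preload() -> str:
    """Return the contents of /etc/ld.so.preload, or '' if it does not exist."""
    try:
        with open(LD_PRELOAD_PATH) as fh:
            return fh.read()
    except FileNotFoundError:
        return ""


# Constructed sample data standing in for a compromised host (not from the report).
SAMPLE_PRELOAD = "# rootkit entry\n/usr/local/lib/alamdar.so\n"
SAMPLE_EXE_LINKS = {1: "/usr/lib/systemd/systemd", 4242: "/memfd:kthreadd (deleted)", 700: "/usr/sbin/php-fpm8.2"}

if __name__ == "__main__":
    print("preload:", preload_entries(read_preload()))
    print("memfd-backed pids:", memfd_processes(collect_exe_links()))
```

Run as root on a Linux host to inspect every process; a hit in either list should be triaged together with the cryptominer and proxy-client indicators named above.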