Who Is Mimo and What’s the Motive?
Mimo, also known as Hezb, is a financially motivated threat actor long associated with cryptocurrency mining and proxyware abuse. While previously focused on exploiting Craft CMS, Mimo has now shifted attention to Magento CMS and misconfigured Docker instances.
Security researchers at Datadog have reported that Mimo’s new tactics suggest more than just casual cryptojacking. In fact, the sophistication of recent campaigns hints at preparations for larger-scale or more lucrative attacks.
How the Magento Attacks Work
Mimo’s latest activity involves exploiting PHP-FPM vulnerabilities in Magento plugins to gain initial access. These flaws enable remote command injection, allowing the attacker to drop GSocket, a reverse shell tool often used in penetration testing.
After establishing persistent access, Mimo disguises the GSocket binary as a kernel-level thread to avoid raising alarms. This stealthy behavior allows them to maintain long-term control of the compromised system.
Memory-Based Payloads and Rootkit Injection
In addition to GSocket, the attackers employ in-memory payload execution. They use the memfd_create() system call to run an ELF binary loader named 4l4md4r—a technique that avoids writing files to disk.
The loader’s job is to install two key monetization tools:
- IPRoyal Proxyware – to hijack bandwidth
- XMRig Miner – to hijack CPU for cryptocurrency mining
Before this happens, Mimo modifies the Linux /etc/ld.so.preload file to insert a rootkit, which helps hide both the miner and the proxyware from system monitoring tools.
Why Both Crypto Mining and Proxyware?
Mimo’s approach involves dual monetization:
- XMRig drains the victim’s CPU power for mining cryptocurrency
- IPRoyal proxyware hijacks the victim’s internet bandwidth and sells it through residential proxy networks
Even if the crypto miner is discovered and removed, the proxyware remains hidden, continuing to generate income with minimal system impact. This strategy increases the attacker’s profitability and resilience.
Docker Attacks: Expanding the Attack Surface
Datadog also observed Mimo abusing unsecured Docker instances that are exposed online. The attackers launch malicious containers that download and run payloads from remote servers.
The downloaded malware, written in Go, is modular and powerful. It enables the attacker to:
- Achieve persistence
- Perform in-memory execution
- Copy, delete, or modify files
- Kill running processes
- Attempt to spread via SSH brute-force attacks
It also acts as a dropper for both GSocket and IPRoyal, effectively replicating the attack chain seen in the Magento exploit—but inside Docker.
What This Means for Cyber Defenders
This shift in tactics highlights Mimo’s expanding capabilities. They’re no longer focused on just one platform. By targeting e-commerce systems like Magento and DevOps environments like Docker, Mimo shows a growing willingness to diversify attack surfaces to increase profits.
The attacker’s use of rootkits, memory-only loaders, and stealth persistence makes detection especially challenging. These methods also demonstrate how legitimate tools like GSocket can be weaponized in real-world attacks.
How to Protect Against These Attacks
Organizations should take the following steps to reduce risk:
- Patch CMS platforms like Magento and monitor for plugin vulnerabilities
- Regularly audit and secure Docker instances, especially those exposed to the internet
- Deploy endpoint detection tools that identify in-memory execution and privilege escalation
- Monitor for signs of resource hijacking, such as unusual CPU or bandwidth spikes
- Use tools that can detect rootkit-level modifications, such as changes to /etc/ld.so.preload
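As an added example (not from Datadog's report or this article), the following script implements three of the host-side checks the list above calls for: entries in /etc/ld.so.preload, executables loaded from memfd_create() (the `/memfd:` link target), and user processes whose name mimics a kernel thread. The sample process table and preload contents are constructed, and the paths and names in them are illustrative, not real indicators.

```python
"""Host checks for the tradecraft above: ld.so.preload tampering, memfd-backed
executables and user processes posing as kernel threads (added example)."""
import os
import re
# Constructed sample data (not real indicators); on a live host use collect_procs().
SAMPLE_PRELOAD = "# constructed\n/usr/lib/libsample_rootkit.so\n"
SAMPLE_PROCS = [  # (pid, ppid, readlink(/proc/<pid>/exe) or '', display name)
    (1, 0, "/usr/lib/systemd/systemd", "/sbin/init"),
    (2, 0, "", "[kthreadd]"),
    (57, 2, "", "[kworker/0:1]"),                           # genuine kernel thread
    (4242, 1, "/memfd:4l4md4r (deleted)", "4l4md4r"),       # fileless loader
    (4300, 1, "/usr/local/bin/gs-netcat", "[kworker/u8:3]"),  # disguised binary
]
KTHREAD_NAME = re.compile(r"^\[(kworker|kthreadd|ksoftirqd|migration|rcu_)\S*\]$")

def preload_entries(preload_text):
    """Libraries listed in ld.so.preload; the file is normally absent or empty,
    so any entry deserves review (this is where the rootkit is inserted)."""
    return [ln.strip() for ln in preload_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]
def suspicious_processes(procs):
    """Flag exe links under /memfd: (loaded via memfd_create) and kernel-thread
    names backed by a real file or parented by anything but kthreadd (pid 2)."""
    hits = []
    for pid, ppid, exe, name in procs:
        if exe.startswith("/memfd:"):
            hits.append((pid, "memfd-backed executable", exe))
        if KTHREAD_NAME.match(name) and (exe or ppid not in (0, 2)):
            hits.append((pid, "fake kernel thread", name))
    return hits
def collect_procs(proc_root="/proc"):
    """Build the process list from a live /proc (run as root to read every exe)."""
    procs = []
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, entry)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
        except OSError:
            exe = ""  # kernel threads have no exe; EACCES also lands here
        try:
            with open(os.path.join(base, "stat")) as f:
                stat = f.read()
            with open(os.path.join(base, "cmdline"), "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
        except OSError:
            continue  # process exited mid-scan
        comm = stat[stat.index("(") + 1:stat.rindex(")")]   # comm may hold spaces
        ppid = int(stat[stat.rindex(")") + 2:].split()[1])  # field after state
        procs.append((int(entry), ppid, exe, argv0 or f"[{comm}]"))
    return procs
```

On a real host, pair `suspicious_processes(collect_procs())` with the contents of /etc/ld.so.preload; a preload rootkit can hide its own entry from userland reads, so compare against a read from a rescue environment or a known-good baseline when results look too clean.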
Advanced threats like Mimo’s campaigns require a layered security approach, combining vulnerability management, behavioral analytics, and threat hunting.
Sleep well, we got you covered.