A threat actor tracked as Mimo has shifted its focus from exploiting Craft CMS to targeting Magento CMS installations and misconfigured Docker instances, monetizing the access through cryptocurrency mining and proxyware. Its tactics include exploiting PHP-FPM vulnerabilities for initial access, running payloads in memory, and abusing Docker containers to maximize financial gain while evading detection. #Mimo #CraftCMS #Magento #Docker #cryptojacking
Key points
- Mimo exploits PHP-FPM vulnerabilities in Magento installations to gain initial access.
- The threat actor uses GSocket to establish persistent access through reverse shells.
- The malware runs its payloads in memory and uses a rootkit to hide its processes and activity from defenders.
- A cryptocurrency miner and proxyware (which resells the victim's bandwidth) run together so that revenue is maximized without alerting the victim.
- Misconfigured Docker instances, exposed to the network, are abused to deploy malicious containers and spread the malware further.
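Two of the points above leave host-level traces a responder can check for directly: executables that run from memory or from a file unlinked after start, and a Docker daemon that listens on plain TCP. The following is an added triage script, not tooling from the report or from the vendor research it summarizes; the daemon.json samples in it are constructed, and the tmpfs path list is a heuristic of my own rather than an indicator published about Mimo.

```python
"""Host triage for two Mimo-style traces: in-memory/unlinked executables
(seen through /proc/<pid>/exe) and a Docker daemon exposed over plain TCP.
Added example, not code from the original page or from the threat report.
"""
import json
import os
from typing import List, Optional, Tuple

# Heuristic (assumption, not a published indicator): legitimate daemons rarely
# execute from tmpfs or /tmp, while dropped miners and proxyware often do.
SUSPICIOUS_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/", "/run/shm/")

# Constructed samples: the weak setting beside the corrected one.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)


def classify_exe_target(target: str) -> Optional[str]:
    """Classify the readlink() target of /proc/<pid>/exe.

    Returns a short reason when the target looks like an in-memory or
    unlinked payload, otherwise None.
    """
    # memfd_create()-backed executables appear as "/memfd:<name> (deleted)".
    if target.startswith("/memfd:"):
        return "memfd-backed executable"
    # A binary deleted after exec keeps running from the page cache; the
    # kernel marks the link target with a " (deleted)" suffix.
    if target.endswith(" (deleted)"):
        return "executable unlinked after start"
    if target.startswith(SUSPICIOUS_DIRS):
        return "executable in world-writable tmpfs"
    return None


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, str, str, str]]:
    """Return (pid, comm, exe_target, reason) for every flagged process.

    Needs root to read other users' /proc/<pid>/exe; unreadable entries and
    kernel threads (which have no exe link) are skipped, not reported.
    """
    hits = []
    if not os.path.isdir(proc_root):
        return hits
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid_dir = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(pid_dir, "exe"))
            with open(os.path.join(pid_dir, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue
        reason = classify_exe_target(target)
        if reason:
            hits.append((int(entry), comm, target, reason))
    return hits


def docker_api_exposed(daemon_json: str) -> List[str]:
    """Return the plain-TCP listeners from a daemon.json "hosts" list.

    A tcp:// listener without tlsverify hands root-equivalent control of the
    host to anyone who can reach the port. "tls": true alone only encrypts;
    without "tlsverify": true the daemon still accepts any client, so only
    tlsverify counts as hardened here.
    """
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    if cfg.get("tlsverify") is True:
        return []
    return [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]


if __name__ == "__main__":
    for pid, comm, target, reason in scan_proc():
        print(f"pid={pid} comm={comm} exe={target!r}: {reason}")
    cfg_path = "/etc/docker/daemon.json"
    if os.path.exists(cfg_path):
        with open(cfg_path) as f:
            for host in docker_api_exposed(f.read()):
                print(f"docker daemon reachable without client auth on {host}")
```

Treat the process hits as leads rather than verdicts: a long-running service shows up as "(deleted)" after a package upgrade replaces its binary on disk, and memfd use is legitimate in a few sandboxed runtimes. The Docker check only reads daemon.json; a daemon started with `-H tcp://...` on the systemd unit's command line is just as exposed and will not appear there, so also check `ss -lntp` for port 2375/2376.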
Read More: https://thehackernews.com/2025/07/threat-actor-mimo-targets-magento-and.html