Saturday, December 13, 2025

New Cyberattack – Mimo Exploits Magento CMS to Steal Card Data and Hijack Bandwidth for Profit

A sophisticated cybercriminal group known as Mimo (also referred to as “Mimo’lette” or “Hezb”) has rapidly escalated its operations, targeting Magento e-commerce websites in a new wave of attacks aimed at both financial data theft and illicit profit through system hijacking.

Platform Expansion: Craft to Magento

Previously recognized for targeting the Craft CMS platform, Mimo has broadened its focus to the significantly larger ecosystem of Magento, a widely used platform for online retail.

Security researchers at Datadog have revealed that Mimo exploits a PHP-FPM vulnerability that has not yet been identified, with initial access often gained via a Magento plugin.

This marks a clear evolution in Mimo’s capabilities, as the attackers demonstrate proficiency in multiple exploit chains beyond their original tactics.

Once inside the system, Mimo deploys a chain of sophisticated persistence mechanisms, leveraging the legitimate pentesting tool GSocket to maintain covert control.

GSocket enables attackers to bypass firewalls and NAT, use end-to-end encryption, and even route traffic through Tor for enhanced anonymity.

Advanced Evasion and Monetization Tactics

Mimo employs an array of techniques to evade detection, including the use of Linux process masquerading and innovative memory-based execution methods.

By invoking the memfd_create() syscall, the malware runs its components entirely in memory, leaving no on-disk artifacts and evading many conventional security tools.

To further obfuscate their presence, malicious payloads are disguised with process names like [kswapd0], mimicking legitimate or kernel-level tasks.

Once established, the group executes a “profit stacking” strategy:

  • Cryptojacking: Systems are forcibly conscripted to mine Monero cryptocurrency using a customized, stealthy XMRig variant that drains server CPU resources.
  • Proxyjacking: Mimo silently installs the IPRoyal Pawns client, registering compromised systems as residential proxies. This enables them to resell victims’ bandwidth for additional illicit gains, all while hiding in plain sight.

Additional tooling, such as the alamdar.so LD_PRELOAD rootkit, "cleans" process and file listings to hide evidence of the compromise from administrators and forensic review.

Widespread Impact and Mitigation

Further complicating detection and eradication, Mimo also scans for Docker instances, spreading its payloads with self-propagating Go-based malware modules capable of SSH brute forcing and lateral movement.

Frequently rotated command-and-control servers and robust persistence ensure attackers retain access for lengthy periods.

Security experts urge immediate action:

  • Update all Magento/Craft CMS instances
  • Scan for unauthorized cron jobs, suspicious binaries, and entries in /etc/ld.so.preload
  • Block known malicious infrastructure and mining pool ports
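
The three host-side checks in the list above, together with the memfd_create() fileless execution and the [kswapd0] process masquerading described earlier, can be scripted. The following POSIX shell script is an added example and is not part of this article or of Datadog's research. It assumes a Linux /proc layout, takes an optional root path so it can be run against a mounted disk image or a constructed test tree, and every file path it mentions in comments is a made-up sample, not an indicator from the campaign.

```shell
#!/bin/sh
# Added example (not from the article or Datadog): defender-side checks for
# artefacts named in the article. Each function takes an optional ROOT prefix
# (default: the live host) and prints one finding per line.

# Non-comment entries of /etc/ld.so.preload. On a clean host the file usually
# does not exist, so any entry at all deserves review (LD_PRELOAD rootkits
# such as the one the article describes persist here).
check_ld_preload() {
    root="${1:-}"
    f="$root/etc/ld.so.preload"
    [ -f "$f" ] || return 0
    grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' || true
    return 0
}

# "PID exe" for processes whose executable is an anonymous memfd, i.e. the
# /proc/PID/exe link points at /memfd:... (memfd_create()-based execution).
find_memfd_procs() {
    root="${1:-}"
    for d in "$root"/proc/[0-9]*; do
        [ -d "$d" ] || continue
        exe=$(readlink "$d/exe" 2>/dev/null) || continue
        case "$exe" in
            /memfd:*) echo "${d##*/} $exe" ;;
        esac
    done
    return 0
}

# "PID cmdline" for user-space processes whose argv is wrapped in brackets
# like a kernel thread (e.g. "[kswapd0]") yet have a real executable.
# Genuine kernel threads have an empty cmdline and an unreadable exe link,
# so they never match.
find_fake_kernel_threads() {
    root="${1:-}"
    for d in "$root"/proc/[0-9]*; do
        [ -d "$d" ] || continue
        [ -r "$d/cmdline" ] || continue
        cmd=$(tr '\000' ' ' < "$d/cmdline" | sed 's/ *$//')
        case "$cmd" in
            \[*) readlink "$d/exe" >/dev/null 2>&1 && echo "${d##*/} $cmd" ;;
        esac
    done
    return 0
}

# Every active line in the system and per-user crontabs, prefixed with the
# file it came from, for manual review of unauthorized jobs.
list_cron_entries() {
    root="${1:-}"
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/*; do
        [ -f "$f" ] || continue
        grep -v '^[[:space:]]*#' "$f" | grep -v '^[[:space:]]*$' \
            | sed "s|^|$f: |" || true
    done
    return 0
}

# Run all checks against the live host: sh mimo_checks.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "== /etc/ld.so.preload entries =="; check_ld_preload
    echo "== memfd-backed processes =="; find_memfd_procs
    echo "== user-space processes posing as kernel threads =="; find_fake_kernel_threads
    echo "== cron entries =="; list_cron_entries
fi
```

The checks are deliberately read-only and file-based so they work on a forensic image mounted under a prefix as well as on a running host; an LD_PRELOAD rootkit that filters ps and ls output cannot hide from a reviewer reading /proc on a different system, which is why the image-based mode matters.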

Indicators of compromise and further technical details are available via Datadog Security Labs. This campaign marks one of 2025's most potent threats to e-commerce operations and customer data worldwide.

Indicators of Compromise (IoCs)

Network Indicators

IoC                          Details
109.205.213[.]203[:]21       Initial C2 (May 26, 2025)
193.32.162[.]10[:]21         Secondary C2 (May 28–30, 2025)
15.188.246[.]198[:]80        Payload hosting server (June 3, 2025)
g.gsocket[.]ninja            GSocket C2
d.gsocket[.]ninja            Additional GSocket infrastructure
