Mimo, a threat actor, has transitioned from exploiting Craft CMS to targeting Magento CMS and misconfigured Docker instances. The group capitalizes on N-day security flaws to deploy cryptocurrency miners. Recent activities include exploiting CVE-2025-32432 in Craft CMS and abusing PHP-FPM vulnerabilities in Magento to gain access. Mimo's tactics now involve deploying GSocket for persistent access and using in-memory payloads to evade detection while deploying proxyware and miners on compromised machines.
Mimo exploits vulnerabilities in Magento CMS and Docker instances, using PHP-FPM command injection for initial access and employing advanced techniques for evasion and persistence.
Recent operations by Mimo suggest a transition to more sophisticated tactics, including the deployment of GSocket for maintaining access and using in-memory payloads to avoid detection.