Threat Intelligence, 2025-07-24

Magento, Docker instances subjected to cryptominer, proxyware compromise


The threat actor Mimo, also tracked as Hezb, has launched intrusions against vulnerable Magento CMS and misconfigured Docker instances to deploy cryptomining and proxyware payloads, months after its initial targeting of Craft CMS systems, The Hacker News reports.

After gaining initial access by exploiting multiple, as-yet-unidentified flaws in Magento's PHP-FPM setup, Mimo deploys the open-source penetration testing tool GSocket to maintain persistence while evading detection, and then drops the IPRoyal proxyware and the XMRig cryptominer, according to a report from Datadog Security Labs researchers. The group has also abused improperly configured Docker instances to create a new container in which a command launches a GSocket and IPRoyal dropper and carries out SSH brute-force attacks. "Although Mimo's primary motivation remains financial, through cryptocurrency mining and bandwidth monetization, the sophistication of their recent operations suggests potential preparation for more lucrative criminal activities," said researchers.
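A defender reading this will want two quick checks: whether the payload families the article names (GSocket, IPRoyal, XMRig) are already running on a host, and whether the Docker daemon is exposed in the way that lets a remote party create containers. The script below is an added example, not code from the article or from Datadog's report. The process names (gs-netcat is GSocket's client binary) and the pool-URL pattern are assumptions about typical deployments, the `ps` output and `daemon.json` files are constructed samples, and the Docker check only covers the well-known weak setting of a plaintext TCP listener without `tlsverify`.

```python
"""Added example (not from the article or Datadog's report).

Two host-side checks for the activity the article describes:
  1. scan_processes(): flag processes whose command line matches the
     tooling named in the article (GSocket, IPRoyal, XMRig) or a mining
     pool URL. Names below are assumptions about typical deployments.
  2. docker_api_exposed(): flag a Docker daemon.json that listens on a
     plaintext TCP socket without TLS client verification, which is the
     misconfiguration that lets anyone on the network create containers.
"""
import json
import re

# Assumed indicator patterns (hypothetical; tune to your environment).
# gs-netcat is the GSocket client binary; stratum+tcp:// is the usual
# miner pool scheme XMRig is pointed at.
INDICATOR_PATTERNS = {
    "gsocket": re.compile(r"gs-netcat|gsocket", re.I),
    "iproyal": re.compile(r"iproyal", re.I),
    "xmrig": re.compile(r"xmrig", re.I),
    "miner_pool": re.compile(r"stratum\+tcp://", re.I),
}

# Constructed sample of `ps -eo pid,args` output; not real data.
SAMPLE_PS = """\
  PID COMMAND
    1 /sbin/init
  812 php-fpm: pool www
 2241 /tmp/.x/gs-netcat -s REDACTED -l -i
 2302 /tmp/.x/xmrig -o stratum+tcp://pool.example.invalid:3333 -u WALLET
 2310 /usr/sbin/sshd -D
"""


def scan_processes(ps_output):
    """Return [{pid, cmd, families}] for every process matching an indicator."""
    hits = []
    for line in ps_output.splitlines()[1:]:  # skip the header row
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue
        pid, cmd = int(parts[0]), parts[1]
        families = sorted(name for name, pat in INDICATOR_PATTERNS.items()
                          if pat.search(cmd))
        if families:
            hits.append({"pid": pid, "cmd": cmd, "families": families})
    return hits


# Constructed daemon.json files: the weak setting beside the corrected one.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})


def docker_api_exposed(daemon_json_text):
    """True if the daemon listens on tcp:// without requiring TLS client certs."""
    cfg = json.loads(daemon_json_text)
    tcp_listeners = [h for h in cfg.get("hosts", []) if h.startswith("tcp://")]
    return bool(tcp_listeners) and not cfg.get("tlsverify", False)


if __name__ == "__main__":
    for hit in scan_processes(SAMPLE_PS):
        print(f"pid {hit['pid']}: {hit['families']} :: {hit['cmd']}")
    print("weak daemon.json exposed:", docker_api_exposed(WEAK_DAEMON_JSON))
    print("hardened daemon.json exposed:", docker_api_exposed(HARDENED_DAEMON_JSON))
```

On a live host, feed `scan_processes` the output of `ps -eo pid,args` and `docker_api_exposed` the contents of `/etc/docker/daemon.json`; a daemon started with `-H tcp://...` on the command line would need the same check applied to its unit file, which this example does not cover.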

