Beyond Mimo’lette: Tracking Mimo's Expansion to Magento CMS and Docker
ID: 5451e592-3fbd-5b90-8d33-d3711bdfb180
STIX ID: report--5451e592-3fbd-5b90-8d33-d3711bdfb180
Feed Name: Datadog Security Labs
Datadog Security Research attributes a multi-day intrusion campaign to the financially motivated Mimo (Mimo'lette) actor that has expanded from Craft CMS to Magento and exposed Docker Engine API instances. The actor exploits PHP-FPM command injection in a Magento plugin and uses a Go-based loader that deploys a GSocket-backed reverse shell, memfd_create in-memory execution, and an alamdar LD_PRELOAD rootkit to evade detection and persist via cron, systemd, and legacy init methods; victims are monetized through UPX-packed XMRig Monero mining and IPRoyal proxyware. The report includes detailed IoCs (IPs, domains, file hashes), behavioral indicators, disassembly analysis, and recommended mitigations such as auditing /etc/ld.so.preload, blocking C2 infrastructure, and reviewing cron and SSH artifacts.
