The threat actor known as Mimo (or Mimo’lette) has expanded its intrusion operations from Craft CMS to the Magento ecommerce platform, Docker environments, and cloud instances. Mimo exploits PHP-FPM vulnerabilities in Magento to gain initial access, establishes persistence usi... Between February and May 2025, the intrusion set known as Mimo exploited CVE-2025-32432, a critical unauthenticated RCE in Craft CMS, to deploy a multi-stage infection chain observed via honeypots. The attack began by injecting a PHP webshell through a crafted GET request, fol... On 2024-01-18, a campaign was reported, involving Mimo operator, gaining initial access via 1-day vulnerability, targeting VMware Horizon, Confluence Server, WSO2, Apache ActiveMQ, PaperCut to achieve Resource hijacking, RansomOp. The following tools were observed: Mimo, NHAS reverse_ssh, XMRig, Mimus, Peer2Profit.