Datadog threat roundup: Top insights for Q2 2025
As a leading provider in observability and cloud security, Datadog has unique insight into threat actor behavior that targets cloud infrastructure and the software supply chain. This report summarizes notable threats and insights identified by our Security Research teams throughout the second quarter (Q2) of 2025.
Observations from the cloud threat landscape
Our threat research and detection engineering efforts throughout Q2 revealed several significant patterns in the cloud threat landscape, with some notable shifts from previous quarters.
Supply-chain attacks remain prevalent
In May, we discovered three malicious VS Code extensions targeting Solidity developers on Windows: solaibot, among-eth, and blankebesxstnion. Based on shared infrastructure and obfuscation characteristics that we observed, we attribute all three extensions to a single threat actor, which we track as MUT-9332.
This threat actor was also responsible for a recently reported campaign to distribute a Monero cryptominer via backdoored VS Code extensions. The extensions masquerade as legitimate tools, embedding malicious functionality within genuine features, and utilize command and control (C2) domains that closely resemble legitimate Solidity-related resources. The extensions initiate complex, multi-stage infection chains that involve obfuscated payloads, including one hidden within an image file hosted on the Internet Archive. The attack deploys a malicious browser extension and a portable executable (PE) to establish persistence and exfiltrate victim data and credentials.
We continue to observe threat actors actively exploiting the software supply chain across ecosystems, with particularly heightened activity noted in the NPM ecosystem. Early in Q2, we discovered that the NPM package postcss-minify-theme@7.0.6 contained obfuscated malware designed to steal information. Our analysis did not uncover any code that executes immediately at the time of package installation. This absence of direct activation suggests that the package might be part of a broader dependency-based campaign, likely aiming for stealthy downstream compromise.
Our open source supply-chain security tool, GuardDog, recently identified another malicious NPM package, grayavatar@1.0.2. This package utilizes multi-stage, nested script invocation to execute an obfuscated payload, ultimately deploying information stealer malware.
Although MUT-6149 was first profiled in our Q1 2025 roundup, we are highlighting the actor again here because its activity never slowed during Q2. Our tracking of the actor shows a steady stream of fresh NPM typosquats (e.g., crypter-validater, cors-tool) coupled with the same post-install backdoor technique that appends threat actor-controlled public keys to ~/.ssh/authorized_keys, enabling silent SSH re-entry:
// Excerpt from the MUT-6149 post-install script; getCrosId() and publicKey are defined elsewhere in the package.
const os = require('os');
const path = require('path');
const ipAddress = await getCrosId();
const fullPublicKey = `${publicKey}`;                              // threat actor-controlled public key
const sshDir = path.join(os.homedir(), '.ssh');                    // victim's ~/.ssh
const authorizedKeysPath = path.join(sshDir, 'authorized_keys');   // file the key is appended to
While we do not yet have enough artifacts to publish a full intrusion set, the persistence of this campaign warrants interim public visibility. We continue to monitor MUT-6149 closely and will release a dedicated report with indicators and tradecraft details in the upcoming months.
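The install-hook backdoor above is detectable before the package ever runs, because npm only executes code at install time through a handful of lifecycle scripts declared in package.json. The following scanner is an added example written for this roundup, not Datadog's code and not GuardDog; it reads an unpacked package's package.json, follows each install hook to the script file it invokes, and flags source that references ~/.ssh, authorized_keys, or a file append. The indicator list, the package name cors-tool-sample, and the setup.js contents are constructed for the example.

```python
"""Added example: flag npm packages whose install-time lifecycle scripts touch
SSH authorized_keys (the MUT-6149 pattern). Not Datadog's or GuardDog's code."""
import json
import re
import tempfile
from pathlib import Path

# Lifecycle hooks that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Source patterns that, inside an install hook, warrant review. The list is an
# assumption made for this example; real scanners use far richer rule sets.
SUSPICIOUS_PATTERNS = {
    "authorized_keys": re.compile(r"authorized_keys"),
    "ssh_dir": re.compile(r"['\"]\.ssh['\"]"),
    "homedir": re.compile(r"os\.homedir\(\)"),
    "file_write": re.compile(r"appendFileSync|writeFileSync|createWriteStream"),
}


def referenced_script_files(command: str, pkg_dir: Path) -> list[Path]:
    """Return the script files a hook command runs, e.g. `node setup.js`."""
    found = []
    for token in command.split():
        if token.endswith((".js", ".cjs", ".mjs")):
            candidate = pkg_dir / token
            if candidate.is_file():
                found.append(candidate)
    return found


def scan_package(pkg_dir: Path) -> list[dict]:
    """Scan one unpacked package; return one finding per install hook that matches."""
    manifest = json.loads((pkg_dir / "package.json").read_text())
    findings = []
    for hook in INSTALL_HOOKS:
        command = manifest.get("scripts", {}).get(hook)
        if not command:
            continue
        # Inspect the inline command plus every script file it references.
        sources = [command] + [p.read_text() for p in referenced_script_files(command, pkg_dir)]
        hits = sorted(name for name, pat in SUSPICIOUS_PATTERNS.items()
                      if any(pat.search(src) for src in sources))
        if hits:
            findings.append({"package": manifest.get("name"), "hook": hook,
                             "command": command, "indicators": hits})
    return findings


def build_sample_package(root: Path) -> Path:
    """Constructed sample that mimics the reported behaviour; not a real package."""
    pkg = root / "node_modules" / "cors-tool-sample"
    pkg.mkdir(parents=True)
    (pkg / "package.json").write_text(json.dumps({
        "name": "cors-tool-sample", "version": "1.0.0",
        "scripts": {"postinstall": "node setup.js"},
    }))
    (pkg / "setup.js").write_text(
        "const fs = require('fs'), os = require('os'), path = require('path');\n"
        "const key = 'ssh-ed25519 AAAA...placeholder attacker@example';\n"
        "const target = path.join(os.homedir(), '.ssh', 'authorized_keys');\n"
        "fs.appendFileSync(target, '\\n' + key + '\\n');\n"
    )
    return pkg


def demo() -> list[dict]:
    """Build the sample package in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_package(build_sample_package(Path(tmp)))


if __name__ == "__main__":
    for f in demo():
        print(f"{f['package']}: {f['hook']} runs `{f['command']}` "
              f"-> indicators: {', '.join(f['indicators'])}")
```

Run scan_package over every directory under node_modules after `npm install --ignore-scripts`, which fetches the packages without executing their hooks, so the scan happens before any install-time code can run. A hit is a review trigger, not proof of compromise; legitimate native-module packages also write files at install time, which is why the scanner reports which indicators matched rather than a verdict.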
Cloud persistence techniques continue to evolve
We frequently observed threat actors employing novel tradecraft to compromise and maintain stealthy access across cloud infrastructure, containers, and hosts. This activity indicates an improved understanding of the cloud management plane, coupled with a degree of ingenuity.
“Persistence-as-a-service” highlights a fundamental shift from traditional credential-based persistence to architected resilience that survives standard incident response procedures, including credential revocation and access key rotation. Furthermore, workload compromises revealed advanced usage of rootkits and point-to-point tunneling to hide malware and allow proxied network traffic to flow through compromised assets without detection.
Threat actors keep targeting container infrastructure
In Q2, we also saw continued opportunistic targeting of containerized infrastructure. Threat actors like Mimo maintained their focus on content management system (CMS) platforms and misconfigured Docker deployments. The return of established threats like Skidmap, combined with new campaigns targeting WordPress installations, demonstrates that threat actors continue to exploit fundamental security misconfigurations across both traditional and cloud-native infrastructure. Mimo also expanded its targeting from Craft CMS to Magento while implementing new tradecraft to remain hidden and persist through multiple avenues.
Attack surfaces expand across platforms
Threat actors increasingly demonstrate comfort operating across diverse technical environments, including traditional CMS platforms, container orchestration systems, and serverless cloud functions. This platform-agnostic approach suggests that threat actors are investing in broad technical capabilities rather than specializing in single attack vectors. As a result, defenders must maintain comprehensive security coverage across all infrastructure types.
Notable threat findings
Mimo targets Magento CMS and Docker

In Q2, we observed a significant evolution in the tactics of the Mimo threat actor, previously known for targeting Craft CMS. In a recent compromise of an ecommerce platform, Mimo exploited a PHP-FPM command injection vulnerability in Magento CMS, marking a notable expansion in its targeting. The intrusion showcased new layers of sophistication in Linux attack techniques, such as establishing persistence through GSocket-based reverse shells, masquerading under kernel-like process names, and executing additional payloads in memory. These behaviors indicate a maturing threat actor with operational security awareness and a focus on financial gain through cryptomining and proxyjacking.
Mimo uses multiple stealth and persistence techniques to maintain access and evade detection. These techniques include installing the alamdar.so rootkit via /etc/ld.so.preload to hide processes and files, obfuscating cron jobs with Base64 payloads, and using process names like [kswapd0] or [rcu_sched] to blend with legitimate system threads. Notably, Mimo employs the memfd_create() syscall to execute payloads entirely in memory. This approach, combined with abuse of shared memory paths like /dev/shm, helps the malware evade endpoint detection and response (EDR) solutions and function in restricted environments, including read-only containerized systems.
In addition to targeting CMS platforms, Mimo exploits misconfigured Docker APIs, deploying malicious containers that download and execute payloads dynamically. The malware is implemented as a modular framework written in Go, with logic for persistence, SSH propagation, memory injection, and brute-force exploitation. When the malware becomes active, it gathers SSH credentials and attempts lateral movement across local subnets by using brute-force logins with common usernames, including the username ec2-user. This activity suggests specific interest in cloud environments like AWS.
Datadog recommends that you audit cron jobs, /etc/ld.so.preload, and memory-backed execution artifacts to detect Mimo’s activity.
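The three audits recommended above can be scripted from /proc and a few files. The script below is an added example for this roundup, not Datadog's detection content and not derived from Mimo samples; it flags any library listed in /etc/ld.so.preload, cron lines that decode Base64 or pipe into a shell, and processes that either run from a memfd_create() or /dev/shm backing file or carry a kernel-thread name such as [kswapd0] while having a command line (real kernel threads have an empty cmdline and no /proc/<pid>/exe link). The indicator regexes, the kernel-thread name list, the /usr/lib/alamdar.so path in the sample, and all sample process records are assumptions or constructed inputs.

```python
"""Added example (not Datadog's or Mimo's code): audit a Linux host for
ld.so.preload entries, obfuscated cron jobs, and memory-backed or
kernel-thread-masquerading processes."""
import os
import re
from pathlib import Path

PRELOAD_FILE = Path("/etc/ld.so.preload")
CRON_FILES = [Path("/etc/crontab"), Path("/etc/cron.d"),
              Path("/var/spool/cron"), Path("/var/spool/cron/crontabs")]

# Cron line indicators (assumed for this example; tune to your environment).
CRON_INDICATORS = {
    "base64_decode": re.compile(r"base64\s+(-d|--decode)\b"),
    "shm_path": re.compile(r"/dev/shm/"),
    "pipe_to_shell": re.compile(r"\|\s*(ba)?sh\b"),
}
# Kernel-thread names commonly imitated by malware (assumed list).
KERNEL_THREAD_NAMES = {"kswapd0", "rcu_sched", "kworker", "ksoftirqd", "migration"}


def preload_findings(preload_text: str) -> list[str]:
    """Each non-comment entry is injected into every dynamically linked process;
    on a healthy host the file is usually absent or empty."""
    return [ln.strip() for ln in preload_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def cron_findings(cron_text: str) -> list[dict]:
    """Flag cron lines that decode Base64, run from /dev/shm, or pipe into a shell."""
    out = []
    for ln in cron_text.splitlines():
        hits = [name for name, pat in CRON_INDICATORS.items() if pat.search(ln)]
        if hits:
            out.append({"line": ln.strip(), "indicators": hits})
    return out


def process_findings(procs: list[dict]) -> list[dict]:
    """procs: dicts with pid, comm, cmdline (NUL-separated) and exe (readlink of
    /proc/<pid>/exe, '' when absent). A bracketed or kernel-style argv[0] on a
    process that has a cmdline is userland masquerading; an exe of '/memfd:...'
    is memfd_create()-backed in-memory execution."""
    out = []
    for p in procs:
        reasons = []
        argv0 = p["cmdline"].split("\0")[0] if p["cmdline"] else ""
        bare = argv0.strip("[]").split("/")[0]
        if argv0 and (argv0.startswith("[") or bare in KERNEL_THREAD_NAMES):
            reasons.append("kernel-thread name on a userland process")
        exe = p["exe"]
        if exe.startswith("/memfd:"):
            reasons.append("memfd-backed executable")
        elif exe.startswith("/dev/shm/"):
            reasons.append("executable runs from /dev/shm")
        elif exe.endswith("(deleted)"):
            reasons.append("executable deleted from disk after start")
        if reasons:
            out.append({"pid": p["pid"], "comm": p["comm"], "reasons": reasons})
    return out


def collect_host_processes() -> list[dict]:
    """Read the live /proc tree (run as root to see every exe link)."""
    procs = []
    for entry in Path("/proc").iterdir():
        if not entry.name.isdigit():
            continue
        try:
            cmdline = (entry / "cmdline").read_bytes().decode(errors="replace")
            comm = (entry / "comm").read_text().strip()
        except OSError:
            continue  # process exited mid-scan
        try:
            exe = os.readlink(entry / "exe")
        except OSError:
            exe = ""  # kernel thread, or no permission
        procs.append({"pid": int(entry.name), "comm": comm, "cmdline": cmdline, "exe": exe})
    return procs


def read_cron_sources() -> str:
    """Concatenate every readable cron file on the host."""
    chunks = []
    for loc in CRON_FILES:
        files = [loc] if loc.is_file() else (list(loc.iterdir()) if loc.is_dir() else [])
        for f in files:
            try:
                chunks.append(f.read_text(errors="replace"))
            except OSError:
                pass
    return "\n".join(chunks)


def audit_host() -> dict:
    preload = PRELOAD_FILE.read_text() if PRELOAD_FILE.exists() else ""
    return {"preload": preload_findings(preload),
            "cron": cron_findings(read_cron_sources()),
            "procs": process_findings(collect_host_processes())}


def demo() -> dict:
    """Same checks over constructed inputs (not captured from a real incident)."""
    preload = "/usr/lib/alamdar.so\n"   # path assumed; only the library name is from the report
    cron = ("* * * * * root echo ZWNobyBoaQo= | base64 -d | sh\n"
            "0 3 * * * root /usr/bin/apt-get update\n")
    procs = [
        {"pid": 42, "comm": "kswapd0", "cmdline": "", "exe": ""},                  # real kernel thread
        {"pid": 4242, "comm": "[kswapd0]", "cmdline": "[kswapd0]\0", "exe": "/memfd:x (deleted)"},
        {"pid": 4300, "comm": "nginx", "cmdline": "nginx: master process\0", "exe": "/usr/sbin/nginx"},
    ]
    return {"preload": preload_findings(preload), "cron": cron_findings(cron),
            "procs": process_findings(procs)}


if __name__ == "__main__":
    import json
    print(json.dumps(audit_host() if os.path.isdir("/proc") else demo(), indent=2))
```

Run it as root so every /proc/<pid>/exe link is readable; an unreadable link is recorded as empty and will not trigger the memfd or /dev/shm checks. Because an ld.so.preload rootkit can hide entries from the very process reading /proc, a clean result from inside a suspect host is weaker evidence than one taken from a forensic image or from outside the container.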
New persistence technique helps maintain access to cloud infrastructure
We observed a novel “persistence-as-a-service” technique that used Amazon API Gateway and AWS Lambda functions to maintain stealthy access to the cloud management plane. Threat actors created a Lambda function named buckets555 and attached the following custom policy to its execution role: AWSLambdaBasicExecutionRole-b69e3024-5a7f-4fff-a576-cf54fc986b93. They then established an HTTP API Gateway with a Lambda trigger configuration, enabling the function to execute automatically when HTTP requests were sent to a specific URL.
The Lambda function contains code that can dynamically create IAM users on demand, resulting in a persistence capability that survives credential rotation. Even after the original compromised credentials are discovered and revoked, threat actors can maintain access by sending external HTTP requests to the API Gateway endpoint. These requests automatically trigger the Lambda function to create new malicious IAM users.

This technique highlights how threat actors are evolving beyond simple credential compromise to design sophisticated, resilient access mechanisms that use cloud-native services. It represents a fundamental shift in cloud persistence strategies that security teams must be aware of to prevent threat actors from maintaining access to their cloud infrastructure after incident investigation and response.
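Two checks catch this pattern regardless of the function's name: no Lambda execution role should be allowed to mint IAM principals, and no IAM CreateUser or CreateAccessKey call should ever arrive from a Lambda execution role's session. The policy name observed in the incident follows the AWSLambdaBasicExecutionRole-<uuid> pattern the Lambda console uses for the roles it generates, so the name alone is not a signal; the policy's allowed actions are. The code below is an added example for this roundup, not Datadog's detection content; it runs both checks over a constructed IAM policy and constructed CloudTrail records (the account ID, role name sample-fn-role, function name sample-fn, user names, and IP addresses are placeholders), and the set of principal-minting actions is an assumption.

```python
"""Added example (not Datadog's detection content): detect Lambda execution
roles that can mint IAM principals, and CloudTrail events where such a role's
session actually did so. Sample policy and records are constructed."""
import fnmatch

# IAM actions that let a function mint new principals or credentials. The set is
# an assumption for this example, not an exhaustive catalogue.
PRINCIPAL_MINTING_ACTIONS = {
    "iam:CreateUser", "iam:CreateAccessKey", "iam:CreateLoginProfile",
    "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:AddUserToGroup",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_minting_actions(policy_doc: dict) -> set[str]:
    """Principal-minting actions an IAM policy document allows. Wildcards such as
    "iam:*" or "*" are expanded; Deny statements are ignored on purpose (an
    attacker-written policy will not deny itself, so Allow alone is the signal)."""
    allowed = set()
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            allowed.update(a for a in PRINCIPAL_MINTING_ACTIONS
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return allowed


def minting_calls_from_lambda_sessions(records: list[dict], lambda_roles: set[str]) -> list[dict]:
    """Flag principal-minting API calls whose caller session was issued by a
    Lambda execution role. Lambda assumes the execution role for each
    invocation, so CloudTrail records the function's calls with
    userIdentity.type == "AssumedRole" and sessionContext.sessionIssuer.arn
    equal to that role's ARN."""
    hits = []
    for rec in records:
        ident = rec.get("userIdentity", {})
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        service = rec.get("eventSource", "").split(".")[0]   # "iam.amazonaws.com" -> "iam"
        action = f"{service}:{rec.get('eventName', '')}"
        if (ident.get("type") == "AssumedRole" and issuer.get("arn") in lambda_roles
                and action in PRINCIPAL_MINTING_ACTIONS):
            hits.append({"eventTime": rec.get("eventTime"), "action": action,
                         "role": issuer.get("arn"), "session": ident.get("arn"),
                         "target": rec.get("requestParameters", {}).get("userName"),
                         "sourceIP": rec.get("sourceIPAddress")})
    return hits


# Constructed sample data (account ID, names and IPs are placeholders).
SAMPLE_LAMBDA_ROLE = "arn:aws:iam::123456789012:role/service-role/sample-fn-role"
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["logs:CreateLogGroup", "logs:PutLogEvents"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},   # the over-permissive grant
]}
SAMPLE_RECORDS = [
    {"eventTime": "2025-06-01T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "203.0.113.7", "requestParameters": {"userName": "backup-svc"},
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/sample-fn-role/sample-fn",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "arn": SAMPLE_LAMBDA_ROLE}}}},
    {"eventTime": "2025-06-01T10:05:00Z", "eventSource": "logs.amazonaws.com", "eventName": "PutLogEvents",
     "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/sample-fn-role/sample-fn",
                      "sessionContext": {"sessionIssuer": {"type": "Role", "arn": SAMPLE_LAMBDA_ROLE}}}},
    {"eventTime": "2025-06-01T11:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "sourceIPAddress": "198.51.100.9", "requestParameters": {"userName": "new-hire"},
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin"}},
]


def demo() -> dict:
    return {"policy_actions": allowed_minting_actions(SAMPLE_POLICY),
            "events": minting_calls_from_lambda_sessions(SAMPLE_RECORDS, {SAMPLE_LAMBDA_ROLE})}


if __name__ == "__main__":
    result = demo()
    print("policy allows:", sorted(result["policy_actions"]))
    for e in result["events"]:
        print(f"{e['eventTime']} {e['action']} target={e['target']} via {e['role']} from {e['sourceIP']}")
```

In a live account, build lambda_roles from the Role field of each function returned by Lambda's ListFunctions, feed allowed_minting_actions every inline and attached policy document on those roles, and run minting_calls_from_lambda_sessions over your CloudTrail archive. The policy check finds the backdoor before it fires; the CloudTrail check finds it after, and also catches the same primitive delivered through any other service that assumes a role. During response, deleting the function and the API Gateway route is not enough: revoke the execution role's permissions and enumerate every IAM user and access key created under that role's sessions.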
Looking ahead
The cloud threat landscape in Q2 2025 demonstrated an ongoing shift in sophistication and breadth of threat actor behavior, signaling clear priorities for defenders heading into Q3. The continued emphasis on software supply-chain attacks—exemplified by malicious VS Code extensions and obfuscated NPM packages—highlights the persistent abuse of developer trust and tooling. This trend, coupled with the enduring activity of actors like MUT-6149, suggests that we’ll see further investment by threat actors in dependency confusion and post-install persistence, particularly within developer ecosystems.
Additionally, we observed that threat actors are maturing in their approach to cloud persistence, infrastructure targeting, and platform agnosticism. Techniques like “persistence-as-a-service” via Lambda and API Gateway, along with Linux malware such as Mimo’s Go-based framework, signal an evolution toward long-term, cloud-native footholds. These developments reflect a broader shift: Threat actors are no longer simply exploiting misconfigurations. They’re now engineering persistence mechanisms designed to outlive incident response.
As we enter Q3, we expect continued convergence of infrastructure-level attacks and supply-chain compromise. We also expect expanded targeting of serverless environments and container orchestration systems. Defenders must prepare for adversaries who build for durability, navigate platforms with ease, and exploit trust at every layer of the stack.
Methodology
The Datadog Security Research team uses high-confidence security signals as starting points for deeper investigation across customer cloud environments to capture data on trends that impact the cloud threat landscape. By pivoting from known attack attributes into raw telemetry data captured by Datadog's security products, researchers effectively identify emerging threat patterns and compromises that might otherwise go undetected. This methodology not only improves customer security posture through timely notifications of potential compromises but also creates a valuable feedback loop that continuously enhances detection capabilities.