Datadog threat roundup: Top insights for Q2 2025

Datadog observed a surge in supply-chain and cloud-native persistence techniques in Q2 2025, including malicious VS Code extensions and obfuscated NPM packages that steal credentials and deploy cryptominers. Notable actors and techniques include MUT-9332, MUT-6149, Mimo, and a novel "persistence-as-a-service" pattern built on AWS Lambda and API Gateway.

Key points

  • Three malicious VS Code extensions targeting Solidity developers (solaibot, among-eth, blankebesxstnion) were attributed to a single actor tracked as MUT-9332.
  • Obfuscated NPM packages ([email protected] and [email protected]) were found delivering information-stealer payloads via multi-stage scripts and nested invocation.
  • Actor MUT-6149 persistently published NPM typosquats that use a post-install backdoor to append public keys to ~/.ssh/authorized_keys for silent SSH re-entry.
  • Mimo expanded targeting from Craft CMS to Magento and Docker misconfigurations, using rootkits (/etc/ld.so.preload), memfd_create memory execution, and GSocket reverse shells to persist and evade EDR.
  • A novel “persistence-as-a-service” pattern used API Gateway + AWS Lambda (function named buckets555) to create IAM users on demand, enabling access persistence after credential revocation.
  • Threat actors are increasingly platform-agnostic, operating across CMS, containers, orchestration, and serverless environments, indicating broader technical capabilities.
  • Defenders must monitor cron jobs, /etc/ld.so.preload, memory-backed execution, and cloud-native artifacts (Lambda/API Gateway) to detect evolving persistence and supply-chain abuse.
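
The monitoring points in the last bullet, as an added example that is not Datadog's code or tooling: a small Python audit of the Linux-side artifacts the roundup names (entries in /etc/ld.so.preload, Base64-obfuscated cron commands, authorized_keys entries that drift from a recorded baseline, and processes whose executable is an anonymous memfd). Each check takes file contents or /proc data as plain Python values so it runs offline on the constructed samples at the top; the sample key blobs, cron lines and the /usr/lib/alamdar.so path are constructed, only the artifact and rootkit names come from the roundup, and the baseline authorized_keys file is assumed to be something the defender maintains.

```python
"""Offline checks for the Linux persistence artifacts named in this roundup.

Added illustration for this digest, not Datadog's code or tooling. Each check
takes file contents or /proc data as plain Python values so it runs on the
constructed samples below; audit_live_host() reads the real paths when the
module is run as a script on a Linux host.
"""
import base64
import os
import re

# --- Constructed sample data (not observations from the roundup) ----------
# Rootkit name is from the roundup; the install path is assumed.
SAMPLE_PRELOAD = "# preload libs\n/usr/lib/alamdar.so\n"
SAMPLE_CMD = b"/tmp/.x/run.sh --quiet --interval 300"
SAMPLE_CRON = (
    "# m h dom mon dow command\n"
    "0 3 * * * /usr/bin/updatedb\n"
    "*/5 * * * * echo " + base64.b64encode(SAMPLE_CMD).decode() + " | base64 -d | sh\n"
)
ADMIN_KEY = "ssh-ed25519 AAAAC3constructedAdminKeyBlob admin@host"
BASELINE_KEYS = ADMIN_KEY + "\n"
CURRENT_KEYS = ADMIN_KEY + "\nssh-rsa AAAAB3constructedInjectedKeyBlob injected\n"
SAMPLE_EXE_LINKS = {1: "/usr/lib/systemd/systemd", 4242: "/memfd:kthreadd (deleted)"}

# --- /etc/ld.so.preload: any entry on a typical host deserves a look ------
def preload_entries(contents: str) -> list[str]:
    """Return non-empty, non-comment library paths listed in ld.so.preload."""
    return [ln.strip() for ln in contents.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

# --- cron: commands that decode Base64 into a shell -----------------------
_B64_BLOB = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
_DECODE = re.compile(r"base64\s+(?:-d|--decode)\b")

def obfuscated_cron_lines(crontab: str) -> list[dict]:
    """Flag cron lines that pipe Base64 through a decoder; attach a decoded preview."""
    hits = []
    for ln in crontab.splitlines():
        if ln.lstrip().startswith("#") or not _DECODE.search(ln):
            continue
        preview = ""
        m = _B64_BLOB.search(ln)
        if m:
            try:  # validate=True rejects blobs that are not strict Base64
                preview = base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace")[:80]
            except ValueError:
                preview = "<undecodable>"
        hits.append({"line": ln, "decoded_preview": preview})
    return hits

# --- ~/.ssh/authorized_keys: drift from a recorded baseline ---------------
_KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-", "sk-ssh-", "sk-ecdsa-")

def _key_set(text: str) -> set[tuple[str, str]]:
    """(type, blob) pairs from authorized_keys; options and comments are ignored."""
    found = set()
    for ln in text.splitlines():
        toks = ln.split()
        for i, tok in enumerate(toks[:-1]):
            if tok.startswith(_KEY_TYPES):
                found.add((tok, toks[i + 1]))
                break
    return found

def unexpected_keys(baseline: str, current: str) -> list[tuple[str, str]]:
    """Keys present in the current file that the recorded baseline lacks."""
    return sorted(_key_set(current) - _key_set(baseline))

# --- memfd_create: /proc/<pid>/exe resolving to an anonymous memfd --------
def memfd_processes(exe_links: dict[int, str]) -> list[int]:
    """PIDs whose exe symlink points at '/memfd:<name> (deleted)'."""
    return sorted(pid for pid, target in exe_links.items() if target.startswith("/memfd:"))

# --- live-host wrapper (Linux only; reads real paths when present) --------
def audit_live_host() -> dict:
    findings = {}
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            findings["ld_preload"] = preload_entries(fh.read())
    if os.path.exists("/etc/crontab"):
        with open("/etc/crontab") as fh:
            findings["obfuscated_cron"] = obfuscated_cron_lines(fh.read())
    links = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            links[int(pid)] = os.readlink(f"/proc/{pid}/exe")
        except OSError:  # kernel threads and exited processes have no exe
            continue
    findings["memfd_pids"] = memfd_processes(links)
    return findings

if __name__ == "__main__":
    print(audit_live_host())
```

Running the module as a script prints the live findings; on a fleet the same functions would be fed by an agent and the authorized_keys baseline kept in configuration management, so that any new (type, blob) pair is an alert rather than a diff someone has to read.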

MITRE Techniques

  • [T1609] Container Administration Command – Exploited misconfigured Docker APIs to deploy malicious containers that download and execute payloads (“exploits misconfigured Docker APIs, deploying malicious containers that download and execute payloads dynamically”).
  • [T1505] Server Software Component – Supply-chain compromise via backdoored VS Code extensions and malicious NPM packages to distribute malware (“malicious VS Code extensions… obfuscated NPM packages…deploying information stealer malware”).
  • [T1098] Account Manipulation – Lambda function creating IAM users on demand to maintain access after credential revocation (“create IAM users on demand, resulting in an unprecedented persistence capability”).
  • [T1078] Valid Accounts – Appending public keys to ~/.ssh/authorized_keys for SSH re-entry as a post-install backdoor (“appends threat actor-controlled public keys to ~/.ssh/authorized_keys, enabling silent SSH re-entry”).
  • [T1055] Process Injection – Using memfd_create() and shared memory (/dev/shm) to execute payloads entirely in memory to evade detection (“memfd_create() syscall to execute payloads entirely in memory… abuse of shared memory paths like /dev/shm”).
  • [T1547] Boot or Logon Autostart Execution – Installing alamdar.so via /etc/ld.so.preload to hide processes/files and maintain persistence (“installing the alamdar.so rootkit via /etc/ld.so.preload to hide processes and files”).
  • [T1021] Remote Services – Brute-force SSH propagation and lateral movement using gathered credentials across local subnets (“gathers SSH credentials and attempts lateral movement… using brute-force logins with common usernames”).
  • [T1071] Application Layer Protocol – Using HTTP API Gateway endpoints to trigger malicious Lambda functions for remote activation (“established an HTTP API Gateway… enabling the function to execute automatically when HTTP requests were sent to a specific URL”).
  • [T1204] User Execution – Malicious VS Code extensions masquerading as legitimate tools to trick developers into installing them (“extensions masquerade as legitimate tools, embedding malicious functionality within genuine features”).

Indicators of Compromise

  • [Malicious Files / Package Names] VS Code extensions and NPM packages – solaibot, among-eth, blankebesxstnion; [email protected], [email protected].
  • [Threat Actor Tags / Campaigns] Actor identifiers – MUT-9332, MUT-6149, Mimo.
  • [File Paths / Artifacts] Persistence/artifact locations – ~/.ssh/authorized_keys (SSH backdoor), /etc/ld.so.preload (alamdar.so rootkit), /dev/shm (shared memory artifacts).
  • [Cloud Resources] Lambda/API Gateway artifacts – Lambda function name buckets555, custom role/policy AWSLambdaBasicExecutionRole-b69e3024-5a7f-4fff-a576-cf54fc986b93, and an HTTP API Gateway endpoint used to trigger persistence.
  • [Technique Artifacts] Memory execution indicators – usage of memfd_create() and in-memory payload execution; cron jobs obfuscated with Base64 payloads (and 1 more persistence artifact).

Read more: https://securitylabs.datadoghq.com/articles/2025-q2-threat-roundup/