TTPwire Vol. 1 · MITRE ATT&CK Tagged


Datadog Security Labs

Datadog threat roundup: Top insights for Q2 2025

2025-08-14

ATT&CK techniques detected

17 predictions
T1195.001 Compromise Software Dependencies and Development Tools (98%)
"Malicious npm package, grayavatar@1.0.2. This package utilizes multi-stage, nested script invocation to execute an obfuscated payload, ultimately deploying information stealer malware. Although MUT-6149 was first profiled in our Q1 2025 roundup, we are highlighting the ac…"

T1195.001 Compromise Software Dependencies and Development Tools (94%)
"Extensions masquerade as legitimate tools, embedding malicious functionality within genuine features, and utilize command and control (C2) domains that closely resemble legitimate Solidity-related resources. The extensions initiate complex, multi-stage infection chains that…"

T1587 Develop Capabilities (75%)
"Malicious npm package, grayavatar@1.0.2. This package utilizes multi-stage, nested script invocation to execute an obfuscated payload, ultimately deploying information stealer malware. Although MUT-6149 was first profiled in our Q1 2025 roundup, we are highlighting the ac…"

T1190 Exploit Public-Facing Application (71%)
"Threat actors like Mimo maintained their focus on content management system (CMS) platforms and misconfigured Docker deployments. The return of established threats like Skidmap, combined with new campaigns targeting WordPress installations, demonstrates that threat actors conti…"

T1136.003 Cloud Account (65%)
"…Threat actors created a Lambda function named buckets555 and attached its execution role to the following custom policy: AWSLambdaBasicExecutionRole-b69e3024-5a7f-4fff-a576-cf54fc986b93. They then established an HTTP API Gateway with a Lambda trigger configuration, e…"

T1195.002 Compromise Software Supply Chain (55%)
"Datadog threat roundup: Top insights for Q2 2025. As a leading provider in observability and cloud security, Datadog has unique insight into threat actor behavior that targets cloud infrastructure and the software supply chain. Th…"

T1176 Software Extensions (52%)
"Extensions masquerade as legitimate tools, embedding malicious functionality within genuine features, and utilize command and control (C2) domains that closely resemble legitimate Solidity-related resources. The extensions initiate complex, multi-stage infection chains that…"

T1195.001 Compromise Software Dependencies and Development Tools (51%)
"Datadog threat roundup: Top insights for Q2 2025. As a leading provider in observability and cloud security, Datadog has unique insight into threat actor behavior that targets cloud infrastructure and the software supply chain. Th…"

T1190 Exploit Public-Facing Application (50%)
"…exploited a PHP-FPM command injection vulnerability in Magento CMS, marking a notable expansion in its targeting. The intrusion showcased new layers of sophistication in Linux attack techniques, such as establishing persistence through gsocket-based reverse shells, masqueradi…"

T1176.002 IDE Extensions (49%)
"Extensions masquerade as legitimate tools, embedding malicious functionality within genuine features, and utilize command and control (C2) domains that closely resemble legitimate Solidity-related resources. The extensions initiate complex, multi-stage infection chains that…"

T1195.001 Compromise Software Dependencies and Development Tools (44%)
"…response. Looking ahead, the cloud threat landscape in Q2 2025 demonstrated an ongoing shift in sophistication and breadth of threat actor behavior, signaling clear priorities for defenders heading into Q3. The continued emphasis on software supply-chain attacks — exemplified by…"

T1071.001 Web Protocols (43%)
"Datadog threat roundup: Top insights for Q2 2025. As a leading provider in observability and cloud security, Datadog has unique insight into threat actor behavior that targets cloud infrastructure and the software supply chain. Th…"

T1587 Develop Capabilities (43%)
"Extensions masquerade as legitimate tools, embedding malicious functionality within genuine features, and utilize command and control (C2) domains that closely resemble legitimate Solidity-related resources. The extensions initiate complex, multi-stage infection chains that…"

T1204.005 Malicious Library (37%)
"Malicious npm package, grayavatar@1.0.2. This package utilizes multi-stage, nested script invocation to execute an obfuscated payload, ultimately deploying information stealer malware. Although MUT-6149 was first profiled in our Q1 2025 roundup, we are highlighting the ac…"

T1176 Software Extensions (32%)
"Datadog threat roundup: Top insights for Q2 2025. As a leading provider in observability and cloud security, Datadog has unique insight into threat actor behavior that targets cloud infrastructure and the software supply chain. Th…"

T1195.002 Compromise Software Supply Chain (32%)
"Extensions masquerade as legitimate tools, embedding malicious functionality within genuine features, and utilize command and control (C2) domains that closely resemble legitimate Solidity-related resources. The extensions initiate complex, multi-stage infection chains that…"

T1014 Rootkit (30%)
"…exploited a PHP-FPM command injection vulnerability in Magento CMS, marking a notable expansion in its targeting. The intrusion showcased new layers of sophistication in Linux attack techniques, such as establishing persistence through gsocket-based reverse shells, masqueradi…"

Summary

Threat insights from Datadog Security Labs for Q2 2025.