Attackers Weaponizing Internal OAuth Apps to Persist Past Password Resets
Adversaries are exploiting Microsoft’s OAuth model to maintain persistent access — even after users change passwords or enable MFA. First reported in late October 2025 by Proofpoint, attackers are using malicious internal OAuth applications within a victim’s tenant to maintain access to systems, including email and files, without detection. Unlike external third-party apps, these in-tenant…
More Prompt Injection and Agentic Browsers
A few months ago, we wrote an article covering Prompt Injection and Agentic Browsers, including how prompt injection attacks work, a real-world example we put together, and the widespread implications of their growing popularity. More recently, a Calendar Exploit discovered by LayerX has been observed on a small-to-medium scale, demonstrating that even…
Why “Discord alternatives” Searches Jumped 10,000% Overnight
On February 11, 2026, Discord, one of the largest online communication platforms in the world, announced that it would begin implementing age-verification requirements starting at the end of February. The service, which was originally built for gamers as a more modern replacement for services such as TeamSpeak 3 and Mumble, has over 200 million active…
The Silent Bridge
In the past 24 months, many threat actors have begun to pivot away from the saturated Windows endpoint space toward more focused targeting of Linux-based enterprise infrastructure. A recent example of this is the malware family SystemBC, which was originally discovered in 2019 as a Windows proxy bot. Recently, a new Linux variant of SystemBC…
The FortiGate “Phantom Patch”
In December 2025, Casmer Labs observed the disclosure of critical authentication bypass vulnerabilities in Fortinet’s FortiGate firewalls, CVE-2025-59718 and CVE-2025-59719. In late January, however, Casmer Labs began tracking a campaign that bypassed the original patches pushed to remediate the aforementioned vulnerabilities. How It Works: The two vulnerabilities primarily exploit the cryptographic verification process of SAML…
VoidLink: Context-Aware, Modular Malware
Over the past year, Casmer Labs has observed a marked increase in “cloud-aware” malware strains and families. VoidLink, which was discovered by researchers at Check Point in December 2025, is likely the most advanced we have seen so far, demonstrating a refined ability to ingest and recognize contextual details. The Cool (Scary) Parts: Upon infection,…
Supply Chain Persistence and Shai-Hulud
Supply chain-focused malware has become remarkably more common in the past 24 months, with Shai-Hulud, aptly named after the giant sandworms in Frank Herbert’s Dune, taking much of the spotlight. First detected in September 2025, Shai-Hulud is a self-propagating worm that targets the npm JavaScript package registry. Now in its third iteration, Shai-Hulud…
The “MongoBleed” Crisis
Across the board, Casmer Labs has recorded the relative re-emergence of the “bleed” class of vulnerabilities, a category of memory safety errors made infamous by Heartbleed. At a high level, MongoBleed occurs because the MongoDB server trusts a client’s assertion of data size during the network message compression process. By claiming a payload is large…
Prompt Injection and Agentic Browsers
AI-powered agentic browsers and web-based chat assistants are currently susceptible to prompt injection. Attackers are embedding instructions into pages, documents, images, or even crafted URLs, causing the agents to ingest attacker-controlled text and act on it as if the user had given them those instructions. Prompt-Based Attacks: How They Work: Let’s look at a relatively…
Malware Injection Via Steganography
The Shift Towards Browser-Based Exploitation: In 2025, Casmer Labs has observed a marked increase in “trust-based” attacks, where threat actors exploit the inherent trust users place in official browser marketplaces. The GhostPoster campaign, recently identified by researchers at Koi Security, exemplifies this trend. Rather than exploiting a software vulnerability, the attackers utilized functional lures—VPNs, ad…