The Silent Bridge
In the past 24 months, many threat actors have begun to pivot from the saturation of Windows endpoints to a more focused targeting of Linux-based enterprise infrastructure. A recent example of this is the malware family SystemBC, which was originally discovered in 2019 as a Windows proxy bot. Recently, a new Linux variant of SystemBC…
The FortiGate “Phantom Patch”
In December 2025, Casmer Labs observed the disclosure of critical authentication bypass vulnerabilities in Fortinet’s FortiGate firewalls, CVE-2025-59718 and CVE-2025-59719. In late January, however, Casmer Labs began tracking a campaign that bypassed the original patches pushed to remediate the aforementioned vulnerabilities.
How It Works
The two vulnerabilities primarily exploit the cryptographic verification process of SAML…
VoidLink: Context-Aware, Modular Malware
Over the past year, Casmer Labs has observed a marked increase in “cloud-aware” malware strains and families. VoidLink, which was discovered by researchers at Check Point in December 2025, is likely the most advanced we have seen so far, demonstrating a refined ability to ingest and recognize contextual details.
The Cool (Scary) Parts
Upon infection,…
Supply Chain Persistence and Shai-Hulud
The commonality of supply chain-focused malware has seen remarkable growth in the past 24 months, with Shai-Hulud, aptly named after the giant sandworms in Frank Herbert’s Dune, taking much of the spotlight. First detected in September 2025, Shai-Hulud is a self-propagating worm that targets the npm JavaScript package registry. Now in its third iteration, Shai-Hulud…
The “MongoBleed” Crisis
Across the board, Casmer Labs has recorded the relative re-emergence of the “bleed” class of vulnerabilities, a category of memory safety errors made infamous by Heartbleed. At a high level, MongoBleed occurs because the MongoDB server trusts a client’s assertion of data size during the network message compression process. By claiming a payload is large…
Prompt Injection and Agentic Browsers
AI-powered agentic browsers and web-based chat assistants are currently susceptible to prompt injection. Attackers are embedding instructions into pages, documents, images, or even crafted URLs, causing the agents to ingest attacker-controlled text and act on it as if the user had given them those instructions.
Prompt-Based Attacks: How They Work
Let’s look at a relatively…
Malware Injection Via Steganography
The Shift Towards Browser-Based Exploitation
In 2025, Casmer Labs has observed a marked increase in “trust-based” attacks, where threat actors exploit the inherent trust users place in official browser marketplaces. The GhostPoster campaign, recently identified by researchers at Koi Security, exemplifies this trend. Rather than exploiting a software vulnerability, the attackers utilized functional lures—VPNs, ad…
Critical React & Next.js Vulnerability Enables Full Server Takeovers
A newly disclosed flaw in React Server Components (RSC) and the frameworks built upon them—most notably Next.js—has exposed a massive attack surface across the modern web. Tracked as CVE-2025-55182 (React) and CVE-2025-66478 (Next.js), this vulnerability allows attackers to execute arbitrary code on vulnerable servers without authentication. While the immediate threat is Remote Code Execution (RCE),…
The (Crypto-Stealing) Man in the Browser
A few weeks ago on November 19, Casmer Labs published a blog post exploring malicious browser extensions. In the article, we covered how malicious browser extensions manage to get listed in marketplaces as well as a few examples of specific pieces of malicious software. Before reading further, check out the article so you understand how…
Analyzing the November 18 Cloudflare Outage
On November 18, 2025, the world experienced a massive disruption as Cloudflare, a foundational infrastructure provider serving nearly 20% of the web’s traffic, suffered a global control plane failure for approximately 6 hours. Casmer Labs has compiled an analysis of the incident, including the root cause, its effects within the Cloudflare architecture, and how it…