Cyware Daily Threat Intelligence, February 05, 2026

It doesn’t kick the door down; it slips in wearing a JavaScript mask. First seen in early 2026, DesckVB RAT v2.9 is a stealthy .NET-based malware that chains an obfuscated WSH stager, PowerShell anti-analysis, and a fileless in-memory loader, with modular plugins enabling espionage functions like keylogging, webcam access, and antivirus enumeration.
Masquerading as RTO challan alerts, the campaign lures Indian users via WhatsApp into a three-stage malware chain that drops a cryptominer, establishes persistence and C2 access, and culminates in data theft and surveillance. The operation compromised ~7,400 devices, siphoning personal IDs, financial credentials, and device metadata into a structured backend—posing serious privacy and financial risks.
Google has rolled out a Chrome desktop update fixing two high-severity flaws that could be weaponized for crashes or code execution. The patch addresses a V8 type-confusion bug (CVE-2026-1862) and a libvpx heap buffer overflow (CVE-2026-1861), with users on Windows, macOS, and Linux urged to update immediately as technical details remain restricted to limit exploitation.
Top Malware Reported in the Last 24 Hours
DesckVB RAT 2.9 unleashes modular malware capabilities
A new sophisticated malware threat, DesckVB RAT version 2.9, has emerged in early 2026, built on the .NET framework and designed for persistent control while evading traditional defenses. The malware uses a highly obfuscated Windows Script Host (WSH) JavaScript file as its initial stager, blending malicious activity with legitimate system processes. DesckVB RAT employs a multi-stage infection chain, including PowerShell scripts for anti-analysis checks and a fileless .NET loader for stealthy execution in memory. Its modular plugin-based architecture allows attackers to deploy specific functions like keylogging, webcam streaming, and antivirus enumeration, making it a versatile espionage tool.
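The chain described above (a WSH JavaScript stager, then PowerShell, then a fileless .NET loader) leaves a recognisable parent/child trail in process-creation telemetry. The following is an added example, not code from the report or from any vendor: it runs two generic hunting heuristics over constructed process-creation events. The rules (a WSH host spawning PowerShell, and a PowerShell command line that encodes its payload or calls the .NET reflection loader) are common detection patterns and are assumptions about how such a chain typically looks, not DesckVB-specific indicators.

```python
"""Hunt for a WSH-stager -> PowerShell -> in-memory .NET loader chain in
process-creation telemetry.  Added example for this digest; the events are
constructed and the rules are generic heuristics, not indicators taken from
the DesckVB RAT report."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


# Windows Script Host interpreters that execute a .js stager.
WSH_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe"}

# Command-line fragments that commonly accompany in-memory .NET loading from
# PowerShell (assumption: generic heuristics, not from the report).
INMEM_LOADER_PATTERNS = [
    re.compile(r"\[(?:System\.)?Reflection\.Assembly\]::Load", re.IGNORECASE),
    re.compile(r"-(?:EncodedCommand|enc)\b", re.IGNORECASE),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: ProcEvent) -> list[str]:
    """Return the names of the rules this event matches (empty = no hit)."""
    hits: list[str] = []
    parent, child = basename(event.parent_image), basename(event.image)
    if parent in WSH_HOSTS and child in POWERSHELL_HOSTS:
        hits.append("wsh_spawns_powershell")
    if child in POWERSHELL_HOSTS and any(
        p.search(event.command_line) for p in INMEM_LOADER_PATTERNS
    ):
        hits.append("powershell_inmemory_loader")
    return hits


def hunt(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map pid -> matched rules for every event that trips at least one rule."""
    return {e.pid: h for e in events if (h := evaluate(e))}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample telemetry: a user double-clicks a .js file, the script
# host launches an encoded PowerShell command, which then reflectively loads
# an assembly; the last event is a benign scheduled script for contrast.
SAMPLE_EVENTS = [
    ProcEvent(4100, r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
              r'wscript.exe "C:\Users\u\Downloads\invoice.js"'),
    ProcEvent(4120, r"C:\Windows\System32\wscript.exe", PS,
              "powershell.exe -w hidden -NoP -EncodedCommand QQBCAEMA"),
    ProcEvent(4133, PS, PS,
              "powershell.exe -c [Reflection.Assembly]::Load($b).EntryPoint.Invoke($null,$null)"),
    ProcEvent(5001, r"C:\Windows\explorer.exe", PS,
              r"powershell.exe -File C:\scripts\backup.ps1"),
]

if __name__ == "__main__":
    for pid, rules in hunt(SAMPLE_EVENTS).items():
        print(pid, ", ".join(rules))
```

In practice the same two rules map directly onto Sysmon event ID 1 or Windows Security event 4688 fields (ParentImage/Image/CommandLine); the parent/child rule is the higher-confidence one, since legitimate logon scripts rarely hand off to an encoded PowerShell command.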
RTO-themed Android malware targets Indian users
The malware campaign targets Indian users by impersonating government services like RTO challan notifications, distributed through messaging platforms like WhatsApp. It employs a three-stage infection chain with distinct functionalities: Stage 1 acts as a dropper and cryptominer, Stage 2 ensures persistence and backend connectivity, and Stage 3 focuses on data theft and surveillance. The malware harvests sensitive data, including personal identity information, financial credentials, and device metadata, and stores it in a structured backend system. Approximately 7,400 devices were infected, leading to significant privacy and financial risks for victims.
Top Vulnerabilities Reported in the Last 24 Hours
Google Chrome patches two severe security flaws
Google Chrome's latest desktop update patches two high-severity vulnerabilities. CVE-2026-1862 is a type confusion bug in the V8 JavaScript engine that could lead to arbitrary code execution or browser crashes. CVE-2026-1861 is a heap buffer overflow in the libvpx video codec library, which could allow crafted video files to crash systems or hijack control flow. Specific details of the vulnerabilities are being withheld to prevent exploitation before users have updated. Users on Windows, macOS, and Linux are urged to update their browsers immediately to protect against these risks.
Django framework faces security crisis
The Django Software Foundation released emergency patches on February 3, 2026, to address six critical vulnerabilities in the Django Python web framework. The vulnerabilities include three high-severity SQL injection flaws, two moderate-severity denial-of-service (DoS) issues, and one low-severity username enumeration vulnerability. High-severity SQL injection flaws affect PostGIS raster lookups (CVE-2026-1207), column aliases in FilteredRelation queries (CVE-2026-1287), and QuerySet.order_by() operations (CVE-2026-1312). Moderate-severity DoS vulnerabilities involve duplicate HTTP headers in Django's ASGI request handler (CVE-2025-14550) and HTML truncation in the django.utils.text.Truncator module (CVE-2026-1285).
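Applying the patches is the fix for the flaws above. As a complementary hardening step for the ordering-related class of issue, the example below (added here; it is not Django code and does not describe the mechanics of CVE-2026-1312) validates a user-controlled ordering parameter against an allowlist before it is ever passed to QuerySet.order_by(), so only known field names, optionally prefixed with "-", reach the ORM. The field list and the UnsafeOrderingError name are assumptions for the illustration; the function is plain Python so it runs without Django installed.

```python
"""Allowlist validation for user-controlled ordering fields before they reach
QuerySet.order_by().  Added example, not from the Django project or the
advisory; a defensive pattern that complements, not replaces, patching."""
from __future__ import annotations

import re

# Only plain identifiers, with an optional leading "-" for descending order.
# Lookups ("author__email"), random ordering ("?"), quotes and punctuation
# all fail this check before the allowlist is even consulted.
_FIELD_RE = re.compile(r"^-?[A-Za-z_][A-Za-z0-9_]*$")


class UnsafeOrderingError(ValueError):
    """Raised when a requested ordering field is malformed or not allowlisted."""


def safe_ordering(
    raw: str,
    allowed: frozenset[str],
    default: tuple[str, ...] = ("id",),
) -> tuple[str, ...]:
    """Turn a raw '?ordering=' value such as '-created_at,title' into a tuple
    that can be splatted into QuerySet.order_by(*fields).  Every field must be
    on the allowlist; duplicates are dropped; an empty value yields `default`."""
    if not raw or not raw.strip():
        return default
    fields: list[str] = []
    for part in raw.split(","):
        part = part.strip()
        if not _FIELD_RE.fullmatch(part):
            raise UnsafeOrderingError(f"malformed ordering field: {part!r}")
        if part.lstrip("-") not in allowed:
            raise UnsafeOrderingError(f"ordering field not permitted: {part!r}")
        if part not in fields:
            fields.append(part)
    return tuple(fields)


def is_rejected(raw: str, allowed: frozenset[str]) -> bool:
    """True if safe_ordering() refuses the value (handy for tests and audits)."""
    try:
        safe_ordering(raw, allowed)
    except UnsafeOrderingError:
        return True
    return False


# Constructed allowlist for a hypothetical Article model.
ALLOWED_ARTICLE_FIELDS = frozenset({"id", "title", "created_at", "author_id"})

if __name__ == "__main__":
    # In a Django view this would be:
    #   Article.objects.order_by(*safe_ordering(request.GET.get("ordering", ""),
    #                                            ALLOWED_ARTICLE_FIELDS))
    print(safe_ordering("-created_at,title", ALLOWED_ARTICLE_FIELDS))
    for bad in ("author__email", "?", "title) --", "-", "title,password"):
        print(repr(bad), "rejected:", is_rejected(bad, ALLOWED_ARTICLE_FIELDS))
```

The same pattern applies to any ORM entry point that accepts user-supplied identifiers (annotation aliases, FilteredRelation names, values() columns): keep the allowlist per model, reject rather than sanitise, and let the framework's parameterisation handle values.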