Cybersecurity researchers have disclosed details of a new campaign dubbed CRESCENTHARVEST, likely targeting supporters of Iran’s ongoing protests to conduct information theft and long-term espionage.
The Acronis Threat Research Unit (TRU) said it observed the activity after January 9, with the attacks designed to deliver a malicious payload that serves as a remote access trojan (RAT) and information stealer to execute commands, log keystrokes, and exfiltrate sensitive data. It is currently not known if any of the attacks were successful.
“The campaign exploits current geopolitical developments to lure victims into opening malicious .LNK files disguised as protest-related images or videos,” researchers Subhajeet Singha, Eliad Kimhy, and Darrel Virtusio said in a report published this week.
“These files are bundled with authentic media and a Farsi-language report providing updates from ‘the rebellious cities of Iran.’ This pro-protest framing appears to be intended to increase credibility and to attract Farsi-speaking Iranians seeking protest-related information.”
CRESCENTHARVEST, though unattributed, is believed to be the work of an Iran-aligned risk group. The invention makes it the second such marketing campaign recognized as going after particular people within the aftermath of the nationwide protests in Iran that started in the direction of the top of 2025.
Final month, French cybersecurity firm HarfangLab detailed a risk cluster dubbed RedKitten that focused non-governmental organizations and people concerned in documenting current human rights abuses in Iran with an purpose to contaminate them with a customized backdoor generally known as SloppyMIO.
In keeping with Acronis, the precise preliminary entry vector used to distribute the malware is just not identified. Nonetheless, it is suspected that the risk actors are counting on spear-phishing or “protracted social engineering efforts” through which the operators construct rapport with the victims over time earlier than sending the malicious payloads.
It is value noting that Iranian hacking teams like Charming Kitten and Tortoiseshell have a storied historical past of participating in refined social-engineered assaults that contain approaching potential targets underneath pretend personas and cultivating a relationship with them, in some circumstances even stretching for years, earlier than weaponizing the belief to contaminate them with malware.
“The use of Farsi-language content for social engineering and the distributed files depicting the protests in heroic terms suggest an intent to attract Farsi-speaking individuals of Iranian origin who are in support of the ongoing protests,” the Swiss-based security company noted.
The starting point of the attack chain is a malicious RAR archive that claims to contain information related to the Iranian protests, including various images and videos, along with two Windows shortcut (LNK) files that masquerade as an image or a video file by using the double-extension trick (*.jpg.lnk or *.mp4.lnk).
The deceptive file, once launched, runs embedded PowerShell code that retrieves another ZIP archive while simultaneously opening a harmless image or video, tricking the victim into thinking they have interacted with a benign file.
Present within the ZIP archive is a legitimate Google-signed binary (“software_reporter_tool.exe”) shipped as part of Chrome’s cleanup utility, and several DLL files, including two rogue libraries that are sideloaded by the executable to achieve the threat actor’s goals –
- urtcbased140d_d.dll, a C++ implant that extracts and decrypts Chrome’s app-bound encryption keys via COM interfaces. It shares overlaps with an open-source project known as ChromElevator.
- model.dll (aka CRESCENTHARVEST), a remote access tool that lists installed antivirus products and security tools, enumerates local user accounts on the device, loads DLLs, and harvests system metadata, browser credentials, Telegram desktop account data, and keystrokes.
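As an added example (not code from the Acronis report), here are the two defender-side checks the chain above suggests: flagging double-extension shortcuts in an archive listing, and flagging the signed software_reporter_tool.exe running outside its Chrome install directory while loading a DLL from its own folder. The Chrome directory fragments and the Sysmon-style “image”/“loaded” event fields are assumptions, and the sample data is constructed.

```python
from pathlib import PureWindowsPath

# Media extensions the campaign's shortcuts imitate (*.jpg.lnk / *.mp4.lnk), plus a few more.
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov", ".avi"}

# Where the Google-signed cleanup tool normally lives (assumed, lowercase fragments).
CHROME_DIRS = (r"\google\chrome\user data\swreporter", r"\google\chrome\application")


def masquerading_lnks(member_names):
    """Return archive members that end in .lnk but carry a media extension before it."""
    hits = []
    for name in member_names:
        suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
        if len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in MEDIA_EXTS:
            hits.append(name)
    return hits


def suspicious_sideloads(events):
    """events: dicts with 'image' (process path) and 'loaded' (module path), e.g. Sysmon EID 7.
    Flags software_reporter_tool.exe running outside a Chrome directory and loading a
    DLL that sits next to it, the side-by-side layout the dropped ZIP uses."""
    flagged = []
    for ev in events:
        image = PureWindowsPath(ev["image"])
        module = PureWindowsPath(ev["loaded"])
        if image.name.lower() != "software_reporter_tool.exe":
            continue
        image_dir = str(image.parent).lower()
        in_chrome_dir = any(frag in image_dir for frag in CHROME_DIRS)
        colocated = str(module.parent).lower() == image_dir
        if not in_chrome_dir and colocated:
            flagged.append(ev)
    return flagged


# Constructed sample data, not taken from the report.
SAMPLE_MEMBERS = ["images/protest_01.jpg", "images/protest_02.jpg.lnk",
                  "videos/clip.mp4.lnk", "gozaresh.txt"]
SAMPLE_EVENTS = [
    {"image": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\SwReporter\1.0\software_reporter_tool.exe",
     "loaded": r"C:\Windows\System32\version.dll"},          # benign: tool in its own dir
    {"image": r"C:\Users\u\Downloads\protests\software_reporter_tool.exe",
     "loaded": r"C:\Users\u\Downloads\protests\model.dll"},  # sideload from extracted ZIP
]

if __name__ == "__main__":
    print(masquerading_lnks(SAMPLE_MEMBERS))
    print([e["loaded"] for e in suspicious_sideloads(SAMPLE_EVENTS)])
```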
CRESCENTHARVEST uses the Windows WinHTTP APIs to communicate with its command-and-control (C2) server (“servicelog-information[.]com”), allowing it to blend in with regular traffic. Some of the supported commands are listed below –
- Anti, to run anti-analysis checks
- His, to steal browser history
- Dir, to list directories
- Cwd, to get the current working directory
- Cd, to change directory
- GetUser, to get user information
- ps, to run PowerShell commands (not working)
- KeyLog, to activate the keylogger
- Tel_s, to steal Telegram session data
- Cook, to steal browser cookies
- Info, to steal system information
- F_log, to steal browser credentials
- Upload, to upload files
- shell, to run shell commands
“The CRESCENTHARVEST campaign represents the latest chapter in a decade-long pattern of suspected nation-state cyber espionage operations targeting journalists, activists, researchers, and diaspora communities globally,” Acronis said. “Much of what we observed in CRESCENTHARVEST reflects well-established tradecraft: LNK-based initial access, DLL side-loading via signed binaries, credential harvesting and social engineering aligned to current events.”
The disclosure comes days after The New York Times reported that Iran’s government likely tracked protesters’ locations via their phones in order to warn them by text message that their “presence at illegal gatherings” had been recorded and that they were under “intelligence monitoring.”
The move, it said, was an attempt to crack down on dissent. According to a report published by the Iran-focused digital rights group Holistic Resilience last week, some people who posted on social media about the protests and other political topics have had their SIM cards suspended.
“The Islamic Republic is building a distinct model of digital control and surveillance, one that is not based on permanent isolation but on conditional and interruptible connectivity,” RaazNet said.
“The central pillar of this model is the National Information Network (NIN). Unlike traditional physical infrastructure, such as roads or factories, the NIN is not a static state project. Like other digital systems, it evolves continuously alongside advances in communications technologies, undergoes regular versioning, and is expanded in response to changing technical and political requirements.”
The move is part of a broader effort that combines information gleaned from e-government databases and surveillance cameras with malware deployed via social engineering to establish remote access and monitor citizens’ online activities in a sustained manner. One such tool is a lightweight modular trojan called 2Ac2 RAT, designed for victim device control and data collection.