Cybersecurity researchers have disclosed details of a new campaign dubbed CRESCENTHARVEST, likely targeting supporters of Iran’s ongoing protests to conduct information theft and long-term espionage.
The Acronis Threat Research Unit (TRU) said it observed the activity after January 9, with the attacks designed to deliver a malicious payload that serves as a remote access trojan (RAT) and information stealer to execute commands, log keystrokes, and exfiltrate sensitive data. It’s currently not known if any of the attacks were successful.
“The campaign exploits recent geopolitical developments to lure victims into opening malicious .LNK files disguised as protest-related images or videos,” researchers Subhajeet Singha, Eliad Kimhy, and Darrel Virtusio said in a report published this week.
“These files are bundled with authentic media and a Farsi-language report providing updates from ‘the rebellious cities of Iran.’ This pro- protest framing appears to be intended to increase credibility and to attract Farsi-speaking Iranians seeking protest-related information.”
CRESCENTHARVEST, although unattributed, is believed to be the work of an Iran-aligned threat group. The discovery makes it the second such campaign identified as going after specific individuals in the aftermath of the nationwide protests in Iran that began towards the end of 2025.
Last month, French cybersecurity company HarfangLab detailed a threat cluster dubbed RedKitten that targeted non-governmental organizations and individuals involved in documenting recent human rights abuses in Iran with an aim to infect them with a custom backdoor known as SloppyMIO.
According to Acronis, the exact initial access vector used to distribute the malware is not known. However, it’s suspected that the threat actors are relying on spear-phishing or “protracted social engineering efforts” in which the operators build rapport with the victims over time before sending the malicious payloads.
It’s worth noting that Iranian hacking groups like Charming Kitten and Tortoiseshell have a storied history of engaging in sophisticated social-engineered attacks that involve approaching prospective targets under fake personas and cultivating a relationship with them, in some cases even stretching for years, before weaponizing the trust to infect them with malware.
“The use of Farsi language content for social engineering and the distributed files depicting the protests in heroic terms suggest an intent to attract Farsi-speaking individuals of Iranian origin, who are in support of the ongoing protests,” the Swiss-based security company noted.
The starting point of the attack chain is a malicious RAR archive that claims to contain information related to the Iranian protests, including various images and videos, along with two Windows shortcut (LNK) files that masquerade as an image or a video file by using the double extension trick (*.jpg.lnk or *.mp4.lnk).
The deceptive file, once launched, contains PowerShell code to retrieve another ZIP archive, while simultaneously opening a harmless image or video, tricking the victim into thinking that they have interacted with a benign file.
Present within the ZIP archive is a legitimate Google-signed binary (“software_reporter_tool.exe”) shipped as part of Chrome’s cleanup utility and several DLL files, including two rogue libraries that are sideloaded by the executable to realize the threat actor’s objectives –
- urtcbased140d_d.dll, a C++ implant that extracts and decrypts Chrome’s app-bound encryption keys through COM interfaces. It shares overlaps with an open-source project known as ChromElevator.
- version.dll (aka CRESCENTHARVEST), a remote access tool that lists installed antivirus products and security tools, enumerates local user accounts on the device, loads DLLs, harvests system metadata, browser credentials, Telegram desktop account data, and keystrokes.
CRESCENTHARVEST employs Windows Win HTTP APIs to communicate with its command-and-control (C2) server (“servicelog-information[.]com”), allowing it to blend in with regular traffic. Some of the supported commands are listed below –
- Anti, to run anti-analysis checks
- His, to steal browser history
- Dir, to list directories
- Cwd, to get the current working directory
- Cd, to change directory
- GetUser, to get user information
- ps, to run PowerShell commands (not working)
- KeyLog, to activate keylogger
- Tel_s, to steal Telegram session data
- Cook, to steal browser cookies
- Info, to steal system information
- F_log, to steal browser credentials
- Upload, to upload files
- shell, to run shell commands
“The CRESCENTHARVEST campaign represents the latest chapter in a decade-long pattern of suspected nation-state cyber espionage operations targeting journalists, activists, researchers, and diaspora communities globally,” Acronis said. “Much of what we observed in CRESCENTHARVEST reflects well-established tradecraft: LNK-based initial access, DLL side-loading through signed binaries, credential harvesting and social engineering aligned to current events.”
