RAT Malware Used in CRESCENTHARVEST Operation Targeting Iran Protest Backers

Cybersecurity researchers have uncovered a new operation, dubbed CRESCENTHARVEST, that appears to target supporters of Iran’s ongoing protests for data theft and long‑term surveillance.
The Acronis Threat Research Unit (TRU) reports observing the activity beginning after January 9. The campaign delivers a payload functioning as a remote access trojan (RAT) and information stealer, capable of executing commands, logging keystrokes, and exfiltrating sensitive data. It’s not yet clear whether any compromises have succeeded.

According to researchers Subhajeet Singha, Eliad Kimhy, and Darrel Virtusio, the operation capitalizes on current events by tricking victims into opening malicious .LNK shortcuts that are disguised as protest‑related photos or videos. The lure packages authentic media alongside a Farsi‑language “updates” report from “the rebellious cities of Iran,” framing the content in a pro‑protest narrative to boost credibility with Farsi‑speaking audiences.

While attribution remains unconfirmed, CRESCENTHARVEST is believed to be aligned with Iranian interests. It’s the second recently documented effort targeting specific individuals in the aftermath of the late‑2025 nationwide protests. HarfangLab previously detailed a cluster called RedKitten that sought to infect NGOs and individuals documenting human‑rights abuses in Iran with a bespoke backdoor known as SloppyMIO.
The initial access method has not been definitively established. Acronis assesses that the actors most likely rely on spear‑phishing or extended social engineering, building trust over time before sending booby‑trapped files. This mirrors past tradecraft from Iranian groups such as Charming Kitten and Tortoiseshell, which have a history of cultivating relationships through fake personas, sometimes for years, before deploying malware. Acronis notes that the Farsi content and the heroic portrayal of the protests indicate an intent to attract Farsi‑speaking individuals of Iranian origin who support the movement.

Infection Chain

  • Dropper: A malicious RAR archive claims to contain protest information (images/videos) and includes two Windows shortcut files that camouflage as media via double extensions (e.g., *.jpg.lnk, *.mp4.lnk).
  • Execution: When a victim launches a shortcut, PowerShell retrieves a ZIP archive while simultaneously opening a benign image/video to maintain the ruse.
  • Payload Delivery: The ZIP contains:
      ◦ software_reporter_tool.exe — a legitimate Google‑signed component from Chrome’s cleanup utility.
      ◦ Several DLLs, including two malicious libraries loaded via DLL side‑loading:
          ▪ urtcbased140d_d.dll — a C++ implant that extracts and decrypts Chrome app‑bound encryption keys through COM; overlaps with the open‑source ChromElevator project.
          ▪ version.dll (the CRESCENTHARVEST RAT) — enumerates installed AV/security tools and local user accounts; loads additional DLLs; collects system metadata, browser credentials, Telegram Desktop account data, and keystrokes.

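The two on-disk indicators in the chain above, double-extension shortcuts posing as media and a signed host binary sitting next to a system DLL name it will side-load, are easy to hunt for in an extracted archive or a user's Downloads folder. The following scanner is an added example written for this article, not code from Acronis or from the malware; the file names it looks for are taken from the chain described above, the sample directory layout it builds is constructed for the demo, and the extra side-load DLL names beyond version.dll are a general assumption about common search-order hijacking targets rather than something the article reports.

```python
"""Hunt for CRESCENTHARVEST-style artifacts: media-looking .lnk files and
DLL side-loading staged next to software_reporter_tool.exe.
Added example; IOC names come from the reported chain, sample tree is constructed."""
import os
import tempfile
from pathlib import Path

# Extensions the lure shortcuts imitate (article reports *.jpg.lnk, *.mp4.lnk).
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov", ".avi"}

# Legitimate Google-signed host binary abused for side-loading (from the article).
SIDELOAD_HOST = "software_reporter_tool.exe"

# DLLs the article names as side-loaded by that host, plus (assumption) a few
# other System32 DLL names commonly planted beside an EXE for search-order hijacks.
SIDELOAD_DLLS = {"version.dll", "urtcbased140d_d.dll"}
GENERIC_HIJACK_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll"}


def double_extension_lnk(name: str) -> bool:
    """True for shortcuts like 'tehran_01.jpg.lnk' whose inner extension is media."""
    p = Path(name.lower())
    return p.suffix == ".lnk" and Path(p.stem).suffix in MEDIA_EXTS


def check_directory(dirpath: str, filenames: list) -> list:
    """Return findings for one directory listing.

    Each finding is a tuple: ('double-extension-lnk', path) or
    ('sideload-host+dll', dirpath, [dll names]).
    """
    findings = []
    lower = {f.lower() for f in filenames}
    for f in filenames:
        if double_extension_lnk(f):
            findings.append(("double-extension-lnk", os.path.join(dirpath, f)))
    if SIDELOAD_HOST in lower:
        # Either the specific DLLs from this campaign or any System32-only DLL
        # name placed beside the host binary is a side-loading indicator.
        dlls = sorted(lower & (SIDELOAD_DLLS | GENERIC_HIJACK_DLLS))
        if dlls:
            findings.append(("sideload-host+dll", dirpath, dlls))
    return findings


def scan_tree(root: str) -> list:
    """Walk a directory tree (e.g. an extracted RAR/ZIP) and collect findings."""
    findings = []
    for dirpath, _, files in os.walk(root):
        findings.extend(check_directory(dirpath, files))
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample layout mirroring the described lure and payload."""
    layout = {
        "protest_photos": ["tehran_01.jpg.lnk", "rally.mp4.lnk", "tehran_01.jpg", "updates.txt"],
        "payload": [SIDELOAD_HOST, "version.dll", "urtcbased140d_d.dll", "vcruntime140.dll"],
        "clean": ["notes.lnk", "readme.txt"],
    }
    for sub, names in layout.items():
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        for n in names:
            Path(d, n).write_bytes(b"")  # contents irrelevant; names are the signal


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it, return finding counts by type."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
    counts = {}
    for kind, *_ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, count in sorted(demo().items()):
        print(f"{kind}: {count}")
```

The name-based checks are deliberately cheap so they can run over large mailbox or download-folder exports; a positive hit should be followed by inspecting the shortcut's actual target (a .lnk launching powershell.exe) and checking the signature of the host EXE versus the DLLs beside it.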
Command-and-Control & Capabilities
CRESCENTHARVEST uses Windows WinHTTP APIs to contact its C2 at servicelog-information[.]com, blending into normal web traffic. Supported commands include:

  • Anti — anti‑analysis checks
  • His — steal browser history
  • Dir — list directories
  • Cwd — get current directory
  • Cd — change directory
  • GetUser — retrieve user information
  • ps — run PowerShell (currently non‑functional)
  • KeyLog — enable keylogging
  • Tel_s — exfiltrate Telegram session data
  • Cook — steal browser cookies
  • Info — collect system information
  • F_log — extract browser credentials
  • Upload — upload files
  • shell — execute shell commands

“CRESCENTHARVEST continues a decade‑long pattern of suspected nation‑state espionage against journalists, activists, researchers, and diaspora communities,” Acronis said, noting familiar tactics such as LNK‑based initial access, signed‑binary DLL side‑loading, credential harvesting, and current‑events‑driven social engineering.

Broader Context
The disclosure follows reporting by The New York Times that Iranian authorities likely tracked protesters’ phone locations and sent SMS warnings stating their presence at “illegal gatherings” had been recorded and that they were under intelligence monitoring. An Iran‑focused digital rights group, Holistic Resilience (RaazNet), also noted that some individuals who posted about the protests had their SIM cards suspended.

RaazNet characterizes Iran’s approach as a conditional, interruptible connectivity model centered on the National Information Network (NIN), a continually evolving digital infrastructure. This model blends e‑government databases, surveillance cameras, and malware delivered via social engineering to maintain persistent insight into citizens’ online and physical movements. Among the tools cited is 2Ac2 RAT, a lightweight modular trojan used for remote control and data collection.
