CRESCENTHARVEST Malware Campaign Exploits Iran Protests for Espionage
#Security

Security Reporter

Security researchers reveal a new Iranian-aligned threat campaign targeting protest supporters with sophisticated social engineering and RAT malware.

Security researchers at Acronis Threat Research Unit have uncovered an ongoing malware campaign targeting supporters of Iran's political protests. Dubbed CRESCENTHARVEST, this operation delivers advanced remote access trojan (RAT) malware through deceptive protest-related content, enabling attackers to steal sensitive information and conduct surveillance.

Exploiting Geopolitical Tensions

The campaign exploits recent political unrest in Iran, using social engineering tactics to lure victims. Attackers distribute malicious RAR archives containing protest-related images and videos alongside disguised Windows shortcut (.LNK) files. As Acronis researchers Subhajeet Singha, Eliad Kimhy, and Darrel Virtusio explain: "The campaign exploits recent geopolitical developments to lure victims into opening malicious .LNK files disguised as protest-related media. This pro-protest framing increases credibility among Farsi-speaking Iranians seeking protest updates."

When victims launch the deceptive files, they trigger a multi-stage infection process:

  1. PowerShell scripts download a ZIP archive while displaying the decoy protest media
  2. The archive contains Google's legitimate, signed software_reporter_tool.exe
  3. Malicious DLLs (urtcbased140d_d.dll and version.dll) placed alongside it are sideloaded by that binary

The malware shares similarities with the open-source ChromElevator project and performs extensive credential theft from browsers and Telegram. CRESCENTHARVEST's capabilities include:

  • Browser history and credential harvesting
  • Telegram session data theft
  • Keylogging functionality
  • System information collection
  • File exfiltration
  • Command execution

Sophisticated Tradecraft

This campaign follows established patterns of Iranian threat groups like Charming Kitten and Tortoiseshell, known for building long-term relationships with targets before deploying malware. Attackers use Farsi-language content and protest imagery to establish trust, with researchers noting: "The use of Farsi language content suggests intent to attract Farsi-speaking individuals of Iranian origin who support the protests."

Communication with command-and-control servers (such as servicelog-information[.]com) blends with normal traffic by using the Windows WinHTTP APIs. The malware also includes anti-analysis checks and enumerates installed security tools.

Protection Recommendations

For individuals and organizations supporting protest movements:

  1. Verify sources of protest-related content through trusted channels
  2. Disable automatic execution of LNK files via Group Policy
  3. Monitor for suspicious PowerShell activity
  4. Implement application allowlisting to prevent unauthorized executables
  5. Use dedicated devices for sensitive activism work

Security teams should:

  • Block domains like servicelog-information[.]com
  • Detect DLL sideloading patterns involving Google-signed binaries
  • Monitor for unusual Chrome credential access patterns
  • Implement behavioral detection for keylogging activities
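The infection chain above and the "detect DLL sideloading patterns involving Google-signed binaries" recommendation can be turned into a concrete hunt. The following is an added example, not code from Acronis or the article: it filters Sysmon-style image-load events for the named host binary loading version.dll or urtcbased140d_d.dll from outside the Windows system directories. The event field names, the system-directory paths and the sample events are assumptions.

```python
import ntpath

# Names taken from the report: the abused signed binary and the two sideloaded DLLs.
HOST_PROCESS = "software_reporter_tool.exe"
SIDELOADED_DLLS = {"version.dll", "urtcbased140d_d.dll"}
# Where a genuine version.dll is expected to live (assumed Windows defaults).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def is_sideload(event):
    """True when software_reporter_tool.exe loads one of the named DLLs from a
    non-system directory, i.e. the copy dropped next to the executable."""
    proc = ntpath.basename(event["Image"]).lower()
    dll_path = event["ImageLoaded"]
    dll = ntpath.basename(dll_path).lower()
    if proc != HOST_PROCESS or dll not in SIDELOADED_DLLS:
        return False
    return not _in_system_dir(dll_path)


def find_sideloads(events):
    """Return only the image-load events that match the sideload pattern."""
    return [e for e in events if is_sideload(e)]


# Constructed sample events (simplified Sysmon Event ID 7 fields); not from the report.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\user\\AppData\\Local\\Temp\\update\\software_reporter_tool.exe",
     "ImageLoaded": "C:\\Users\\user\\AppData\\Local\\Temp\\update\\version.dll"},
    {"Image": "C:\\Users\\user\\AppData\\Local\\Temp\\update\\software_reporter_tool.exe",
     "ImageLoaded": "C:\\Users\\user\\AppData\\Local\\Temp\\update\\urtcbased140d_d.dll"},
    # Benign: Chrome itself loading the real version.dll from System32.
    {"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll"},
    # Benign: the reporter tool in its usual location loading the real version.dll.
    {"Image": "C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\1.2\\software_reporter_tool.exe",
     "ImageLoaded": "C:\\Windows\\System32\\version.dll"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print("sideload:", hit["Image"], "->", hit["ImageLoaded"])
```

The same rule maps directly onto a SIEM query over Sysmon image-load telemetry: process name equals the host binary, loaded module name in the DLL set, and module path not under the system directories.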

This campaign represents the latest in a decade-long pattern of nation-state operations targeting activists and journalists. As Acronis concludes: "CRESCENTHARVEST reflects well-established tradecraft aligned to current events." Organizations tracking Iranian cyber activity should review the full technical analysis for detection signatures.

Security professionals should also note similarities to the recent RedKitten campaign documented by HarfangLab, which similarly targets human rights documentation efforts in Iran.
