
CRESCENTHARVEST Campaign Targets Iranian Protest Supporters With RAT Malware

Cybersecurity researchers have disclosed details of a new campaign, tracked as CRESCENTHARVEST, that targets supporters of Iran’s ongoing protests for long-term information theft and espionage.

The Acronis Threat Research Unit (TRU) said it observed the activity after January 9. The attack chain is designed to deliver a payload that functions as a remote access trojan (RAT), giving the attackers the ability to execute commands, log keystrokes, and exfiltrate sensitive data. It is not yet known whether any of the attacks were successful.

“This campaign uses recent developments in the country to lure victims into opening malicious .LNK files disguised as images or videos related to protests,” said researchers Subhajeet Singha, Eliad Kimhy, and Darrel Virtusio in a report published this week.

“These files are bundled with authentic media and a Farsi-language report that provides updates from the ‘rebellious cities of Iran.’ The protest theme appears intended to increase credibility and to attract Farsi-speaking Iranians seeking information related to the protests.”

Although it has not been attributed to a named actor, CRESCENTHARVEST is believed to be the work of an Iran-based threat group. The discovery makes it the second such campaign identified as targeting individuals since the nationwide protests in Iran began in late 2025.

Last month, French cybersecurity company HarfangLab described a threat group called RedKitten that targets non-governmental organizations and individuals involved in documenting human rights abuses in Iran, with the aim of infecting them with a custom backdoor known as SloppyMIO.

According to Acronis, the initial access vector used to spread the malware is unknown. However, it is suspected that threat actors rely on phishing or “long-term social engineering efforts” where operators build relationships with victims over time before sending malicious payloads.

It is worth noting that Iranian hacking groups such as Charming Kitten and Tortoiseshell have a long history of elaborate operations in which they approach their targets under false identities and cultivate relationships with them, in some cases for years, before sending weaponized files in the hope of infecting them with malware.

“The use of the Farsi language for social engineering and the distributed files depicting the protests in heroic terms suggest the intention of attracting Farsi-speaking Iranians, who support the ongoing protests,” the Swiss-based security firm noted.

The attack chain begins with a malicious RAR archive that purports to contain material related to the Iranian protests, including various images and videos, along with two Windows shortcut (LNK) files that masquerade as an image or video file by using a double-extension trick (*.jpg.lnk or *.mp4.lnk). Since Windows Explorer hides the .lnk extension by default, the victim sees only the media extension.

Once executed, the shortcut runs embedded PowerShell code that locates another ZIP archive while simultaneously opening a benign image or video, tricking the victim into believing they have opened the file they expected.
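The two steps above (a shortcut whose name ends in a media extension plus .lnk, and whose target is a scripting host with hidden-window arguments) can be checked statically without running the file. The following is an added example, not code from Acronis or from the campaign: a minimal parser for the Windows Shell Link (MS-SHLLINK) format that reads the header flags, skips the optional IDList and LinkInfo blocks, extracts the StringData fields (relative path, arguments, icon location), and applies triage rules for the double-extension lure. The two shortcuts it inspects are constructed in the script itself; the PowerShell command line, the file names and the keyword lists are illustrative assumptions, not indicators from the report.

```python
"""Minimal MS-SHLLINK parser plus triage for the double-extension .lnk lure.
Added example for illustration, not Acronis or campaign code; the sample
shortcuts below are constructed in this script, not captured samples."""
import ntpath
import struct

# CLSID 00021401-0000-0000-C000-000000000046 as stored on disk (little-endian fields)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData sections appear in this fixed order, each only if its flag is set
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELPATH),
                 ("working_dir", HAS_WORKDIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON))
# Assumed decoy extensions and scripting hosts used by the triage rules below
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov", ".pdf", ".docx"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}
SUSPICIOUS_ARGS = ("-enc", "encodedcommand", "hidden", "bypass", "iex",
                   "invoke-webrequest", "downloadstring", "frombase64string",
                   "expand-archive", "start-process")


def build_lnk(relative_path, arguments="", icon_location=""):
    """Construct a minimal Unicode .lnk containing only StringData (used for the samples)."""
    flags = IS_UNICODE | HAS_RELPATH | (HAS_ARGS if arguments else 0) | (HAS_ICON if icon_location else 0)
    # ShellLinkHeader: size, CLSID, flags, FILE_ATTRIBUTE_ARCHIVE, 3 timestamps,
    # file size, icon index, ShowCommand (7 = SW_SHOWMINNOACTIVE), hotkey, 3 reserved
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 7, 0, 0, 0, 0)
    values = {"relative_path": relative_path, "arguments": arguments, "icon_location": icon_location}
    body = b""
    for field, flag in STRING_FIELDS:
        if flags & flag:  # CountCharacters (WORD) followed by UTF-16LE chars, no terminator
            body += struct.pack("<H", len(values[field])) + values[field].encode("utf-16-le")
    return header + body


def parse_lnk(data):
    """Walk the header, skip IDList/LinkInfo if present, and return the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:      # IDListSize (WORD) + IDList bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # LinkInfoSize is the first DWORD of the structure
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags}
    for field, flag in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            info[field] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[field] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return info


def assess_lnk(filename, info):
    """Return (verdict, reasons) for one shortcut, tuned to the media-file lure."""
    reasons = []
    stem, ext = ntpath.splitext(filename)
    if ext.lower() == ".lnk" and ntpath.splitext(stem)[1].lower() in DECOY_EXTS:
        reasons.append("double_extension")
    target = ntpath.basename(info.get("relative_path", "")).lower()
    if target in SCRIPT_HOSTS:
        reasons.append("scripting_host:" + target)
    args = info.get("arguments", "").lower()
    hits = [kw for kw in SUSPICIOUS_ARGS if kw in args]
    if hits:
        reasons.append("suspicious_args:" + ",".join(hits))
    if "double_extension" in reasons and len(reasons) > 1:
        return "suspicious", reasons
    return ("review" if reasons else "clean"), reasons


def triage(samples):
    """samples: iterable of (filename, raw bytes) -> {filename: (verdict, reasons)}."""
    return {name: assess_lnk(name, parse_lnk(raw)) for name, raw in samples}


# Constructed lure (assumed command line): looks like a video, launches hidden
# PowerShell that opens a decoy image and stages an archive next to it.
LURE_NAME = "protest_tehran.mp4.lnk"
LURE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-NoProfile -WindowStyle Hidden -Command "Start-Process .\media\clip.jpg; '
    r'Expand-Archive .\media\pack.zip $env:TEMP\sr; Start-Process $env:TEMP\sr\software_reporter_tool.exe"',
    r"%SystemRoot%\System32\imageres.dll")
# Constructed benign shortcut for contrast.
BENIGN_NAME = "Notes.lnk"
BENIGN_LNK = build_lnk(r"..\Documents\Notes.txt")

if __name__ == "__main__":
    for name, (verdict, reasons) in triage([(LURE_NAME, LURE_LNK), (BENIGN_NAME, BENIGN_LNK)]).items():
        print(f"{name}: {verdict} {reasons}")
```

Real-world shortcuts usually carry an IDList and LinkInfo block before the strings; the parser skips both by their declared sizes rather than assuming a fixed layout. Because the relative path is what the LNK resolves against its own directory, a target like `..\..\..\Windows\System32\...\powershell.exe` is itself a strong signal that a "video" is really a script launcher.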

Contained within the ZIP archive is a legitimate Google-signed binary (“software_reporter_tool.exe”), shipped as part of the Chrome Cleanup Tool, together with several DLL files, including two malicious libraries that the signed binary side-loads to carry out the threat actor’s goals –

  • urtcbased140d_d.dll, a C++ component that extracts and decrypts Chrome’s app-bound encryption keys via COM communication. It shares overlap with an open-source project known as ChromElevator.
  • version.dll (also known as CRESCENTHARVEST), a remote access tool that enumerates installed antivirus products and security tools, lists local user accounts on the device, loads DLLs, and harvests system metadata, browser credentials, Telegram Desktop account data, and keystrokes.

CRESCENTHARVEST uses the Windows WinHTTP APIs to communicate with its command-and-control (C2) server (“servicelog-information[.]com”), allowing its traffic to blend in with normal HTTP activity. Some of the supported commands are listed below –

  • Aunt: perform anti-analysis checks
  • His own: steal browser history
  • Dir: list files
  • Cwd: get the current working directory
  • Cd: change directory
  • GetUser: get user information
  • p.s: run PowerShell commands (non-functional)
  • KeyLog: activate the keylogger
  • Phone_s: steal Telegram session data
  • Cook: steal browser cookies
  • Information: steal system information
  • F_log: steal browser information
  • Upload it: upload files
  • shell: run shell commands

“Operation CRESCENTHARVEST represents the latest chapter in a decade-long pattern of nationally targeted cyber espionage against journalists, activists, researchers, and diaspora communities scattered around the world,” Acronis said. “Much of what we’ve seen in CRESCENTHARVEST reflects well-established tradecraft: LNK-based initial access, DLL sideloading with signed binaries, credential harvesting, and social engineering aligned with current events.”

The revelations come days after the New York Times reported that the Iranian government may have used protesters’ cell phone locations to send them a message warning that their “presence at illegal gatherings” was being recorded and that they were “being employed by intelligence agencies.”

This action was said to be an attempt to quell dissent. According to a report published by the Iran-focused digital rights organization Holistic Resilience last week, some people who posted on social media about the protests and other political topics had their SIM cards suspended.

“The Islamic Republic is building a unique model of digital control and surveillance, one based not on permanent isolation but on conditional connectivity and disruption,” RaazNet said.

“The main pillar of this model is the National Information Network (NIN). Unlike traditional physical infrastructure, such as roads or factories, the NIN is not a static project. Like other digital systems, it continuously evolves in line with the development of communication technology, undergoes regular changes, and is expanded in response to changing technical and political requirements.”

The move is part of a broader effort that combines data from government-run internet databases, surveillance cameras, and malware distributed through social engineering to establish remote access and continuously monitor citizens’ online activity. One such tool is a lightweight trojan called 2Ac2 RAT, designed to control the victim’s device and collect data.
