CRESCENTHARVEST Campaign Targets Iran Protest Supporters with RAT Malware

Cybersecurity researchers have uncovered a new cyber espionage campaign, dubbed CRESCENTHARVEST, that appears to target individuals supporting ongoing protests in Iran. The operation is designed to deploy a remote access trojan (RAT) capable of long term surveillance, credential theft, and sensitive data exfiltration.

Security analysts warn that the campaign reflects a broader pattern of nation state aligned cyber activity aimed at activists, journalists, and diaspora communities.

Protest Themed Social Engineering Lures

The campaign was identified by the Acronis Threat Research Unit after activity was observed following January 9. Researchers Subhajeet Singha, Eliad Kimhy, and Darrel Virtusio reported that attackers leveraged recent geopolitical tensions to craft highly convincing phishing lures.

Victims are enticed into opening malicious Windows shortcut (LNK) files disguised as protest related images or videos. These files are bundled with authentic media content and a Farsi language report describing developments from what is framed as the rebellious cities of Iran.

The pro protest narrative is carefully constructed to increase credibility and appeal specifically to Farsi speaking individuals searching for updates about the demonstrations.

Likely Iran Aligned Threat Activity

Although the campaign has not been officially attributed, researchers believe it is likely connected to an Iran aligned threat actor. This marks the second significant campaign identified in the wake of nationwide protests that began toward the end of 2025.

Recently, French cybersecurity firm HarfangLab exposed a separate threat cluster named RedKitten that targeted NGOs and individuals documenting human rights abuses in Iran. That operation used a custom backdoor known as SloppyMIO.

The techniques seen in CRESCENTHARVEST closely resemble tactics historically associated with Iranian groups such as Charming Kitten and Tortoiseshell, both known for long term social engineering campaigns where trust is built over months or even years before malware deployment.

Initial Infection Chain

The attack begins with a malicious RAR archive claiming to contain protest related images and videos. Inside the archive are two LNK files that use a double extension trick, for example:

  • *.jpg.lnk
  • *.mp4.lnk

When executed, the deceptive file launches embedded PowerShell commands to download an additional ZIP archive. At the same time, a harmless image or video is displayed to prevent suspicion.

Within the downloaded archive is a legitimate Google signed binary, software_reporter_tool.exe, normally part of Chrome cleanup utilities. Alongside it are multiple DLL files, including two malicious libraries that are sideloaded to execute the attacker’s objectives.
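As an added defender-side example (not code from the Acronis report or this article), the following Python prototype flags the two on-disk artefacts of the chain just described in a constructed list of file-creation paths: media-named double-extension .lnk files, and the Google signed host binary sitting in the same folder as one of the two DLL names given here. All paths are invented.

```python
from pathlib import PureWindowsPath

# Constructed sample of file-creation paths (e.g. from an EDR file-create feed).
# Paths and user name are invented for this example.
SAMPLE_EVENTS = [
    r"C:\Users\sara\Downloads\protest_images\tehran_01.jpg.lnk",
    r"C:\Users\sara\Downloads\protest_images\tehran_02.mp4.lnk",
    r"C:\Users\sara\Downloads\protest_images\tehran_03.jpg",
    r"C:\Users\sara\AppData\Local\Temp\sw\software_reporter_tool.exe",
    r"C:\Users\sara\AppData\Local\Temp\sw\version.dll",
    r"C:\Users\sara\AppData\Local\Temp\sw\urtcbased140d_d.dll",
    r"C:\Users\sara\Desktop\notes.txt.lnk",
]

# Inner extensions that make a .lnk look like a photo or video (assumed set).
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".avi", ".mov"}
SIDELOAD_HOST = "software_reporter_tool.exe"
SIDELOAD_DLLS = {"version.dll", "urtcbased140d_d.dll"}


def flag_double_extension_lnk(paths):
    """Return .lnk files whose name masquerades as a media file (photo.jpg.lnk)."""
    hits = []
    for p in paths:
        name = PureWindowsPath(p).name.lower()
        if name.endswith(".lnk"):
            inner = PureWindowsPath(name[:-4]).suffix  # extension hidden before .lnk
            if inner in MEDIA_EXTS:
                hits.append(p)
    return hits


def flag_sideload_pairs(paths):
    """Return directories (lower-cased) where the signed host binary is co-located
    with one of the DLL names used for sideloading in this campaign."""
    by_dir = {}
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir.setdefault(str(wp.parent).lower(), set()).add(wp.name.lower())
    return [d for d, names in by_dir.items()
            if SIDELOAD_HOST in names and names & SIDELOAD_DLLS]


if __name__ == "__main__":
    for hit in flag_double_extension_lnk(SAMPLE_EVENTS):
        print("double-extension LNK:", hit)
    for d in flag_sideload_pairs(SAMPLE_EVENTS):
        print("possible DLL sideload staging dir:", d)
```

The second check deliberately ignores where the host binary "should" live; a software_reporter_tool.exe next to a user-writable version.dll is the signal, regardless of folder.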

Malware Components and Capabilities

The first malicious DLL, urtcbased140d_d.dll, functions as a C++ implant that extracts and decrypts Chrome encryption keys through COM interfaces. It shares similarities with an open source tool called ChromElevator.

The second component, version.dll, also referred to as CRESCENTHARVEST, operates as a fully featured RAT. Its capabilities include:

  • Listing installed antivirus and security tools
  • Enumerating local user accounts
  • Harvesting browser credentials and cookies
  • Stealing Telegram desktop session data
  • Logging keystrokes
  • Uploading files
  • Executing shell and PowerShell commands
  • Collecting system metadata

The malware communicates with its command and control server using the Windows WinHTTP APIs, blending malicious traffic with legitimate network activity. The identified C2 domain is servicelog information dot com.

Broader Digital Surveillance Concerns

The disclosure comes shortly after reporting by The New York Times revealed that Iran’s government likely tracked protesters’ phone locations and issued warning text messages stating that their presence at illegal gatherings had been recorded.

Meanwhile, the Iran focused digital rights group Holistic Resilience reported that some individuals posting protest related content on social media had their SIM cards suspended.

A central element of Iran’s digital infrastructure strategy is the National Information Network, or NIN. Unlike static infrastructure, this system is continuously updated and expanded to align with political and technical objectives. Observers suggest it plays a key role in enabling conditional internet access and advanced monitoring capabilities.

The broader surveillance model reportedly integrates e government databases, camera systems, and malware delivered through social engineering campaigns to maintain sustained oversight of digital activity. One known tool associated with such monitoring is 2Ac2 RAT, a lightweight modular trojan designed for device control and intelligence collection.
