CRESCENTHARVEST Campaign Targets Iran Protesters with RAT Malware


Acronis researchers uncovered CRESCENTHARVEST, a cyber espionage campaign hitting Iran protest supporters since January 9, 2026. Attackers use fake protest files to deliver RAT malware for spying and data theft. No confirmed infections yet.

The campaign bundles real protest images, videos, and Farsi reports with malicious LNK files disguised as media. Iran-aligned hackers likely aim at Farsi speakers tracking “rebellious cities” updates. Spear-phishing or long-term social engineering spreads the lures.

This marks the second attack wave post-2025 Iran protests. HarfangLab’s RedKitten campaign hit NGOs and rights documenters last month with SloppyMIO backdoor. Iranian groups like Charming Kitten follow this pattern with fake personas built over months.

Malware starts with RAR archives claiming protest content. Double-extension LNK files (*.jpg.lnk) hide PowerShell code. They fetch ZIPs while showing harmless media to dodge suspicion.

Malware Delivery Chain

ZIPs carry Google-signed “software_reporter_tool.exe” from Chrome cleanup tools. It sideloads two rogue DLLs.

Component                     | Role             | Capabilities
urtcbased140d_d.dll           | Chrome decryptor | Pulls app-bound encryption keys via COM
version.dll (CRESCENTHARVEST) | RAT core         | AV enum, user accounts, keylogging, Telegram data

The RAT talks to its C2 server, servicelog-information[.]com, through WinHTTP APIs so the traffic blends with normal Windows web activity.

Supported RAT Commands

CRESCENTHARVEST handles multiple remote tasks.

  • Anti: Anti-analysis checks
  • His: Browser history theft
  • KeyLog: Activates keylogger
  • Tel_s: Steals Telegram sessions
  • F_log: Grabs browser credentials
  • Cook: Cookie harvesting
  • shell: Full shell access

Iranian APT Patterns

Groups weaponize trust with deep social engineering.

  • Charming Kitten: Poses as recruiters, journalists for years
  • Tortoiseshell: Fake personas target activists
  • RedKitten: Recent SloppyMIO hits rights groups

CRESCENTHARVEST uses established tricks: LNK-based initial access, signed-binary DLL sideloading, current-event lures.

Broader Context

Iran tracks protesters via phone location data. Text warnings cite “illegal gatherings” under intelligence watch. SIM suspensions hit social media posters.

RaazNet maps National Information Network (NIN) surveillance:

  • E-gov databases + CCTV feeds
  • Social engineering malware
  • 2Ac2 RAT for device control

Protection Steps

  • Block LNK execution via GPO
  • Scan RAR/ZIP archives before extraction
  • Monitor software_reporter_tool.exe sideloading
  • Train on double-extension tricks
  • Check WinHTTP connections to suspicious domains
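As an added example (not code from Acronis or this article), a small Python triage helper that applies two of the checks above to an archive member listing: it flags media-looking double-extension LNK lures and directories where the signed software_reporter_tool.exe sits next to the two DLL names reported here. The inner extensions beyond .jpg and the sample listing are constructed assumptions; version.dll is also a legitimate Windows DLL, so only its co-location with the host binary is treated as suspicious.

```python
import re

# Inner "media" extensions that make a .lnk look like a picture or clip.
# The article reports *.jpg.lnk; the other entries generalise the same trick (assumption).
MEDIA_EXTS = ("jpg", "jpeg", "png", "gif", "mp4", "mov", "pdf", "docx")
DOUBLE_EXT_LNK = re.compile(r"\.(" + "|".join(MEDIA_EXTS) + r")\.lnk$", re.IGNORECASE)

# Signed host binary and the rogue DLL names reported for this campaign.
SIDELOAD_HOST = "software_reporter_tool.exe"
ROGUE_DLLS = {"version.dll", "urtcbased140d_d.dll"}


def split_member(member: str) -> tuple[str, str]:
    """Split an archive member path into (directory, lower-cased basename)."""
    normalised = member.replace("\\", "/")
    directory, _, name = normalised.rpartition("/")
    return directory, name.lower()


def find_double_extension_lnks(members: list[str]) -> list[str]:
    """Return members whose name ends in <media ext>.lnk, e.g. photo.jpg.lnk."""
    return [m for m in members if DOUBLE_EXT_LNK.search(split_member(m)[1])]


def find_sideload_pairs(members: list[str]) -> list[tuple[str, list[str]]]:
    """Return (directory, rogue DLLs) for every directory holding the host exe and a rogue DLL."""
    by_dir: dict[str, set[str]] = {}
    for m in members:
        directory, name = split_member(m)
        by_dir.setdefault(directory, set()).add(name)
    hits = []
    for directory, names in sorted(by_dir.items()):
        if SIDELOAD_HOST in names and names & ROGUE_DLLS:
            hits.append((directory, sorted(names & ROGUE_DLLS)))
    return hits


def triage(members: list[str]) -> dict[str, list]:
    """Run both checks over one archive listing."""
    return {
        "double_ext_lnk": find_double_extension_lnks(members),
        "sideload_pairs": find_sideload_pairs(members),
    }


# Constructed sample listing mimicking the lure archive described in the article.
SAMPLE_MEMBERS = [
    "protest_photos/tehran_march.jpg.lnk", "protest_photos/rally_clip.MP4.lnk",
    "protest_photos/report_farsi.docx", "protest_photos/cover.jpg", "notes.lnk",
    "update/software_reporter_tool.exe", "update/version.dll",
    "update/urtcbased140d_d.dll", "update/readme.txt",
]

if __name__ == "__main__":
    print(triage(SAMPLE_MEMBERS))
```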

FAQ

What is CRESCENTHARVEST?

Iran-aligned espionage hitting protest supporters with RAT via fake media files.

How does infection start?

Malicious RARs with LNK files disguised as protest images/videos.

What data gets stolen?

Browser creds, Telegram sessions, keystrokes, system info.

Who likely runs it?

Iranian threat actors exploiting 2025 protest momentum.

C2 domain?

servicelog-information[.]com via WinHTTP blending.

Related campaigns?

RedKitten (SloppyMIO), Charming Kitten long-term ops.
