Full Report
Cybersecurity researchers have disclosed details of a new campaign dubbed CRESCENTHARVEST, likely targeting supporters of Iran's ongoing protests to conduct information theft and long-term espionage. The Acronis Threat Research Unit (TRU) said it observed the activity after January 9, with the attacks designed to deliver a malicious payload that serves as a remote access trojan (RAT) and
Analysis Summary
# Threat Actor: Unattributed (Likely Iran-Aligned)
## Attribution & Identity
* **Actor Identification:** The campaign is currently unattributed to a specific named group, but researchers believe it is the work of an **Iran-aligned threat group**.
* **Aliases:** None currently assigned for this specific cluster.
* **Known Associations:** The activity shares behavioral overlaps (specifically social engineering patterns) with known Iranian state-sponsored groups such as **Charming Kitten (APT35)** and **Tortoiseshell**. It is also noted as the second major campaign targeting Iranian dissidents recently, following the **RedKitten** cluster.
## Activity Summary
* **Campaign Name:** CRESCENTHARVEST
* **Timeline:** Observed active after January 9, 2026.
* **Description:** A sophisticated cyber-espionage operation leveraging ongoing geopolitical unrest in Iran. The campaign uses lures related to "rebellious cities" and protest updates to deliver a Remote Access Trojan (RAT) and information stealer designed for long-term surveillance.
## Tactics, Techniques & Procedures
* **Social Engineering:** Uses "protracted social engineering," building rapport with victims over weeks or months before sending malicious files. Lures are written in Farsi to target specific demographics.
* **Initial Access:** Distribution via spear-phishing or direct messaging using malicious RAR archives.
* **Execution & Evasion:**
  * **LNK Masquerading:** Use of double extensions (e.g., `*.jpg.lnk` or `*.mp4.lnk`) to trick users into executing PowerShell code.
  * **Sideloading:** Use of a legitimate, Google-signed binary (`software_reporter_tool.exe`) to sideload malicious DLLs.
* **Component Overlaps:** Utilizes techniques from the open-source **ChromElevator** project to bypass browser security.
* **Credential Theft:** Specifically targets Chrome's "app-bound encryption" keys through COM interfaces to steal saved passwords and cookies.
* **MITRE ATT&CK IDs:**
  * T1566 (Phishing)
  * T1204.002 (User Execution: Malicious File)
  * T1574.002 (Hijack Execution Flow: DLL Side-Loading)
  * T1059.001 (Command and Scripting Interpreter: PowerShell)
  * T1555.003 (Credentials from Web Browsers)
## Targeting
* **Sectors:** Human Rights, NGOs, Political Activism.
* **Geography:** Primarily Iran; Farsi-speaking individuals of Iranian origin globally.
* **Victims:** Supporters of Iran's ongoing protests, dissidents, and individuals documenting human rights abuses.
## Tools & Infrastructure
* **Malware:**
  * **Custom RAT/Infostealer:** Capable of keystroke logging, file exfiltration, and command execution.
  * **`urtcbased140d_d.dll`:** A C++ implant for extracting browser encryption keys.
  * **`version.dll`:** A rogue library used for sideloading.
* **Decoys:** Images and videos of Iranian protests, and Farsi-language reports on "rebellious cities."
* **Infrastructure:** Specific C2 domains and IP addresses were not detailed in the source text; consult the original Acronis TRU report for indicators.
## Implications
The CRESCENTHARVEST campaign represents a targeted effort by pro-government elements to suppress dissent through digital surveillance. By gaining long-term access to the communications of protest supporters, the actors can identify networks of activists, potentially leading to real-world physical risks for the victims. The use of sophisticated techniques like "app-bound encryption" bypasses shows a maturing technical capability in Iranian-aligned cyber operations.
## Mitigations
* **Security Awareness:** Educate high-risk individuals on the dangers of "long-con" social engineering where attackers build trust over time.
* **System Hardening:** Disable or restrict the execution of PowerShell for non-administrative users.
* **File Screening:** Implement policies to block or alert on the execution of `.LNK` files from untrusted sources, especially those with double extensions.
* **Endpoint Detection:** Deploy EDR solutions to monitor for DLL sideloading activities involving legitimate signed binaries (like Chrome utilities) executing from non-standard directories.
* **Credential Protection:** Encourage the use of dedicated password managers rather than relying solely on browser-based password storage.
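As an added example (not code from the report or from Acronis TRU), the following Python implements two of the host-side checks above: screening file names for the double-extension `.lnk` lure pattern, and flagging `software_reporter_tool.exe` loading `version.dll` from anywhere other than the Windows system DLL directories. The event record shape, the decoy-extension list and the sample inputs are constructed assumptions for this example.

```python
import ntpath
from dataclasses import dataclass
from typing import Iterable, List

# Directories from which a legitimate version.dll is normally loaded (assumption
# for this example; a sideloaded copy sits next to the abused binary instead).
SYSTEM_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Inner extensions the lure names impersonate; the report cites .jpg and .mp4,
# the rest are assumed additions.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".mp4", ".pdf", ".docx"}


@dataclass
class ImageLoad:
    """Minimal Sysmon-style image-load record (EID 7), constructed for this example."""
    process_image: str   # full path of the process that loaded the module
    loaded_image: str    # full path of the DLL that was loaded


def _norm(path: str) -> str:
    # Normalise as a Windows path regardless of the host OS, then lowercase.
    return ntpath.normpath(path).lower()


def is_double_extension_lnk(filename: str) -> bool:
    """True for names such as protest.jpg.lnk that hide a shortcut behind a media extension."""
    stem, outer = ntpath.splitext(ntpath.basename(filename).lower())
    inner = ntpath.splitext(stem)[1]
    return outer == ".lnk" and inner in DECOY_EXTS


def is_version_dll_sideload(ev: ImageLoad) -> bool:
    """Flag software_reporter_tool.exe loading version.dll from a non-system directory."""
    proc, dll = _norm(ev.process_image), _norm(ev.loaded_image)
    if ntpath.basename(proc) != "software_reporter_tool.exe":
        return False
    if ntpath.basename(dll) != "version.dll":
        return False
    return ntpath.dirname(dll) not in SYSTEM_DLL_DIRS


def scan(filenames: Iterable[str], loads: Iterable[ImageLoad]) -> List[str]:
    """Run both checks and return one finding string per hit."""
    findings = [f"double-extension LNK: {n}" for n in filenames if is_double_extension_lnk(n)]
    findings += [f"version.dll sideload by {e.process_image}" for e in loads if is_version_dll_sideload(e)]
    return findings


if __name__ == "__main__":
    # Constructed sample input: an extracted archive listing and two load events.
    names = [r"C:\Users\u\Downloads\rebellious_cities.jpg.lnk", "report.pdf", "clip.mp4.LNK"]
    events = [ImageLoad(r"C:\Users\u\AppData\Local\Temp\srt\software_reporter_tool.exe",
                        r"C:\Users\u\AppData\Local\Temp\srt\version.dll"),
              ImageLoad(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\version.dll")]
    for f in scan(names, events):
        print(f)
```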