CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware

• Cybersecurity researchers have disclosed details of a new campaign dubbed CRESCENTHARVEST, likely targeting supporters of Iran’s ongoing protests to conduct information theft and long-term espionage.
• The Acronis Threat Research Unit (TRU) said it observed the activity after January 9, with the attacks designed to deliver a malicious payload that serves as a remote access trojan (RAT) and information stealer to execute commands, log keystrokes, and exfiltrate sensitive data.
• It’s currently not known if any of the attacks were successful.
• “The campaign exploits recent geopolitical developments to lure victims into opening malicious .LNK files disguised as protest-related images or videos,” researchers Subhajeet Singha, Eliad Kimhy, and Darrel Virtusio said in a report published this week.
• “These files are bundled with authentic media and a Farsi-language report providing updates from ‘the rebellious cities of Iran.’ This pro-protest framing appears to be intended to increase credibility and to attract Farsi-speaking Iranians seeking protest-related information.”
• CRESCENTHARVEST, although unattributed, is believed to be the work of an Iran-aligned threat group.
• The discovery makes it the second such campaign identified as going after specific individuals in the aftermath of the nationwide protests in Iran that began towards the end of 2025.
Article Summaries:
- Cybersecurity researchers have identified a new campaign, CRESCENTHARVEST, aimed at Iranian protest supporters. The operation, likely run by an Iran‑aligned threat group, delivers a remote‑access trojan (RAT) disguised as protest‑related images or videos. Victims are lured through spear‑phishing or prolonged social engineering, opening malicious .LNK files that trigger PowerShell scripts to download a ZIP archive containing a legitimate Google‑signed executable and rogue DLLs. The malware logs keystrokes, exfiltrates data, and can execute commands. While the attack’s success rate is unknown, it follows a pattern of targeted espionage against individuals documenting human‑rights abuses in Iran.
Sources: