CRESCENTHARVEST is a new malware campaign that targets supporters of the Iranian protests, exploiting the country's ongoing geopolitical unrest. The campaign, which mainly targets Iranian citizens and supporters of the protests overseas, has been closely watched by the Acronis TRU team for the last two weeks. By combining social engineering with malware that installs a remote access tool (RAT), the attackers are exploiting the current political climate in order to steal data.
Strategies for Campaigns and Social Engineering

The CRESCENTHARVEST malware campaign takes advantage of the political atmosphere surrounding the Iranian protests by luring victims with Farsi-language content.
As part of this lure, a malicious document named گزارش.docx (report.docx), which purports to provide updates on the protests, is distributed together with a .RAR archive said to contain videos and images from the demonstrations. The archive, however, holds two malicious LNK (Windows shortcut) files disguised as harmless media files. When opened, each shortcut runs a PowerShell script that launches the malware.
The script extracts and loads the malicious payloads and establishes persistence on the compromised system. To ensure that the malware keeps running after a reboot, the persistence mechanism is specifically designed to trigger when the victim's system connects to a network.
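The archive described above hides shortcut files behind media names, so a defender triaging such an extracted archive wants to see two things per .lnk: whether its visible name carries a media double extension, and whether its target or arguments invoke a script host such as PowerShell. The following Python script is an added example, not code from the Acronis report or from the campaign; it reads the StringData fields of the Shell Link format (header offsets follow the published MS-SHLLINK layout) and flags both conditions. The fixture directory, file names and shortcut contents are constructed for the demonstration.

```python
"""Triage .lnk files in an extracted archive for media double extensions and
script-host launchers. Added example; fixture data is constructed, not from the campaign."""
from __future__ import annotations

import re
import struct
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Shell Link header constants from the MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

# Extensions a lure shortcut typically hides behind, and script hosts worth flagging.
MEDIA_EXT = {".mp4", ".mov", ".avi", ".jpg", ".jpeg", ".png", ".gif"}
SCRIPT_HOST_RE = re.compile(r"powershell|pwsh|cmd\.exe|mshta|wscript|cscript|rundll32", re.I)


@dataclass
class LnkStrings:
    name: str
    relative_path: str
    working_dir: str
    arguments: str
    icon_location: str


def parse_lnk_strings(data: bytes) -> LnkStrings:
    """Validate the header, skip LinkTargetIDList/LinkInfo, and read the StringData fields."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:                      # IDListSize (u16) followed by item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) counts itself
        pos += struct.unpack_from("<I", data, pos)[0]

    def read_string(flag: int) -> str:
        nonlocal pos
        if not flags & flag:
            return ""
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        return raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace")

    # StringData fields always appear in this fixed order when present.
    return LnkStrings(read_string(HAS_NAME), read_string(HAS_REL_PATH),
                      read_string(HAS_WORK_DIR), read_string(HAS_ARGS), read_string(HAS_ICON))


def assess_lnk(path: Path, data: bytes) -> list[str]:
    """Return human-readable findings for one shortcut (empty list means nothing suspicious)."""
    findings: list[str] = []
    visible = path.name[:-4] if path.suffix.lower() == ".lnk" else path.name
    if Path(visible).suffix.lower() in MEDIA_EXT:
        findings.append(f"double extension: displayed as {Path(visible).suffix} but is a shortcut")
    s = parse_lnk_strings(data)
    launch = f"{s.relative_path} {s.arguments}".strip()
    if SCRIPT_HOST_RE.search(launch):
        findings.append(f"launches script host: {launch}")
    return findings


def triage_directory(root: Path) -> dict[str, list[str]]:
    """Assess every .lnk below root, keyed by file name."""
    return {p.name: assess_lnk(p, p.read_bytes()) for p in sorted(root.rglob("*.lnk"))}


def make_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode .lnk for the fixture (constructed test data, not a campaign sample)."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def field(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + field(relative_path) + field(arguments)


def run_demo() -> dict[str, list[str]]:
    """Create a fake extracted archive and triage it; names and contents are constructed."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "IMG_0001.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # plain image, ignored
        (root / "VID_0002.mp4.lnk").write_bytes(make_sample_lnk(
            r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
            "-WindowStyle Hidden -File launch.ps1"))
        (root / "notes.lnk").write_bytes(make_sample_lnk(r"..\Documents\notes.txt", ""))
        return triage_directory(root)


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(name, "->", findings or ["no findings"])
```

Running the script reports the disguised video shortcut twice (double extension, PowerShell launch) and the plain document shortcut not at all; point `triage_directory` at a real extraction directory to use it on incoming archives.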
Image caption: CRESCENTHARVEST Takes Advantage of Protest for RAT (Source: Acronis)

To avoid detection, the malware sideloads malicious dynamic link libraries (DLLs) through trusted executables such as software_reporter_tool.exe (a Google cleanup tool).

Information Theft and RAT

Once run, the malware acts as both an information stealer and a RAT. The first stage of the attack uses the urtcbased140d_d.dll implant, which targets Google Chrome in particular and decrypts the browser's encryption keys.
This implant collects private data such as cookies, session data, and browser credentials, and also harvests information from apps like Telegram. The data is then exfiltrated to the attacker's command-and-control (C2) server. The second implant, delivered by version.dll, functions as a backdoor that can steal even more information, including cookies, browsing history, and user credentials.
Additionally, it has a keylogging function that records every keystroke the victim makes and saves the keystrokes to a hidden file; once that file reaches a certain size, it is uploaded to the C2 server.

Image caption: A report and media files showing the ongoing protests in Iran are among the files sent to the victim (Source: Acronis).

This feature is particularly dangerous because it lets the attackers monitor private user activity, further jeopardizing victims' security and privacy. As CRESCENTHARVEST demonstrates, cybercriminals can exploit geopolitical tensions to further their espionage efforts. The campaign illustrates how cyberattacks are evolving, with threat actors increasingly building sophisticated attacks around political movements and current events.
Image caption: The malicious .LNK files are made to appear to the untrained eye like ordinary media files (Source: Acronis).

The malware's high level of sophistication is demonstrated by its use of advanced exfiltration techniques, DLL sideloading, and social engineering.

Indicators of compromise

SHA256                                                            File Name
0fbc1f9cbacf076d2ced458e2d1afff0c615640a4647996bca2b651b80f90a6e  version.dll
fc1319166cfb607402e9dcaf68ef13ce10f326dbb6ac406ef576e1c02e7404a9  urtcbased140d_d.dll
bd8a48d4dc71552c790a44065cce77c7592f1d00e6cbe904af01f1d164d4dd78  VID_20260114_000556_609.mp4.lnk
03315debd0c7a253b59a6b447d0673aa3de84103ca3cd4d5b6148c018d90b39b  IMG_20260140_000315_689.jpg.lnk
62c4814c88521619ec6bc42e93b88c23f6727e1413f312e53063cdf089c6bc58  files.rar
e3cf12272d9103e4693333543b0f25840b18ac6bbea11d17202d752e6a49d707  tmp1732799711.zip
dde9fec23a8db87842babb40c306ee6685a13de7a6a2d9f6dc65ed5ea5df87a3  tmp205099634.zip

Domain/IP                   Description
servicelog-information.com  C2 Server
185.242.105.230             C2 Server

As this campaign is likely targeting Farsi-speaking individuals in support of the Iranian protests, it underscores the importance of remaining vigilant.
Organizations and individuals aligned with politically sensitive causes should treat unsolicited files with suspicion, use hardware security keys, and implement strong security measures to protect themselves from this growing threat. The CRESCENTHARVEST malware has been detected and blocked by Acronis EDR/XDR systems.
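The sideloading host named earlier (software_reporter_tool.exe) and the file hashes listed above give a responder two concrete checks to run across a disk image or endpoint export: is the Chrome cleanup tool present anywhere other than Chrome's own SwReporter directory, is a DLL with one of the reported names sitting beside it, and does any file in that directory match a published SHA256. The Python below is an added example, not Acronis tooling or campaign code. The hash set is copied from the table above; the expected-location heuristic (the genuine tool living under a SwReporter directory) is an assumption of this example rather than a statement from the report, and the fixture directory tree and file contents are constructed.

```python
"""Hunt for software_reporter_tool.exe copies staged for DLL sideloading and match
files against the published SHA256 indicators. Added example with a constructed fixture."""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# SHA256 indicators as listed in the Acronis report quoted on the page.
CRESCENTHARVEST_SHA256 = {
    "0fbc1f9cbacf076d2ced458e2d1afff0c615640a4647996bca2b651b80f90a6e",  # version.dll
    "fc1319166cfb607402e9dcaf68ef13ce10f326dbb6ac406ef576e1c02e7404a9",  # urtcbased140d_d.dll
    "bd8a48d4dc71552c790a44065cce77c7592f1d00e6cbe904af01f1d164d4dd78",  # VID_20260114_000556_609.mp4.lnk
    "03315debd0c7a253b59a6b447d0673aa3de84103ca3cd4d5b6148c018d90b39b",  # IMG_20260140_000315_689.jpg.lnk
    "62c4814c88521619ec6bc42e93b88c23f6727e1413f312e53063cdf089c6bc58",  # files.rar
    "e3cf12272d9103e4693333543b0f25840b18ac6bbea11d17202d752e6a49d707",  # tmp1732799711.zip
    "dde9fec23a8db87842babb40c306ee6685a13de7a6a2d9f6dc65ed5ea5df87a3",  # tmp205099634.zip
}
SIDELOAD_HOST = "software_reporter_tool.exe"
SUSPECT_DLLS = {"version.dll", "urtcbased140d_d.dll"}
# Assumption used as a heuristic: the genuine Chrome cleanup tool lives under Chrome's
# SwReporter directory, so a copy anywhere else deserves a look.
EXPECTED_DIR_PART = "swreporter"


def sha256_of(path: Path) -> str:
    """Stream the file so large images or archives do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_sideload(root: Path, ioc_hashes: set[str]) -> list[dict]:
    """Return one finding per suspicious copy of the sideload host below root."""
    findings = []
    for exe in root.rglob("*"):
        if not (exe.is_file() and exe.name.lower() == SIDELOAD_HOST):
            continue
        siblings = [s for s in exe.parent.iterdir() if s.is_file()]
        outside = EXPECTED_DIR_PART not in {p.lower() for p in exe.parts}
        planted = sorted(s.name for s in siblings if s.name.lower() in SUSPECT_DLLS)
        hash_hits = sorted(s.name for s in siblings if sha256_of(s) in ioc_hashes)
        if outside or planted or hash_hits:
            findings.append({"host": str(exe), "outside_expected_dir": outside,
                             "planted_dlls": planted, "ioc_hash_hits": hash_hits})
    return findings


def run_demo() -> list[dict]:
    """Build a constructed directory tree with one legitimate and one staged copy, then hunt."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        legit = root / "AppData/Local/Google/Chrome/User Data/SwReporter/99.0.0.1"
        legit.mkdir(parents=True)
        (legit / SIDELOAD_HOST).write_bytes(b"MZ legit placeholder")
        staged = root / "Users/Public/Videos"
        staged.mkdir(parents=True)
        (staged / SIDELOAD_HOST).write_bytes(b"MZ copied host placeholder")
        (staged / "version.dll").write_bytes(b"MZ planted dll placeholder")
        # Published hashes cannot match constructed bytes, so the fixture's own hash is added
        # purely to exercise the hash branch; against real data use only the published set.
        iocs = CRESCENTHARVEST_SHA256 | {sha256_of(staged / "version.dll")}
        return hunt_sideload(root, iocs)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Only the copy under Users/Public/Videos is reported: it sits outside the SwReporter path, has version.dll beside it, and that DLL's hash is in the indicator set. The legitimate install produces no finding.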
Nonetheless, because the attackers keep refining their methods, this threat remains a concern for people and organizations in vulnerable regions.