A highly skilled new malware campaign called "CRESCENTHARVEST" has emerged, deliberately taking advantage of Iran's geopolitical instability to target protesters and dissidents. This cyberespionage operation uses social engineering to deliver a capability that works as both an advanced information stealer and a remote access trojan (RAT).

By imitating authentic protest-related content, the attackers aim to win the trust of particular targets and, through them, gain access to sensitive systems. The infection chain starts with an archive file containing what appear to be genuine reports and media about the ongoing protests. Inside this package, victims encounter .LNK files such as VID_20260114_000556_609.mp4.lnk, disguised as image or video files by a double extension. When opened, these shortcuts set off a covert sequence that displays the expected decoy content while simultaneously deploying the payload, so that nothing looks amiss to the victim.
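The double-extension trick relies on the file being treated by its last extension (.lnk) while the eye stops at the media extension in front of it. As an added example, not code from Acronis or from the campaign itself, the Python triage below parses the fixed 76-byte ShellLinkHeader that every Windows shortcut starts with (header size 0x4C followed by the Shell Link CLSID, per Microsoft's [MS-SHLLINK] specification) and flags any file that is really a shortcut but is named like a photo, video or document, plus any shortcut whose LinkFlags say it passes command-line arguments to its target. The archive contents are constructed sample bytes, not real campaign files; only the lure filename is taken from the article.

```python
import struct

# ShellLinkHeader constants from Microsoft's [MS-SHLLINK] specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
FLAG_HAS_LINK_TARGET_ID_LIST = 0x01
FLAG_HAS_ARGUMENTS = 0x20

# Extensions a lure borrows to pass as a photo, video or document.
MEDIA_EXTENSIONS = {".mp4", ".mov", ".avi", ".mkv", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".docx"}


def parse_lnk_header(data: bytes):
    """Return the LinkFlags field if `data` begins with a valid ShellLinkHeader, else None."""
    if len(data) < LNK_HEADER_SIZE:
        return None
    header_size = struct.unpack_from("<I", data, 0)[0]
    if header_size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        return None
    return struct.unpack_from("<I", data, 20)[0]


def media_stem_extension(name: str):
    """For 'clip.mp4.lnk' return '.mp4'; None when the name has no media double extension."""
    lower = name.lower()
    if not lower.endswith(".lnk"):
        return None
    stem = lower[:-4]
    dot = stem.rfind(".")
    if dot == -1:
        return None
    ext = stem[dot:]
    return ext if ext in MEDIA_EXTENSIONS else None


def triage(files: dict) -> list:
    """Flag shortcuts posing as media. `files` maps filename -> raw bytes; returns (name, reason) pairs."""
    findings = []
    for name, data in files.items():
        flags = parse_lnk_header(data)
        if flags is None:
            continue  # not a Shell Link at all, whatever the name says
        reasons = []
        fake_ext = media_stem_extension(name)
        if fake_ext:
            reasons.append(f"shortcut disguised as a {fake_ext} file")
        if flags & FLAG_HAS_ARGUMENTS:
            reasons.append("shortcut passes command-line arguments to its target")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


def build_lnk_header(link_flags: int) -> bytes:
    """Build a minimal 76-byte ShellLinkHeader; used only to construct the sample input below."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", link_flags)
    return header + b"\x00" * (LNK_HEADER_SIZE - len(header))


# Constructed sample archive contents (not real campaign files): a disguised shortcut that carries
# arguments, a genuine MP4 (ISO BMFF 'ftyp' box) and an ordinary shortcut without arguments.
SAMPLE_FILES = {
    "VID_20260114_000556_609.mp4.lnk": build_lnk_header(FLAG_HAS_LINK_TARGET_ID_LIST | FLAG_HAS_ARGUMENTS),
    "protest_clip.mp4": b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 68,
    "Readme.lnk": build_lnk_header(FLAG_HAS_LINK_TARGET_ID_LIST),
}

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_FILES):
        print(f"SUSPICIOUS {name}: {reason}")
```

Checking the header rather than the name is what matters: an archive that hides extensions in the file listing still cannot hide the CLSID, and a shortcut carrying arguments to a target has no business sitting next to photos.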

[Image: Chain of attack (Source: Acronis)]

By mixing the malicious files in with authentic Farsi-language documents, the technique evades initial scrutiny. Acronis analysts found that the malware uses DLL sideloading: it loads its malicious libraries through a signed Google executable, software_reporter_tool.exe, so that the hostile code runs under a trusted, validly signed host process.

[Image: Sideloading DLLs (Source: Acronis)]

This gives the threat actors the ability to execute commands, record keystrokes, and steal sensitive information such as Telegram session files and browser credentials.
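Sideloading works because the host binary is genuinely signed; what gives it away is the library it pulls in and where the host is running from. As an added example, not from Acronis or the malware, the Python hunt below runs over Sysmon Event ID 7 (Image loaded) records and flags a known sideload-prone host that loads a DLL which is unsigned, invalidly signed, or signed by a publisher other than the host's own, and separately flags the host running outside its expected install directory. It also serves the advice at the end of the article to rigorously validate signed binaries. The expected directory for software_reporter_tool.exe (under Chrome's User Data\SwReporter) and the "Google LLC" publisher string are assumptions to adjust for your estate; the events themselves are constructed JSON-per-line records using Sysmon's field names, not real telemetry, and payload.dll is a made-up name.

```python
import json
from pathlib import PureWindowsPath

# Signed host binaries known to be abused for sideloading, with the publisher their own signature carries
# and the directory they are expected to run from. software_reporter_tool.exe is the host named in the
# Acronis report; its expected directory and publisher string are assumptions to adjust for your estate.
SIDELOAD_HOSTS = {
    "software_reporter_tool.exe": {
        "publisher": "Google LLC",
        "expected_dir_fragment": "\\google\\chrome\\user data\\swreporter\\",
    },
}

# Directories from which Windows legitimately serves DLLs to every process.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


def assess_image_load(event: dict) -> list:
    """Reasons why one Sysmon Event ID 7 (Image loaded) record looks like DLL sideloading."""
    host_path = event["Image"]
    host = PureWindowsPath(host_path).name.lower()
    profile = SIDELOAD_HOSTS.get(host)
    if profile is None:
        return []
    dll = event["ImageLoaded"]
    if dll.lower().startswith(SYSTEM_DIRS):
        return []  # OS-supplied library, loaded by every process
    reasons = []
    if profile["expected_dir_fragment"] not in host_path.lower():
        reasons.append(f"{host} running from unexpected directory {PureWindowsPath(host_path).parent}")
    signed_ok = event.get("Signed", "false").lower() == "true" and event.get("SignatureStatus") == "Valid"
    if not signed_ok:
        reasons.append(f"{host} loaded unsigned or invalidly signed DLL {dll}")
    elif event.get("Signature") != profile["publisher"]:
        reasons.append(f"{host} loaded {dll} signed by '{event.get('Signature')}' rather than '{profile['publisher']}'")
    return reasons


def hunt(lines) -> list:
    """Run the check over newline-delimited JSON events; returns (dll_path, reasons) for each hit."""
    findings = []
    for line in lines:
        event = json.loads(line)
        if event.get("EventID") != 7:
            continue
        reasons = assess_image_load(event)
        if reasons:
            findings.append((event["ImageLoaded"], reasons))
    return findings


# Constructed sample events (not real telemetry): the host staged in a Temp folder loading an unsigned
# DLL beside it, the same host loading a system DLL, the genuine host loading a Google-signed helper,
# and a process-creation event that the hunt ignores.
SWREPORTER_PATH = "C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\1.0.0.0\\software_reporter_tool.exe"
STAGED_PATH = "C:\\Users\\victim\\AppData\\Local\\Temp\\Report\\software_reporter_tool.exe"
SAMPLE_EVENTS = [
    json.dumps({"EventID": 7, "Image": STAGED_PATH,
                "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\Report\\payload.dll",
                "Signed": "false", "SignatureStatus": "Unavailable"}),
    json.dumps({"EventID": 7, "Image": STAGED_PATH,
                "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
                "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 7, "Image": SWREPORTER_PATH,
                "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\1.0.0.0\\helper.dll",
                "Signed": "true", "Signature": "Google LLC", "SignatureStatus": "Valid"}),
    json.dumps({"EventID": 1, "Image": STAGED_PATH, "CommandLine": STAGED_PATH}),
]

if __name__ == "__main__":
    for dll, reasons in hunt(SAMPLE_EVENTS):
        print(dll)
        for reason in reasons:
            print("  -", reason)
```

Two independent signals are deliberately kept: a correctly signed host in the wrong directory is already worth a look, and an unsigned same-directory DLL is worth a look even when the host sits where it belongs.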

[Image: A report and media files showing the ongoing protests in Iran are among the files sent to the victim (Source: Acronis)]

Long-term monitoring and intelligence collection on people who support the opposition movement appears to be the campaign's main goal. The operational sophistication points to a well-resourced adversary, probably aligned with the interests of the Iranian state.

The attackers raise the odds of a successful infection by embedding the malware in material that resonates emotionally with the target audience. Its modular design lets the malware adapt to a variety of environments and collect a large amount of data while remaining undetected on the victim's computer.

Getting Around App-Bound Encryption

One of CRESCENTHARVEST's distinctive technical features is a dedicated module for circumventing Chrome's App-Bound Encryption, the protection under which the key for saved credentials and cookies is only released to a caller that the browser's privileged service recognizes as the browser itself.

The malicious DLL, known as urtcbased140d_d.dll, acts as a specialized implant that talks directly to the browser's internal COM interfaces. Rather than simply copying the browser's files, it gets around the usual protections by building a browser-like context and then asking the operating system for decryption services the way the browser itself would.

[Image: Attack flow from a campaign with Iranian ties (Source: Acronis)]

To retrieve the encrypted key, the module looks in the user's AppData directory for the Local State file. It then instantiates an elevated COM broker through CoCreateInstance, tricking the system into decrypting the key on its behalf. The decrypted key is handed to the main backdoor module over a named pipe, where it is used to unlock saved login credentials, cookies, and browsing history for exfiltration.
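The Local State file is a JSON document, and the key the module is after sits under os_crypt. Chrome stores two versions of it there: encrypted_key, protected by user-scope DPAPI and base64-encoded with a leading "DPAPI" tag, and app_bound_encrypted_key, the App-Bound version with a leading "APPB" tag, which the elevation broker must unwrap before the DPAPI layer is even reachable. As an added example that is neither Acronis's analysis nor the malware's code, the Python inspector below resolves the path the module searches for, pulls both fields, checks their tier prefixes and reports whether App-Bound Encryption is actually in force on that profile. It never calls the broker, so nothing is decrypted; the same check lets a defender confirm that profiles in their fleet carry the app-bound key at all. The two Local State documents and the AppData path are constructed.

```python
import base64
import json
from pathlib import PureWindowsPath

# Prefixes Chrome writes in front of the encrypted key material in Local State.
DPAPI_PREFIX = b"DPAPI"  # os_crypt.encrypted_key: key protected by user-scope DPAPI only
APPB_PREFIX = b"APPB"    # os_crypt.app_bound_encrypted_key: key additionally wrapped for App-Bound Encryption

KEY_FIELDS = (
    ("encrypted_key", DPAPI_PREFIX, "dpapi"),
    ("app_bound_encrypted_key", APPB_PREFIX, "app-bound"),
)


def local_state_path(local_appdata: str) -> str:
    """The file the module hunts for under the user's AppData directory."""
    return str(PureWindowsPath(local_appdata) / "Google" / "Chrome" / "User Data" / "Local State")


def describe_key(b64_value: str, expected_prefix: bytes) -> dict:
    """Decode one key field and check its tier prefix; the wrapped blob itself is never decrypted here."""
    raw = base64.b64decode(b64_value)
    prefix_ok = raw.startswith(expected_prefix)
    blob = raw[len(expected_prefix):] if prefix_ok else raw
    return {"present": True, "prefix_ok": prefix_ok, "blob_bytes": len(blob)}


def inspect_local_state(text: str) -> dict:
    """Report which key tiers a Local State document carries and whether App-Bound Encryption is in force."""
    os_crypt = json.loads(text).get("os_crypt", {})
    report = {}
    for field, prefix, tier in KEY_FIELDS:
        if field in os_crypt:
            info = describe_key(os_crypt[field], prefix)
        else:
            info = {"present": False, "prefix_ok": False, "blob_bytes": 0}
        info["tier"] = tier
        report[field] = info
    report["app_bound_enabled"] = report["app_bound_encrypted_key"]["prefix_ok"]
    return report


def wrap_key(prefix: bytes, blob: bytes) -> str:
    """Encode a blob the way Local State stores it; used only to build the constructed samples below."""
    return base64.b64encode(prefix + blob).decode()


# Constructed Local State documents (not from a real profile): one from a browser with App-Bound
# Encryption enabled, one from an older profile that only carries the DPAPI-protected key.
MODERN_LOCAL_STATE = json.dumps({
    "os_crypt": {
        "encrypted_key": wrap_key(DPAPI_PREFIX, bytes(range(32))),
        "app_bound_encrypted_key": wrap_key(APPB_PREFIX, bytes(range(40))),
    }
})
LEGACY_LOCAL_STATE = json.dumps({"os_crypt": {"encrypted_key": wrap_key(DPAPI_PREFIX, bytes(range(32)))}})

if __name__ == "__main__":
    print(local_state_path("C:\\Users\\victim\\AppData\\Local"))
    print(json.dumps(inspect_local_state(MODERN_LOCAL_STATE), indent=2))
    print(json.dumps(inspect_local_state(LEGACY_LOCAL_STATE), indent=2))
```

A profile that reports app_bound_enabled as false is one where the older, DPAPI-only key is still enough, and any process running as the user can unwrap it without the broker at all; the module described above exists precisely because the modern profile does not allow that shortcut.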

To lessen these risks, experts advise users to adopt hardware security keys and to be extremely cautious with unsolicited files. To catch this evasion technique, organizations should watch for unusual COM object instantiations, in particular a process other than the browser requesting the browser's decryption broker, and rigorously validate signed binaries, including the libraries they load from their own directory.
