Current Cyber Threats

CrescentHarvest: Iranian Protestors and Dissidents Targeted in Cyberespionage Campaign

Summary:
The Acronis Threat Research Unit (TRU) has identified a sophisticated cyberespionage campaign, CRESCENTHARVEST, active since at least January 2026. Targeting Farsi-speaking dissidents and supporters of Iranian protests, the campaign uses high-fidelity social engineering lures, including authentic media and a Farsi-language report on "rebellious cities." The infection begins when a user executes a malicious Windows Shortcut (.LNK) file disguised as a video or image. This triggers a complex, multi-stage process: a hidden PowerShell script extracts a ZIP archive containing a legitimate, signed but deprecated Google binary. The malware then uses DLL sideloading through that binary to execute a custom Remote Access Trojan (RAT).

Beyond its initial execution, the CRESCENTHARVEST payload is highly specialized, featuring dedicated modules to bypass modern browser security, steal Telegram session data, and log keystrokes. It establishes persistence through a unique method: a scheduled task that triggers only when the system connects to the internet, allowing it to evade standard boot-time detection. The malware then creates a hidden system file to stage captured data, which is exfiltrated to a command-and-control (C2) server using HTTPS requests that attempt to mimic legitimate Chrome traffic.


Security Officer Comments:
CRESCENTHARVEST represents a notable evolution in nation-state-aligned tradecraft that prioritizes stealth through "legitimacy hijacking." The use of a signed Google executable, even one with an expired certificate, is a deliberate tactic to bypass automated trust-based security controls. Of particular concern is the malware's ability to evade Chrome’s App-Bound Encryption. By leveraging Windows COM interfaces to mimic the browser’s own elevation broker, the attackers have effectively neutralized a primary defense meant to protect saved credentials.

This technical maturity, combined with the target-specific social engineering, suggests a threat actor with a deep understanding of the Windows ecosystem and the psychological profile of their targets. While currently focused on Iranian dissidents, the modular nature of this RAT, specifically its ability to harvest Telegram desktop sessions and profile local users (admin vs. guest), makes it a potent tool for corporate espionage or lateral movement within any organization.


Suggested Corrections:
To defend against the tactics observed in the CRESCENTHARVEST campaign, organizations should implement the following multi-layered security controls:
  • Endpoint Behavioral Monitoring: Transition beyond signature-based detection to behavioral analysis that can identify anomalies in common processes. Specifically, monitor for unusual child processes spawned by conhost.exe or legitimate signed binaries that suddenly load unsigned or unexpected DLLs.
  • Restrict Script Execution: Implement and enforce strict PowerShell execution policies (e.g., Constrained Language Mode) and use AppLocker or Windows Defender Application Control (WDAC) to block the execution of unauthorized .LNK files or scripts originating from the Downloads or Temp directories.
  • Enhance Credential Protection: Since the malware specifically targets browser-stored credentials and session cookies, encourage or mandate the use of hardware security keys (FIDO2/WebAuthn) and enterprise-grade password managers that do not rely solely on browser-based storage.
  • Email and Archive Filtering: Configure mail gateways to block or quarantine compressed archive formats (.zip, .7z, .rar) that contain shortcut (.lnk) files, as these are rarely legitimate in a business context and are a primary vector for this campaign.
  • Targeted User Awareness: Conduct specialized social engineering simulations for high-risk individuals or those in sensitive roles, emphasizing the danger of "timely" or "urgent" geopolitical lures and the risks associated with downloading media from unverified community or social media sources.
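The first control above (flag children of conhost.exe and unexpected DLLs loaded by binaries running outside protected directories) can be expressed as a small rule pass over endpoint telemetry. The following is an added illustration written for this bulletin, not code from Acronis TRU or the linked report; it runs over constructed Sysmon-style records whose field names follow Sysmon's schema but whose paths and values are invented, and the "protected directory" list is an assumed baseline.

```python
from pathlib import PureWindowsPath

# Constructed Sysmon-style records (Event ID 1 = ProcessCreate, 7 = ImageLoad).
# Field names follow Sysmon's schema; every path and value here is invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\conhost.exe"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe", "Signed": "true",
     "SignatureStatus": "Valid", "ImageLoaded": r"C:\Windows\System32\shell32.dll"},
    {"EventID": 7, "Image": r"C:\Users\user\AppData\Local\Temp\pkg\vendor_tool.exe",
     "Signed": "false", "SignatureStatus": "Unavailable",
     "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\pkg\helper.dll"},
]

# Assumed baseline: directories a standard user cannot write to. DLL loads from
# here are not treated as sideload candidates.
PROTECTED_DIRS = ("c:/windows/", "c:/program files/", "c:/program files (x86)/")


def _in_protected_dir(path):
    return path.replace("\\", "/").lower().startswith(PROTECTED_DIRS)


def detect(events):
    """Return (rule_name, offending_path) tuples for events matching either rule."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1 and PureWindowsPath(ev["ParentImage"]).name.lower() == "conhost.exe":
            # conhost.exe hosts console windows; it does not normally launch processes.
            findings.append(("conhost_child_process", ev["Image"]))
        elif ev["EventID"] == 7:
            loader, dll = ev["Image"], ev["ImageLoaded"]
            unsigned = (ev.get("Signed", "false").lower() != "true"
                        or ev.get("SignatureStatus") != "Valid")
            same_dir = PureWindowsPath(loader).parent == PureWindowsPath(dll).parent
            if unsigned and same_dir and not _in_protected_dir(dll):
                # A DLL without a valid signature, loaded from the loader's own
                # user-writable directory, is the classic search-order sideload pattern.
                findings.append(("possible_dll_sideload", dll))
    return findings


if __name__ == "__main__":
    for rule, path in detect(SAMPLE_EVENTS):
        print(f"{rule}: {path}")
```

In production the same two rules belong in the EDR or SIEM query language, with the protected-directory baseline and any known-good loader/DLL pairs tuned per environment.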

Link(s):
https://thehackernews.com/2026/02/crescentharvest-campaign-targets-iran.html