The Digital Trap: How CRESCENTHARVEST Malware Weaponizes Protest News to Silence Dissent
Cybersecurity specialists from Acronis have unmasked a nascent espionage offensive dubbed CRESCENTHARVEST, which they evaluate as a surgical strike against proponents of the persistent civil unrest in Iran. The adversaries are instrumentalizing the current political climate as a psychological lure, disseminating sophisticated malware to facilitate surreptitious system access and data exfiltration.
The operation commenced on January 10, centering its methodology on weaponized LNK files meticulously disguised as authentic imagery and video documentation of the protests. Within the archives that deliver them, the aggressors embed genuine multimedia content alongside a report composed in Farsi, detailing events within Iran’s “insurgent cities”—a presentation calculated to resonate with those aligned with the protest movement.
The victim typically receives a RAR archive purportedly containing protest-related materials. Concealed within are photographs and videos, alongside shortcuts utilizing deceptive double extensions such as .jpg.lnk or .mp4.lnk. Upon execution, the shortcut opens an innocuous file to evade suspicion while simultaneously leveraging PowerShell to retrieve a supplementary ZIP archive. This secondary payload contains a legitimate, Google-signed executable, software_reporter_tool.exe, and several accompanying libraries. The attackers replace two of these libraries with their own, so that the signed executable loads attacker code through a DLL sideloading mechanism.
One malicious library is tasked with the extraction and decryption of Chrome encryption keys, while the other—the eponymous CRESCENTHARVEST module—establishes a remote access foothold. This component systematically harvests system metadata, user credentials, and security configurations; it further purloins browser passwords, cookies, and browsing histories, alongside Telegram Desktop data. To maintain a clandestine connection with the command-and-control (C2) server, registered as servicelog-information.com, the malware utilizes WinHTTP to shroud its traffic within conventional network activity.
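As an added example from the defender's side (not code from the Acronis report), the following Python triage helper flags two of the artifacts described above: archive members whose names pair a media extension with a shortcut extension (.jpg.lnk, .mp4.lnk), and image-load events where software_reporter_tool.exe runs outside its normal Chrome directory and pulls a DLL from its own folder, the DLL-sideloading pattern. The archive listing and process events are constructed for the example, and the expected Chrome SwReporter path fragment is an assumption about a normal install rather than something the report states.

```python
"""Triage helpers for the CRESCENTHARVEST lure pattern (added example).

Neither the sample archive listing nor the process events below come from
the report; they are constructed to exercise the checks offline.
"""
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# Extensions that a lure is likely to imitate, and the executable types that
# actually run when the victim double-clicks.
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov", ".avi", ".pdf", ".docx"}
EXECUTABLE_EXTS = {".lnk", ".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta"}

# Assumption: the genuine Chrome cleanup tool lives under
# %LOCALAPPDATA%\Google\Chrome\User Data\SwReporter\<version>\ on a normal install.
EXPECTED_REPORTER_DIR = "\\google\\chrome\\user data\\swreporter\\"


def disguised_extension(name: str) -> Optional[str]:
    """Return the real (final) extension when `name` hides an executable
    type behind a media-looking one, e.g. 'tehran.jpg.lnk' -> '.lnk'."""
    suffixes = [s.lower() for s in PureWindowsPath(name).suffixes]
    if len(suffixes) < 2:
        return None
    real, decoy = suffixes[-1], suffixes[-2]
    if real in EXECUTABLE_EXTS and decoy in MEDIA_EXTS:
        return real
    return None


def triage_listing(names: List[str]) -> Tuple[List[str], List[str]]:
    """Split an archive listing into (suspicious, benign) member names."""
    suspicious, benign = [], []
    for n in names:
        (suspicious if disguised_extension(n) else benign).append(n)
    return suspicious, benign


def suspicious_sideload(image_path: str, loaded_dll: str) -> bool:
    """True when software_reporter_tool.exe executes outside its expected
    Chrome directory and loads a DLL sitting next to the binary."""
    img = PureWindowsPath(image_path)
    dll = PureWindowsPath(loaded_dll)
    if img.name.lower() != "software_reporter_tool.exe":
        return False
    parent = str(img.parent).lower() + "\\"
    outside_expected = EXPECTED_REPORTER_DIR not in parent
    return outside_expected and dll.parent == img.parent


# Constructed archive listing modelled on the lure described in the article.
SAMPLE_LISTING = [
    "gozaresh-shahrha.txt",   # Farsi-language report used as a decoy
    "tehran_01.jpg",
    "isfahan_video.mp4",
    "tehran_02.jpg.lnk",      # shortcut disguised as an image
    "mashhad_clip.mp4.lnk",   # shortcut disguised as a video
    "readme.docx",
]

# Constructed image-load events: (process image path, DLL path).
SAMPLE_EVENTS = [
    (r"C:\Users\u\AppData\Local\Google\Chrome\User Data\SwReporter\1.0.0\software_reporter_tool.exe",
     r"C:\Users\u\AppData\Local\Google\Chrome\User Data\SwReporter\1.0.0\helper.dll"),
    (r"C:\Users\u\Downloads\protest_media\software_reporter_tool.exe",
     r"C:\Users\u\Downloads\protest_media\helper.dll"),
]


def triage_events(events):
    """Return the (image, dll) pairs that match the sideloading pattern."""
    return [(img, dll) for img, dll in events if suspicious_sideload(img, dll)]


if __name__ == "__main__":
    bad, ok = triage_listing(SAMPLE_LISTING)
    print("suspicious members:", bad)
    print("sideload candidates:", triage_events(SAMPLE_EVENTS))
```

Feed `triage_listing` the name list from `zipfile`/`rarfile` on a quarantined attachment, and `triage_events` the image-load telemetry from an EDR or Sysmon export; a hit on the second check is a strong signal because the signed binary has no reason to run from a user download folder.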
Forensic analysts suggest the campaign is likely the work of an Iranian-nexus threat actor, noting tactical parallels to established groups such as Charming Kitten and Tortoiseshell, which are renowned for cultivating protracted, trust-based relationships with their targets. This follows a January report by HarfangLab detailing the RedKitten cluster’s targeting of human rights advocates with the SloppyMIO backdoor.
Concurrently, domestic mechanisms of digital subjugation are intensifying. Reports indicate that Iranian authorities have monitored the geolocation of protesters via mobile telephony, dispatching warnings to those identified at “unauthorized assemblies.” Human rights organizations have further documented the punitive deactivation of SIM cards following protest-related social media activity. Analysts correlate these measures with the expansion of Iran’s National Information Network, a sophisticated infrastructure designed to circumscribe service access and regulate digital dissent. When synthesized with social engineering and trojans like 2Ac2 RAT, these elements coalesce into a formidable and enduring apparatus for the surveillance of dissidents.