A new cyber espionage campaign is exploiting the political unrest in Iran to target dissidents and supporters of the protest movement. According to a report from Acronis’ Threat Research Unit (TRU), the campaign—dubbed CRESCENTHARVEST—uses emotionally charged, protest-themed lures to deploy a versatile remote access trojan (RAT) capable of surveillance and data theft.
The campaign, which was observed gaining traction shortly after January 9, highlights a growing trend where threat actors weaponize geopolitical crises to infiltrate specific communities.
The attack begins with social engineering. Victims are targeted with files disguised as media or reports relevant to the ongoing protests in Iran.
“Observed shortly after January 9, the campaign exploits recent geopolitical developments to lure victims into opening malicious .LNK files disguised as protest-related images or videos. These files are bundled with authentic media and a Farsi-language report providing updates from ‘the rebellious cities of Iran,’” the report states.

By bundling valid media files with the malware, the attackers increase the credibility of the lure, effectively preying on the victim’s hunger for information.
Technically, the campaign relies on a classic but effective technique: DLL sideloading. The malicious payload is loaded into memory by a legitimate, digitally signed Google executable, allowing it to bypass some security controls that trust known software vendors.
“The payload, which we’ve named CRESCENTHARVEST, is deployed via DLL sideloading using a signed Google executable file. It functions as both a remote access trojan and information stealer, capable of executing commands, keylogging and exfiltrating sensitive victim data,” the report adds.
Despite its effectiveness, the malware itself shows signs of “moderate development maturity,” utilizing code from open-source projects rather than bespoke, high-end tooling. This suggests a pragmatic attacker focused on results rather than sophistication.
The report links this activity to broader surveillance efforts that often extend beyond the digital realm.
“For defenders supporting at-risk populations, CRESCENTHARVEST reinforces that this threat is persistent, adaptable and highly targeted. Real-world consequences extend beyond data theft, and prior reporting has linked similar surveillance activity to physical intimidation and harassment,” the report concludes.
Acronis TRU advises high-risk individuals to adopt hardware security keys and to treat unsolicited files with extreme caution, even—and especially—when they align with one’s political sympathies.