CRESCENTHARVEST: Protest Lures Turned Into Long-Term Espionage

  • Javier Conejo del Cerro
  • 6 days ago
  • 3 min read

CRESCENTHARVEST is a likely Iran-aligned cyber-espionage campaign observed after January 9, 2026, targeting supporters of ongoing Iranian protests. By weaponizing protest-related content in Farsi and disguising malware as images and videos, the operators deploy a remote access trojan (RAT) capable of credential theft, keylogging, reconnaissance, and sustained command-and-control, continuing a decade-long pattern of targeting activists, journalists, researchers, and diaspora communities.


Phase 1: Social Engineering & Target Profiling


The campaign exploits geopolitical momentum. Attackers leverage Farsi-language protest-themed content framed in supportive, heroic narratives to build credibility among Farsi-speaking individuals seeking updates on unrest inside Iran.

While the exact distribution vector is unknown, evidence suggests spear-phishing or prolonged social engineering efforts. Similar to past operations by groups such as Charming Kitten and Tortoiseshell, operators likely establish trust over time before delivering malicious payloads.

The targeting focus indicates intelligence-driven objectives rather than opportunistic crime.


Phase 2: Initial Access via LNK & Archive Deception


The infection chain begins with a malicious RAR archive that appears to contain protest-related media (images, videos, and reports).

Inside the archive:

  • Legitimate-looking protest media

  • Two Windows shortcut (LNK) files disguised using double extensions (e.g., image.jpg.lnk, video.mp4.lnk); because Windows Explorer hides the .lnk extension by default, these display simply as image.jpg and video.mp4

When executed, the LNK file:

  • Launches PowerShell to retrieve a secondary ZIP archive

  • Simultaneously opens a benign image or video to avoid suspicion

This dual execution ensures the victim believes they interacted with harmless content while the infection proceeds silently.
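A defender-side triage check for the archive layout described in this phase, added here as an example and not code from the report or from the campaign. It lists the members of an in-memory ZIP (the report describes a RAR, which the Python standard library cannot open; the same logic applies to any archive listing), flags executable extensions hidden behind a media name, and goes one step beyond the name check by reading each member's first bytes for the Shell Link header, so a shortcut renamed to something other than .lnk is still caught. The archive, its file names and the extension lists are constructed sample data.

```python
import io
import zipfile
from typing import List, Optional

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")

# Media/document extensions a lure hides behind (assumed list for the example)
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov", ".avi", ".pdf", ".docx"}
# Extensions that execute on double-click and have no place in a "media" archive (assumed list)
EXEC_EXTS = {".lnk", ".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta"}


def classify_member(name: str, head: bytes) -> Optional[dict]:
    """Return a finding for one archive member, or None if nothing is suspicious.

    name: member path inside the archive; head: its first bytes (at least 20).
    """
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    final_ext = "." + parts[-1] if len(parts) > 1 else ""
    reasons: List[str] = []
    if final_ext in EXEC_EXTS:
        reasons.append("executable_extension")
        # image.jpg.lnk: the visible "extension" is a media type, the real one is .lnk
        if len(parts) >= 3 and "." + parts[-2] in MEDIA_EXTS:
            reasons.append("double_extension")
    if head.startswith(LNK_MAGIC):
        reasons.append("lnk_header")
        if final_ext != ".lnk":
            reasons.append("lnk_header_extension_mismatch")
    return {"member": name, "reasons": reasons} if reasons else None


def scan_zip(data: bytes) -> List[dict]:
    """Scan every file in an in-memory ZIP and collect findings in archive order."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(20)
            finding = classify_member(info.filename, head)
            if finding:
                finding["size"] = info.file_size
                findings.append(finding)
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the described layout: real-looking media, two
    double-extension shortcuts, and a shortcut renamed to .txt to exercise the header check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("protest_media/photo_01.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)
        zf.writestr("protest_media/report.pdf", b"%PDF-1.4\n" + b"\x00" * 64)
        zf.writestr("protest_media/image.jpg.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("protest_media/video.mp4.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("protest_media/readme.txt", LNK_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_archive()):
        print(f"{f['member']}: {', '.join(f['reasons'])}")
```

The header check matters more than the name check: a name-based rule is defeated by any member whose final extension is not .lnk, while the 20-byte Shell Link signature is present in every shortcut Windows will honour.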


Phase 3: DLL Side-Loading & Payload Deployment


The downloaded ZIP archive contains:

  • A legitimate Google-signed Chrome binary (software_reporter_tool.exe)

  • Multiple DLL files, including malicious libraries

The attackers abuse DLL side-loading to execute their implants through the trusted binary. Two key malicious components are deployed:


1. urtcbased140d_d.dll


A C++ implant that extracts and decrypts Chrome’s app-bound encryption keys via COM interfaces, overlapping with the open-source project ChromElevator.


2. version.dll (CRESCENTHARVEST RAT)

The main implant responsible for espionage and data theft.

By leveraging a signed binary, the campaign blends malicious activity with legitimate system behavior, reducing detection likelihood.
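The side-loading pattern above leaves a distinctive trace in image-load telemetry (Sysmon Event ID 7 or the EDR equivalent): a signed executable maps a DLL that carries a Windows system DLL name, such as version.dll, from the executable's own directory rather than from System32. The following is an added example, not code from the report or the campaign, that evaluates constructed image-load records for that pattern and for the generic case of an unsigned DLL sitting beside the process. The record fields, the file paths, and every proxied DLL name other than version.dll are assumptions.

```python
import ntpath
from dataclasses import dataclass
from typing import List, Tuple

# Directories from which Windows-supplied DLLs legitimately load (assumed for the example)
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# DLL names that belong to Windows and are frequently proxied by side-loaded implants.
# version.dll is the name used by the RAT described above; the others are assumptions.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "userenv.dll", "wtsapi32.dll", "cryptbase.dll"}


@dataclass
class ImageLoad:
    """One image-load record (Sysmon Event ID 7 style); field names are assumptions."""
    process_image: str   # full path of the process that performed the load
    loaded_image: str    # full path of the DLL that was mapped
    signed: bool         # whether the DLL's Authenticode signature verified
    signer: str = ""     # signer subject, when signed


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def evaluate_image_load(ev: ImageLoad) -> List[str]:
    """Return the reasons an image load looks like DLL side-loading (empty if none)."""
    proc = _norm(ev.process_image)
    dll = _norm(ev.loaded_image)
    dll_name = ntpath.basename(dll)
    same_dir = ntpath.dirname(dll) == ntpath.dirname(proc)
    in_system_dir = dll.startswith(SYSTEM_DLL_DIRS)
    reasons: List[str] = []
    # A Windows DLL name resolved outside System32/SysWOW64 means the loader found
    # a copy earlier in the search order, typically next to the executable.
    if dll_name in SYSTEM_DLL_NAMES and not in_system_dir:
        reasons.append("system_dll_name_outside_system_dir")
        if same_dir:
            reasons.append("sideload_from_process_dir")
    # An unsigned DLL sitting beside the process is the generic side-loading shape
    if same_dir and not in_system_dir and not ev.signed:
        reasons.append("unsigned_dll_beside_process")
    return reasons


def triage(events: List[ImageLoad]) -> List[Tuple[str, List[str]]]:
    """Keep only the loads that produced findings."""
    out = []
    for ev in events:
        reasons = evaluate_image_load(ev)
        if reasons:
            out.append((ev.loaded_image, reasons))
    return out


# Constructed sample records; the paths are invented and not taken from the report.
SIGNED_TOOL = r"C:\Users\victim\Downloads\protest_media\software_reporter_tool.exe"
SAMPLE_EVENTS = [
    # Windows-supplied version.dll from System32: benign
    ImageLoad(SIGNED_TOOL, r"C:\Windows\System32\version.dll", True, "Microsoft Windows"),
    # version.dll planted next to the signed binary: the side-loading case
    ImageLoad(SIGNED_TOOL, r"C:\Users\victim\Downloads\protest_media\version.dll", False),
    # unsigned DLL with a non-Windows name next to the binary
    ImageLoad(SIGNED_TOOL, r"C:\Users\victim\Downloads\protest_media\urtcbased140d_d.dll", False),
    # signed vendor DLL beside its own application: benign
    ImageLoad(r"C:\Program Files\Example\app.exe", r"C:\Program Files\Example\helper.dll", True, "Example Corp"),
]

if __name__ == "__main__":
    for image, reasons in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(reasons)}")
```

The signature field does most of the work against false positives: legitimate applications routinely load their own signed DLLs from their install directory, so the rule only escalates when the DLL is unsigned or when a Windows DLL name resolves somewhere Windows did not put it.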


Phase 4: Command-and-Control & Espionage Operations


CRESCENTHARVEST communicates with its C2 server (servicelog-information[.]com) using Windows WinHTTP APIs to mimic normal outbound traffic.

The RAT supports extensive commands, including:

  • Anti-analysis checks

  • Directory enumeration and file operations

  • User account discovery

  • Browser history, cookie, and credential theft

  • Telegram Desktop session harvesting

  • Keylogging

  • System metadata collection

  • File upload

  • Remote shell execution

The result is a full-spectrum surveillance platform capable of long-term espionage, credential harvesting, and operational control over infected endpoints.


Strategic Context


CRESCENTHARVEST is the second known campaign tied to the 2025–2026 Iranian protests, following RedKitten’s SloppyMIO backdoor campaign.

The consistent use of:

  • Farsi social engineering

  • Protest-aligned lures

  • LNK-based initial access

  • Signed binary abuse

  • Credential harvesting

demonstrates mature, repeatable nation-state tradecraft aligned with strategic intelligence objectives.


Measures to Fend Off CRESCENTHARVEST


  • Block execution of LNK files inside compressed archives

  • Disable or heavily restrict PowerShell where possible

  • Monitor for DLL side-loading involving trusted binaries

  • Inspect abnormal use of WinHTTP outbound traffic

  • Audit access to Chrome encryption keys and Telegram Desktop session data

  • Enforce least privilege for local accounts

  • Deploy EDR with memory analysis capabilities

  • Train users on double-extension file deception

  • Flag protest-themed or geopolitically sensitive phishing lures


CRESCENTHARVEST reflects a continuation of targeted cyber-espionage against individuals aligned with Iranian protest movements. The campaign does not introduce radically new techniques; instead, it refines proven methods — social engineering aligned with current events, LNK-based loaders, signed binary abuse, and credential harvesting — into a stealthy, reliable infection chain.


Its strength lies not in novelty but in operational discipline. By combining trust-building tactics, file deception, and side-loading through legitimate executables, the operators achieve persistent access while minimizing noise.


For defenders, the lesson is clear: geopolitical events increasingly shape phishing themes, and traditional Windows-native techniques remain highly effective when executed with precision. Detection must focus not only on malware signatures but on behavioral anomalies across scripting, binary loading, and credential access patterns.



The Hacker News
