Crescent Harvest Campaign Spreads RAT Malware to Iran Protest Supporters
Iran-Aligned Threat Group Targets Protest Supporters with Sophisticated RAT Malware
A newly discovered cyber espionage campaign, dubbed CRESCENTHARVEST, has been identified as targeting supporters of the ongoing protests in Iran. The campaign, which is believed to be the work of an Iran-aligned threat group, employs a sophisticated remote access trojan (RAT) and information stealer to execute commands, log keystrokes, and exfiltrate sensitive data.
Campaign Details
According to researchers, the campaign exploits recent geopolitical developments to lure victims into opening malicious files disguised as protest-related images or videos. These files are bundled with authentic media and a Farsi-language report providing updates from “the rebellious cities of Iran.” The use of Farsi language content for social engineering and the distributed files depicting the protests in heroic terms suggest an intent to attract Farsi-speaking individuals of Iranian origin who are in support of the ongoing protests.
Attack Chain
The attack chain begins with a malicious RAR archive that claims to contain information related to the Iranian protests. The archive includes two Windows shortcut (LNK) files that masquerade as an image or a video file using the double extension trick. Once launched, the shortcut runs embedded PowerShell code that retrieves another ZIP archive while simultaneously opening a harmless image or video, so the victim believes they have opened a benign file.
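As an added defensive illustration (not code from the report or the researchers), the following check flags archive entries that use the double-extension shortcut trick described above; the file names in the sample listing are constructed, not indicators from the campaign.

```python
import os

# Extensions a victim expects for protest "images or videos" (constructed list).
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov", ".avi", ".mkv"}

# Extensions that execute on double-click; Explorer hides ".lnk" by default,
# so "photo.jpg.lnk" is displayed as "photo.jpg".
EXECUTABLE_EXTENSIONS = {".lnk", ".exe", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1"}


def split_extensions(name):
    """Return lower-cased extensions in order, e.g. 'a.jpg.lnk' -> ['.jpg', '.lnk'].
    Whitespace padding ('photo.jpg      .lnk') is stripped so it cannot hide the real suffix."""
    base = os.path.basename(name.replace("\\", "/"))
    parts = [p.strip() for p in base.split(".")]
    if len(parts) < 2:
        return []
    return ["." + p.lower() for p in parts[1:]]


def is_masquerading_shortcut(name):
    """True when the real extension executes and the one before it is a media extension."""
    exts = split_extensions(name)
    if len(exts) < 2:
        return False
    return exts[-1] in EXECUTABLE_EXTENSIONS and exts[-2] in MEDIA_EXTENSIONS


def flag_archive_entries(entries):
    """Return suspicious names from an archive listing (e.g. zipfile/rarfile namelist())."""
    return [e for e in entries if is_masquerading_shortcut(e)]


# Constructed sample listing modelled on the lure described in the article.
SAMPLE_ENTRIES = [
    "protest_update/report.pdf",
    "protest_update/video_tehran.mp4.lnk",
    "protest_update/photo_01.jpg.lnk",
    "protest_update/photo_02.jpg",
    "protest_update/notes.txt",
]

if __name__ == "__main__":
    for hit in flag_archive_entries(SAMPLE_ENTRIES):
        print("suspicious double-extension shortcut:", hit)
```

The same check can be run on mail-gateway attachment listings, where the shortcut is visible before Explorer ever hides its extension.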
Malware Details
The ZIP archive contains a legitimate Google-signed binary and several DLL files, including two rogue libraries that are sideloaded by the executable to realize the threat actor’s objectives. The malware, dubbed CRESCENTHARVEST, is a remote access tool that lists installed antivirus products and security tools, enumerates local user accounts on the device, loads DLLs, harvests system metadata, browser credentials, Telegram desktop account data, and keystrokes.
Command-and-Control Server
CRESCENTHARVEST employs the Windows WinHTTP APIs to communicate with its command-and-control (C2) server, allowing its traffic to blend in with regular HTTP activity. The malware supports a range of commands, including anti-analysis checks, stealing browser history, listing directories, getting the current working directory, changing directory, getting user information, running PowerShell commands, activating a keylogger, stealing Telegram session data, stealing browser cookies, and stealing system information.
Context and Implications
The CRESCENTHARVEST campaign represents the latest chapter in a decade-long pattern of suspected nation-state cyber espionage operations targeting journalists, activists, researchers, and diaspora communities globally. The use of LNK-based initial access, DLL side-loading through signed binaries, credential harvesting, and social engineering aligned to current events reflects well-established tradecraft.
Iranian hacking groups have a storied history of engaging in sophisticated social-engineered attacks that involve approaching prospective targets under fake personas and cultivating a relationship with them over time before weaponizing the trust to infect them with malware. The discovery of the CRESCENTHARVEST campaign highlights the ongoing threat posed by nation-state actors to individuals and organizations involved in documenting human rights abuses and supporting protests in Iran.
