Comprehensive Threat Exposure Management Platform
CRESCENTHARVEST is a targeted cyber-espionage campaign aimed at supporters of Iran’s protests. It relies on calculated social engineering that disguises surveillance operations as solidarity with the protest movement. This sustained, covert intelligence operation reflects deliberate targeting of civil society organizations, activist groups, journalists, and non-governmental organizations supporting Iranian protest movements, with consequences extending beyond digital compromise into real-world intimidation and harassment. First observed on January 9, 2026, the campaign targets Iranian diaspora communities and protest supporters through sophisticated spear-phishing attacks delivering RAR archives that contain authentic protest documentation alongside malicious shortcut files. The malware uses DLL sideloading through legitimately signed Google binaries to extract Chrome’s application-bound encryption keys, exfiltrate browser credentials from Chrome, Edge, and Firefox, capture Telegram session data, and log every keystroke. It employs anti-analysis measures based on Windows Job Objects and maintains persistence through scheduled tasks triggered by network connectivity events, enabling sustained surveillance of Iranian protest supporters and dissidents.
The campaign appears designed specifically to target supporters of Iran’s ongoing protests, with the objective of sustained surveillance and comprehensive data theft from Iranian civil society. The operation depends on deliberate social engineering, frequently initiated through carefully crafted spear-phishing attacks. The attackers invest significant time in establishing credibility with targets, presenting themselves as allies of the Iranian protest movement to build trust. Targeted individuals receive RAR archives framed as frontline documentation from the Iran protests, containing authentic protest images and videos alongside Farsi-language reports describing “rebellious cities of Iran.” The material is structured to resonate with Farsi-speaking individuals sympathetic to the protest movement, exploiting victims’ political sympathies to achieve compromise.
Among the legitimate protest documentation files in the archives are two malicious shortcut (.LNK) files that use double extensions to resemble ordinary media files. When a victim opens one of these LNK files, a concealed script starts a chain of system processes: Command Prompt launches, followed by PowerShell, which extracts embedded ZIP archives containing the CRESCENTHARVEST payload. The extracted archive includes legitimately signed Google binaries, two malicious DLLs, several benign support files, and decoy media files. Persistence is achieved through scheduled tasks configured to trigger on Windows NetworkProfile events, so the malware runs whenever network connectivity is established, including after a system reboot.
The intrusion relies on DLL sideloading. Signed Google binaries load libraries without strict path controls, so malicious CRESCENTHARVEST code runs under the appearance of a trusted application. The first module, written in C++, extracts and decrypts Chrome’s application-bound encryption keys through Component Object Model (COM) interfaces. The second module adds anti-analysis measures based on Windows Job Objects and performs the data collection: it extracts credentials, cookies, and browsing history from Chrome, Edge, and Firefox; captures Telegram Desktop session data, enabling account takeover; and installs low-level keyboard hooks that record all keystrokes to hidden files on the systems of targeted Iranian activists and journalists.
Once the keystroke log reaches approximately 2,000 bytes, the captured data is transmitted to command-and-control servers run by the CRESCENTHARVEST operators. Other stolen data is staged in concealed directories, compressed, and exfiltrated through encrypted HTTPS multipart uploads to avoid detection. CRESCENTHARVEST reflects a sustained and targeted espionage effort focused on Iranian civil society and protest movements. Similar surveillance activity linked to Iranian state-sponsored operations has been associated with intimidation, harassment, and real-world consequences for targeted activists, which underlines the physical-security implications of this digital compromise for Iranian dissidents and protest supporters.
Iranian activists, journalists, and protest supporters must avoid opening archives, images, videos, or documents received through unsolicited channels, especially those related to politically sensitive topics such as the Iran protests, even when the content appears sympathetic to their views. CRESCENTHARVEST exploits exactly those political sympathies, so skepticism is essential for Iranian civil society.
Organizations supporting Iranian civil society must implement endpoint detection rules that flag .LNK files with embedded scripts, double file extensions (the .jpg.lnk and .mp4.lnk names characteristic of CRESCENTHARVEST), and .LNK files whose execution spawns nested conhost.exe processes with headless switches, as these are hallmarks of the campaign’s delivery mechanism.
Security teams should create detection rules that alert on execution of software_reporter_tool.exe outside the standard Chrome installation directories, and monitor for unsigned or suspicious DLLs (particularly version.dll and urtcbased140d_d.dll, the names used by CRESCENTHARVEST) being loaded by signed Google executables, which indicates a likely compromise.
Organizations must review scheduled tasks on endpoints for unusual triggers, specifically tasks bound to Windows NetworkProfile events (EventID 10000), which CRESCENTHARVEST abuses for persistence so that it runs whenever the system gains network connectivity, enabling sustained surveillance of Iranian protest supporters.
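As an added example (not code from the original page or from any vendor product), the following Python detector applies the three endpoint checks above to constructed sample telemetry: double-extension .LNK launches and a headless conhost.exe under a .LNK process chain, software_reporter_tool.exe running outside Chrome directories or loading version.dll / urtcbased140d_d.dll from outside System32, and scheduled-task XML carrying an event trigger on NetworkProfile EventID 10000. The "standard" reporter-tool locations, the telemetry field names and all sample events are my assumptions.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

REPORTER_DIRS = (r"\google\chrome\application", r"\google\chrome\user data\swreporter")  # assumed standard homes
SIDELOAD_DLLS = {"version.dll", "urtcbased140d_d.dll"}          # DLL names cited on the page
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|mp4|mov)\.lnk\b", re.I)   # .jpg.lnk / .mp4.lnk lures
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

def check_process(ev):
    """Process creation: a double-extension .LNK being launched, or headless conhost under a .LNK chain."""
    image, cmd, hits = ev["image"].lower(), ev.get("cmdline", ""), []
    if DOUBLE_EXT.search(cmd):
        hits.append("double-extension .lnk launched")
    if image.endswith("conhost.exe") and "--headless" in cmd.lower() and ".lnk" in ev.get("parent_cmdline", "").lower():
        hits.append("headless conhost in .lnk process chain")
    return hits

def check_image_load(ev):
    """Image load: Google-signed host running outside Chrome dirs, or a sideload DLL loaded from outside System32."""
    host, path, hits = ev["image"].lower(), ev["loaded"].lower(), []
    if host.endswith("software_reporter_tool.exe") and not any(d in host for d in REPORTER_DIRS):
        hits.append("software_reporter_tool.exe outside Chrome directories")
    if PureWindowsPath(path).name in SIDELOAD_DLLS and ev.get("signer") == "Google LLC" and not path.startswith(r"c:\windows\system32"):
        hits.append(f"{PureWindowsPath(path).name} sideloaded into {PureWindowsPath(host).name}")
    return hits

def check_task(ev):
    """Scheduled-task XML: an event trigger subscribed to NetworkProfile EventID 10000."""
    for sub in ET.fromstring(ev["xml"]).iterfind(".//t:EventTrigger/t:Subscription", TASK_NS):
        if "NetworkProfile" in (sub.text or "") and re.search(r"EventID\s*=\s*10000", sub.text):
            return ["task triggered by NetworkProfile EventID 10000"]
    return []

def scan(events):
    """Dispatch each telemetry dict by type; return (event index, finding) pairs."""
    checks = {"process": check_process, "image_load": check_image_load, "task": check_task}
    return [(i, f) for i, ev in enumerate(events) for f in checks[ev["type"]](ev)]

# Constructed sample telemetry mirroring the chain the page describes (not real captures).
LNK = r'cmd.exe /c "C:\Users\u\Downloads\files\VID_20260114_000556_609.mp4.lnk"'
SAMPLE = [
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe", "cmdline": LNK},
    {"type": "process", "image": r"C:\Windows\System32\conhost.exe", "cmdline": "conhost.exe --headless", "parent_cmdline": LNK},
    {"type": "image_load", "image": r"C:\Users\u\AppData\Local\Temp\x\software_reporter_tool.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\x\version.dll", "signer": "Google LLC"},
    {"type": "task", "xml": '<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"><Triggers><EventTrigger>'
     '<Subscription>&lt;QueryList&gt;&lt;Query&gt;&lt;Select Path="Microsoft-Windows-NetworkProfile/Operational"&gt;'
     '*[System[(EventID=10000)]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription></EventTrigger></Triggers></Task>'},
]
```

Running `scan(SAMPLE)` yields one finding per sample event plus a second for the image-load event (misplaced host and sideloaded DLL); a reporter tool under its SwReporter folder loading the System32 version.dll produces nothing.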
At-risk individuals, including Iranian activists, journalists covering the Iran protests, and members of Iranian diaspora communities, should adopt FIDO2/WebAuthn hardware security keys for authentication on critical accounts, as these remain resistant to CRESCENTHARVEST credential theft even if browser data is exfiltrated by the malware.
Organizations should monitor for unauthorized access to Chrome’s Local State file and its app_bound_encrypted_key field, and alert on unexpected COM object instantiation related to browser elevation brokers; both are direct indicators of the CRESCENTHARVEST key-decryption module targeting Chrome credentials.
Deploy network segmentation to limit lateral movement following a CRESCENTHARVEST compromise, and monitor DNS queries for newly registered domains and connections to known suspicious ASNs. Implement DNS sinkholing for identified CRESCENTHARVEST C2 domains, including servicelog-information[.]com, to block exfiltration of stolen data from Iranian activists.
Scan endpoints for hidden files in system directories, particularly C:\Windows\System32\spool\Drivers\color\daT.txt (the CRESCENTHARVEST keylogger output) and decrypted_appbound_key.txt under APPDATA folders, as these are direct indicators of active CRESCENTHARVEST surveillance targeting Iranian civil society organizations.
File names associated with CRESCENTHARVEST: version.dll, urtcbased140d_d.dll, VID_20260114_000556_609.mp4.lnk, IMG_20260140_000315_689.jpg.lnk, files.rar, tmp1732799711.zip, tmp205099634.zip