Acronis TRU uncovered a targeted espionage campaign named CRESCENTHARVEST that uses Farsi-language protest lures to trick victims into opening malicious .LNK shortcuts that install a multi-module stealer/RAT. The implant chain relies on DLL sideloading via a signed Google binary, extracts browser app‑bound keys, logs keystrokes and exfiltrates data to a C2 in Riga. #CRESCENTHARVEST #AcronisTRU
Keypoints
- Acronis TRU discovered the CRESCENTHARVEST campaign using protest-themed .RAR archives and Farsi-language reports to lure Farsi-speaking Iranians and supporters.
- Initial lure files include authentic protest images/videos and two malicious .LNK shortcuts that unpack a ZIP payload and display the decoy media after execution.
- Persistence is achieved via a scheduled task triggered by the Windows NetworkProfile event (EventID 10000), executing the payload whenever the system connects to the network.
- Attackers deploy DLL sideloading using a signed Google binary (software_reporter_tool.exe) to load two malicious DLLs: one to decrypt Chrome app‑bound keys and another providing RAT/stealer functionality.
- The stealer implements credential harvesting (including browser credentials and Telegram session data), a keylogger (WH_KEYBOARD_LL), WMI-based security product discovery, and a JSON-over-HTTPS C2 with multipart upload exfiltration.
- Infrastructure includes the domain servicelog-information[.]com and IP 185.242.105.230 (hosted in Riga, Latvia, ASN AS42532); code reuse and telemetry suggest links to Iranian-aligned activity, but attribution is not high-confidence.
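The persistence mechanism described above (a scheduled task whose EventTrigger subscribes to the NetworkProfile EventID 10000) leaves a recognisable footprint in the task XML stored under C:\Windows\System32\Tasks. The following is an added hunting example written for this summary; it is not code from Acronis TRU or from the campaign. It parses a constructed task definition (the command path is a hypothetical placeholder) and flags event-triggered tasks that fire on network connection and run a binary outside C:\Windows; it also offers a walker for the on-disk task store, which is empty on a non-Windows host.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Namespace used by Windows Task Scheduler task-definition XML.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

EVENT_ID_RE = re.compile(r"EventID\s*=\s*(\d+)")
CHANNEL_RE = re.compile(r'Path="([^"]+)"')

# Constructed sample (not from the report): an EventTrigger subscribed to
# Microsoft-Windows-NetworkProfile/Operational EventID 10000 whose action runs a
# binary from a user-writable directory. The command path is a hypothetical placeholder.
SUSPICIOUS_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational"&gt;&lt;Select Path="Microsoft-Windows-NetworkProfile/Operational"&gt;*[System[Provider[@Name='Microsoft-Windows-NetworkProfile'] and EventID=10000]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
    </EventTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\Public\\Libraries\\software_reporter_tool.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign control: same trigger, but the action lives under C:\Windows
# (placeholder executable name).
BENIGN_TASK_XML = SUSPICIOUS_TASK_XML.replace(
    "C:\\Users\\Public\\Libraries\\software_reporter_tool.exe",
    "C:\\Windows\\System32\\placeholder_service.exe",
)


def event_triggers(task_xml: str) -> list[dict]:
    """Return one record per <EventTrigger>: subscribed channels, event IDs, Exec command."""
    root = ET.fromstring(task_xml)
    command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=TASK_NS)
    records = []
    for trig in root.findall("t:Triggers/t:EventTrigger", TASK_NS):
        # The subscription is an XPath query stored as escaped text; ET unescapes it.
        subscription = trig.findtext("t:Subscription", default="", namespaces=TASK_NS)
        records.append({
            "channels": sorted(set(CHANNEL_RE.findall(subscription))),
            "event_ids": sorted({int(i) for i in EVENT_ID_RE.findall(subscription)}),
            "command": command.strip().strip('"'),
        })
    return records


def network_triggered_outside_windows(task_xml: str) -> list[dict]:
    """Flag triggers that fire on NetworkProfile EventID 10000 and run a binary outside C:\\Windows."""
    hits = []
    for rec in event_triggers(task_xml):
        on_network_connect = (
            any("networkprofile" in ch.lower() for ch in rec["channels"])
            and 10000 in rec["event_ids"]
        )
        cmd = rec["command"].lower()
        outside_windows = bool(cmd) and not cmd.startswith("c:\\windows\\")
        if on_network_connect and outside_windows:
            hits.append(rec)
    return hits


def scan_tasks_folder(folder=r"C:\Windows\System32\Tasks") -> list[tuple[str, dict]]:
    """Walk the on-disk task store (UTF-16 XML files) and collect hits per task file."""
    findings = []
    root = Path(folder)
    if not root.is_dir():
        return findings
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        try:
            xml_text = path.read_text(encoding="utf-16")
            for rec in network_triggered_outside_windows(xml_text):
                findings.append((str(path), rec))
        except (OSError, UnicodeError, ET.ParseError):
            continue  # unreadable or non-XML entry; skip it
    return findings


if __name__ == "__main__":
    for rec in network_triggered_outside_windows(SUSPICIOUS_TASK_XML):
        print("SUSPICIOUS:", rec)
    for task_path, rec in scan_tasks_folder():
        print(task_path, rec)
```

The "outside C:\Windows" filter is deliberately coarse: legitimate vendor tasks also react to network-profile events, so the action path, not the trigger alone, is what separates the two in this heuristic. Run it with elevated rights on a Windows host so the task store is readable.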
MITRE Techniques
- [T1204.002] User Execution: Malicious File – .LNK shortcuts disguised as media that execute embedded scripts when clicked (‘The two .LNK files are disguised to appear as a video and an image file’).
- [T1574.001] DLL Side-Loading – malicious DLLs loaded by a signed Google binary via LoadLibraryExA and DLL search order hijacking (‘DLL sideloading using a signed Google executable file’).
- [T1059.001] PowerShell – attacker script launches PowerShell during initial execution flow after spawning cmd.exe (‘spawn cmd.exe, which in turn launches PowerShell’).
- [T1059.003] Windows Command Shell – use of nested conhost.exe and cmd.exe to run embedded commands and obfuscate execution (‘invoking a series of nested conhost.exe processes… These processes are then used to spawn cmd.exe’).
- [T1053.005] Scheduled Task – persistence via a scheduled task configured to execute on a Windows NetworkProfile event (EventID 10000) so the payload runs when the system connects to the network (‘the task is configured to execute in response to a Windows NetworkProfile event (EventID 10000)’).
- [T1056.001] Input Capture: Keylogging – implements a low-level keyboard hook (WH_KEYBOARD_LL) to capture keystrokes and write them to a hidden file for exfiltration (‘implements a Windows low-level keyboard hook (WH_KEYBOARD_LL)’).
- [T1555.003] Credentials from Web Browsers – decrypts Chrome app‑bound encryption keys via COM interfaces to recover saved browser credentials and reuse them for credential harvesting (‘decrypting Chrome’s app-bound encryption keys through COM interfaces’).
- [T1071.001] Application Layer Protocol: Web Protocols (HTTP/S) – C2 communications use WinHTTP/WinINet over HTTPS with JSON and multipart POST uploads for exfiltration (‘CRESCENTHARVEST relies on Windows Win HTTP APIs to connect to its command-and-control server’ / ‘conducted over encrypted HTTPS connections’).
- [T1041] Exfiltration Over C2 Channel – streamed multipart POST uploads used to send credentials, cookies, history and logs to the C2 server (‘uploads it to command and control (C2) using the send function’ / ‘streaming them to the C2 server over encrypted HTTPS connections’).
- [T1218] Signed Binary Proxy Execution – abuse of a legitimate signed Google binary (software_reporter_tool.exe) to execute malicious DLLs and evade suspicion (‘software_reporter_tool.exe, a legitimate Google-owned binary… explicitly loads the two malicious DLLs’).
- [T1027] Obfuscated Files or Information – runtime XOR decryption, PEB walking to avoid static imports and other simple obfuscation/anti-analysis techniques (‘applies a simple XOR decryption routine’ / ‘PEB walking to avoid static API imports by retrieving the Process Environment Block’).
- [T1518.001] Security Software Discovery – queries WMI (root\SecurityCenter2) to identify installed antivirus products and protection states for adaptive behavior (‘queries Windows Management Instrumentation (WMI) to identify installed antivirus products’).
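The sideloading and proxy-execution techniques above (T1574.001, T1218) show up in endpoint telemetry as a signed host process loading an unsigned DLL from its own directory, or loading a DLL name that Windows normally serves from System32 (version.dll here) from somewhere else. The detection below is an added example written for this summary, not code from Acronis TRU; it assumes Sysmon-style Event ID 7 (image loaded) records with the fields Image, ImageLoaded, Signed and Hashes, uses constructed sample records with hypothetical paths, and matches the two SHA256 values listed in this page's IoCs. It generalises beyond the campaign by flagging the sideload pattern for any host process, not only software_reporter_tool.exe.

```python
from pathlib import PureWindowsPath

# Host binary named on the page as the sideloading vehicle (signed Google executable).
KNOWN_ABUSED_HOSTS = {"software_reporter_tool.exe"}

# DLL names Windows normally serves from System32; a copy beside the executable is the
# classic sideload setup. version.dll comes from the page's IoCs; extend as needed.
SYSTEM_DLL_NAMES = {"version.dll"}

# SHA256 IoCs as listed on the page (version.dll and urtcbased140d_d.dll respectively).
IOC_SHA256 = {
    "0fbc1f9cbacf076d2ced458e2d1afff0c615640a4647996bca2b651b80f90a6e",
    "fc1319166cfb607402e9dcaf68ef13ce10f326dbb6ac406ef576e1c02e7404a9",
}

# Constructed Sysmon-style Event ID 7 records (paths are hypothetical placeholders).
# As in Sysmon's schema, Signed/Signature/Hashes describe the loaded DLL, not the host.
SAMPLE_IMAGE_LOADS = [
    {"Image": r"C:\Users\Public\Libraries\software_reporter_tool.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\version.dll",
     "Signed": "false", "Signature": "-",
     "Hashes": "SHA256=0FBC1F9CBACF076D2CED458E2D1AFFF0C615640A4647996BCA2B651B80F90A6E"},
    {"Image": r"C:\Users\Public\Libraries\software_reporter_tool.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\urtcbased140d_d.dll",
     "Signed": "false", "Signature": "-",
     "Hashes": "SHA256=FC1319166CFB607402E9DCAF68EF13CE10F326DBB6AC406EF576E1C02E7404A9"},
    {"Image": r"C:\Users\Public\Libraries\software_reporter_tool.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]


def sha256_from_hashes_field(hashes: str) -> str:
    """Extract the SHA256 value from a Sysmon 'Hashes' field such as 'SHA256=...,MD5=...'."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def classify_image_load(rec: dict) -> list[str]:
    """Return the reasons (possibly none) why one image-load record looks like sideloading."""
    host = PureWindowsPath(rec["Image"])
    dll = PureWindowsPath(rec["ImageLoaded"])
    host_dir = host.parent.as_posix().lower()
    dll_dir = dll.parent.as_posix().lower()
    unsigned = rec.get("Signed", "").lower() != "true"
    reasons = []
    if sha256_from_hashes_field(rec.get("Hashes", "")) in IOC_SHA256:
        reasons.append("SHA256 matches a CRESCENTHARVEST IoC")
    if dll.name.lower() in SYSTEM_DLL_NAMES and not dll_dir.endswith("/windows/system32"):
        reasons.append(f"{dll.name} loaded from outside System32")
    if unsigned and dll_dir == host_dir:
        reasons.append("unsigned DLL loaded from the host executable's own directory")
    if unsigned and host.name.lower() in KNOWN_ABUSED_HOSTS:
        reasons.append(f"{host.name} loaded an unsigned DLL")
    return reasons


def find_sideload_candidates(records: list[dict]) -> list[dict]:
    """Run the classifier over a batch of records and keep only those with findings."""
    out = []
    for rec in records:
        reasons = classify_image_load(rec)
        if reasons:
            out.append({"host": rec["Image"], "dll": rec["ImageLoaded"], "reasons": reasons})
    return out


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_IMAGE_LOADS):
        print(hit["host"], "->", hit["dll"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

The hash match is the narrowest signal and the one attackers change most easily; the same-directory and out-of-System32 checks are behavioural and survive recompilation, at the cost of occasional hits on legitimate software that ships its own copy of a system DLL name, so triage on the host's install location.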
Indicators of Compromise
- [File Hash] Malicious payloads and staged archives – 0fbc1f9cbacf076d2ced458e2d1afff0c615640a4647996bca2b651b80f90a6e (version.dll), fc1319166cfb607402e9dcaf68ef13ce10f326dbb6ac406ef576e1c02e7404a9 (urtcbased140d_d.dll), and 7 other hashes.
- [File Name] Malicious binaries and lures found in archives – version.dll, urtcbased140d_d.dll, VID_20260114_000556_609.mp4.lnk, IMG_20260140_000315_689.jpg.lnk.
- [Domain] Command-and-control domain – servicelog-information[.]com observed as the C2 server used by samples.
- [IP Address] C2 hosting – 185.242.105.230 (Riga, Latvia; associated with ASN AS42532) used by the campaign’s infrastructure.