New CRESCENTHARVEST Malware Targets Iranian Dissidents

Acronis TRU has identified a targeted cyber espionage campaign, tracked as CRESCENTHARVEST, that exploits the political unrest in Iran to lure dissidents and their supporters with protest-themed files and deploy a versatile remote access trojan (RAT) for surveillance and data theft. The payload is loaded through DLL sideloading by a signed Google executable, so the process that runs the malicious code carries a legitimate vendor signature. Acronis TRU advises at-risk individuals to adopt hardware security keys and to treat unsolicited protest-related files with extreme caution. #CRESCENTHARVEST #AcronisTRU

Key points

  • CRESCENTHARVEST targets dissidents and protest supporters by weaponizing unrest in Iran.
  • Victims receive .LNK files disguised as images, videos, or Farsi-language reports bundled with legitimate media.
  • The attackers use DLL sideloading with a signed Google executable to load the malicious payload into memory.
  • The RAT performs command execution, keylogging, and data exfiltration and appears to reuse open-source code.
  • Acronis TRU recommends hardware security keys and extreme caution when handling unsolicited protest-related files.
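Two triage checks for the delivery chain summarized in the list above (a shortcut posing as a media file, then a signed executable sideloading a DLL from the directory it was dropped into), added here as an illustration; this is not code from Acronis TRU or from the cited article. The shortcut parser follows the MS-SHLLINK header and StringData layout. The sample .lnk bytes, the file names, the command line, the image-load record and its field names are all constructed for the example and are not artifacts or indicators from the campaign.

```python
"""Triage helpers for a lure shortcut and a sideloaded DLL (constructed samples)."""
import struct
from dataclasses import dataclass

# MS-SHLLINK ShellLinkHeader: size, CLSID 00021401-0000-0000-C000-000000000046, LinkFlags
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80

MEDIA_EXTS = (".jpg", ".jpeg", ".png", ".mp4", ".mov", ".pdf", ".docx")
SCRIPT_HOSTS = ("cmd.exe", "powershell", "pwsh", "wscript", "cscript",
                "mshta", "rundll32", "regsvr32", "conhost", "forfiles")


@dataclass
class LnkStrings:
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def parse_lnk(data: bytes) -> LnkStrings:
    """Extract the StringData section of a .lnk file (enough to see what it launches)."""
    if (len(data) < LNK_HEADER_SIZE
            or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # skip IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = LnkStrings()
    for flag, field in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                        (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                        (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            text, pos = data[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
        else:
            text, pos = data[pos:pos + count].decode("cp1252", "replace"), pos + count
        setattr(out, field, text)
    return out


def assess_lnk(filename: str, data: bytes) -> list[str]:
    """Lure heuristics: media-looking name on a shortcut, and a script-host target."""
    findings = []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower[:-4].endswith(MEDIA_EXTS):
        findings.append("double extension: media name on a shortcut")
    s = parse_lnk(data)
    launch = (s.relative_path + " " + s.arguments).lower()
    hosts = [h for h in SCRIPT_HOSTS if h in launch]
    if hosts:
        findings.append("shortcut launches " + ", ".join(hosts))
    if len(s.arguments) > 200:
        findings.append("oversized argument string")
    return findings


def assess_image_load(event: dict) -> list[str]:
    """Sideloading heuristic over a constructed image-load record (the keys are this
    example's own, not a real sensor's schema): a signed process in a user-writable
    directory loading a DLL from that same directory with a different or missing signer."""
    findings = []
    exe_dir = event["process"].rsplit("\\", 1)[0].lower()
    dll_dir = event["dll"].rsplit("\\", 1)[0].lower()
    user_writable = (exe_dir.startswith(("c:\\users\\", "c:\\programdata\\"))
                     or "\\temp\\" in exe_dir)
    if event.get("process_signer") and user_writable:
        findings.append("signed binary executing from a user-writable directory")
    if dll_dir == exe_dir and event.get("dll_signer") != event.get("process_signer"):
        findings.append("DLL from the executable's directory has a different or missing signer")
    return findings


def build_lnk(relative_path: str, working_dir: str, arguments: str, icon_location: str) -> bytes:
    """Construct a minimal Unicode .lnk with an empty IDList (test fixture, not a real lure)."""
    flags = (HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_WORKING_DIR
             | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE)
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(LNK_HEADER_SIZE - len(header))
    idlist = struct.pack("<H", 2) + b"\x00\x00"          # IDListSize=2, TerminalID only
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in (relative_path, working_dir, arguments, icon_location))
    return header + idlist + strings


# Constructed samples (hypothetical names and paths, not campaign indicators)
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe", r"%USERPROFILE%",
                       "/c start protest.jpg & powershell -w hidden -ep bypass -f update.ps1",
                       r"%SystemRoot%\System32\imageres.dll")
SAMPLE_LOAD = {"process": r"C:\Users\ali\Downloads\signed_google_tool.exe",
               "process_signer": "Google LLC",
               "dll": r"C:\Users\ali\Downloads\helper.dll", "dll_signer": None}

if __name__ == "__main__":
    print(assess_lnk("protest_photos.jpg.lnk", SAMPLE_LNK))
    print(assess_image_load(SAMPLE_LOAD))
```

The shortcut check reads only the StringData fields, which is where a lure's real command line usually lives; a shortcut whose arguments are hidden entirely inside the IDList or LinkInfo would need those structures decoded too. The sideload check deliberately keys on the signer mismatch rather than on any vendor name, since the technique works with any signed host binary.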

Read More: https://securityonline.info/new-crescentharvest-malware-targets-iranian-dissidents/