CRESCENTHARVEST: Iranian APT Targets Farsi-Speaking Activists via Chrome Software Reporter Tool Exploit and RAT Malware

Executive Summary
The CRESCENTHARVEST campaign represents a highly targeted and technically advanced cyber-espionage operation, focusing on supporters of the ongoing protests in Iran. This campaign utilizes sophisticated social engineering, protest-themed lures, and a custom Remote Access Trojan (RAT) to achieve persistent surveillance, credential theft, and exfiltration of sensitive data. The threat actors behind CRESCENTHARVEST employ advanced tactics such as DLL sideloading, LNK-based initial access, and the abuse of legitimate signed binaries, all tailored to evade detection and maximize the likelihood of successful compromise. The operation is attributed to an Iran-aligned advanced persistent threat (APT) group, with strong indications of overlap with known actors such as Charming Kitten (APT35). The campaign’s technical sophistication and focus on Farsi-speaking activists, journalists, and diaspora communities underscore the critical need for heightened vigilance and robust security controls among at-risk organizations and individuals.
Threat Actor Profile
The threat actors orchestrating the CRESCENTHARVEST campaign are assessed to be aligned with Iranian state interests, exhibiting tradecraft and infrastructure consistent with groups such as Charming Kitten (APT35) and Tortoiseshell. These actors are known for their persistent targeting of dissidents, journalists, NGOs, and human rights advocates, particularly those involved in documenting or supporting protest movements within and outside Iran. The group demonstrates a high degree of operational security, leveraging authentic protest media, Farsi-language content, and legitimate software binaries to increase the credibility of their lures and evade traditional security controls. Their campaigns are characterized by long-term surveillance objectives, credential harvesting, and the use of custom malware implants for remote access and data exfiltration.
Technical Analysis of Malware/TTPs
The CRESCENTHARVEST campaign employs a multi-stage attack chain designed to maximize stealth and persistence. Initial access is achieved through spear-phishing emails or direct messages containing RAR archives. These archives are populated with authentic protest-related images, videos, and Farsi-language reports, alongside Windows shortcut (LNK) files disguised as media files using double extensions (such as protest.jpg.lnk or video.mp4.lnk). When a victim interacts with an LNK file, embedded PowerShell code is executed, which simultaneously opens a decoy image or video to allay suspicion and retrieves a secondary ZIP archive from a remote server.
The ZIP archive contains a legitimate, Google-signed binary (software_reporter_tool.exe, part of Chrome’s cleanup utility) and two malicious DLLs: urtcbased140d_d.dll and version.dll. The former is a C++ implant designed to extract and decrypt Chrome’s app-bound encryption keys, leveraging techniques similar to the open-source ChromElevator project. The latter, version.dll, is the core CRESCENTHARVEST RAT payload. The attack exploits DLL sideloading, wherein the signed Google binary loads the malicious DLLs, allowing the malware to operate under the guise of trusted software and bypass many endpoint security controls.
Once executed, the RAT harvests browser credentials, cookies, and history, extracts Telegram Desktop session data for account hijacking, enumerates local users and installed security tools, and activates a keylogger. Data is exfiltrated to a command-and-control (C2) server using WinHTTP APIs. The malware supports a range of commands, including anti-analysis routines, directory and user enumeration, keylogging, credential and cookie theft, file upload, and arbitrary shell command execution. The primary C2 domain observed is servicelog-information[.]com.
The campaign’s tactics, techniques, and procedures (TTPs) align with several MITRE ATT&CK techniques, including spear-phishing via archive files (T1566.001), user execution via LNK files (T1204.002), PowerShell-based payload retrieval (T1059.001), DLL sideloading (T1574.002), credential access via browser and Telegram theft (T1555.003), keylogging (T1056.001), system and user discovery (T1082, T1087), exfiltration over HTTP/S (T1041), and defense evasion through the use of signed binaries and obfuscation (T1218.011, T1027).
Exploitation in the Wild
The CRESCENTHARVEST campaign has been observed actively targeting Farsi-speaking individuals, activists, journalists, and members of the Iranian diaspora who are engaged in or supportive of protest activities. The lures are highly tailored, leveraging authentic protest media and Farsi-language reports to increase credibility and emotional resonance. While no large-scale breaches have been publicly confirmed, there is evidence of successful credential theft, persistent remote access, and ongoing surveillance of targeted individuals. The campaign remains active and under investigation by multiple threat intelligence teams, with new indicators of compromise (IOCs) and TTPs continuing to emerge.
Victimology and Targeting
Victims of the CRESCENTHARVEST campaign are primarily Farsi-speaking activists, journalists, human rights defenders, and diaspora community members who are vocal in their support of Iranian protest movements. The campaign also targets NGOs, researchers, and organizations involved in documenting human rights abuses or providing support to protestors. The geographic focus extends beyond Iran to include global Iranian diaspora communities, with lures and malware delivery mechanisms specifically crafted to appeal to these audiences. The use of authentic protest media and Farsi-language content demonstrates a deep understanding of the target demographic and a commitment to maximizing the likelihood of successful compromise.
Mitigation and Countermeasures
To defend against the CRESCENTHARVEST campaign, organizations and individuals should implement a multi-layered security strategy. User awareness training is critical, particularly for at-risk users, to recognize and avoid suspicious archives and LNK files, especially those with double extensions or received from unknown sources. Technical controls should include monitoring for the execution of software_reporter_tool.exe outside of its normal context within Chrome’s cleanup operations, blocking or alerting on outbound connections to servicelog-information[.]com, and vigilant monitoring for suspicious PowerShell activity and DLL sideloading events. Endpoint detection and response (EDR) solutions should be configured to detect anomalous process behaviors and the loading of unsigned or unexpected DLLs by signed binaries.
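As an added example (not code from the report or from Rescana), the following Python turns the monitoring points above and the attack chain from the technical analysis into detection rules run over constructed Sysmon-style events: a double-extension LNK appearing on disk, software_reporter_tool.exe launching outside Chrome's cleanup folder, that binary loading version.dll or urtcbased140d_d.dll from its own directory or loading an unsigned DLL, and a lookup of the C2 domain. The SwReporter install path and the event field names are assumptions.

```python
import re
# Constructed Sysmon-style records (file create, process create, image load, DNS query); not real telemetry.
SAMPLE_EVENTS = [
    {"type": "filecreate", "target": r"C:\Users\u\Downloads\protest_media\protest.jpg.lnk"},
    {"type": "process", "image": r"C:\Users\u\AppData\Local\Temp\stage2\software_reporter_tool.exe",
     "parent": "powershell.exe"},
    {"type": "imageload", "process": r"C:\Users\u\AppData\Local\Temp\stage2\software_reporter_tool.exe",
     "loaded": r"C:\Users\u\AppData\Local\Temp\stage2\version.dll", "signed": False},
    {"type": "imageload", "process": r"C:\Users\u\AppData\Local\Google\Chrome\User Data\SwReporter\1.0\software_reporter_tool.exe",
     "loaded": r"C:\Windows\System32\version.dll", "signed": True},
    {"type": "dns", "process": "software_reporter_tool.exe", "query": "servicelog-information.com"},
]

# Assumption: Chrome's cleanup tool is normally launched from the SwReporter folder in the user profile.
EXPECTED_REPORTER_DIR = re.compile(r"/google/chrome/user data/swreporter/")
SIDELOAD_DLLS = {"version.dll", "urtcbased140d_d.dll"}  # the two DLL names given in the report
C2_DOMAINS = {"servicelog-information.com"}             # the C2 domain given in the report
DOUBLE_EXT_LNK = re.compile(r"\.(jpe?g|png|gif|mp4|mov|avi|pdf)\.lnk$")

def split_path(path):
    """Split a Windows path into (lowercase dir, lowercase basename) without depending on the host OS."""
    head, _, tail = path.replace("\\", "/").lower().rpartition("/")
    return head, tail

def check_event(ev):
    """Return the (rule, detail) hits for one event dict; an empty list means nothing suspicious."""
    hits, kind = [], ev.get("type")
    if kind == "filecreate" and DOUBLE_EXT_LNK.search(ev["target"].lower()):
        hits.append(("lnk_double_extension", ev["target"]))
    elif kind == "process":
        exe_dir, exe = split_path(ev["image"])
        if exe == "software_reporter_tool.exe" and not EXPECTED_REPORTER_DIR.search(exe_dir + "/"):
            hits.append(("reporter_tool_unusual_path", ev["image"]))
    elif kind == "imageload":
        proc_dir, exe = split_path(ev["process"])
        dll_dir, dll = split_path(ev["loaded"])
        if exe == "software_reporter_tool.exe":
            # version.dll belongs in System32; a copy beside the EXE is the sideloading pattern described above
            if dll in SIDELOAD_DLLS and dll_dir == proc_dir:
                hits.append(("dll_sideload_from_app_dir", ev["loaded"]))
            if not ev.get("signed"):
                hits.append(("unsigned_dll_in_signed_binary", ev["loaded"]))
    elif kind == "dns" and ev["query"].lower().rstrip(".") in C2_DOMAINS:
        hits.append(("c2_domain_lookup", ev["query"]))
    return hits

def scan(events):
    """Run every rule over a list of events and return all hits in input order."""
    return [hit for ev in events for hit in check_event(ev)]
```

The legitimate image-load record (Chrome's own copy of the tool loading the Microsoft-signed version.dll from System32) produces no hit, so the rules separate the sideloading pattern from normal cleanup-tool activity.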
In the event of suspected compromise, immediate incident response actions should include isolating affected systems, collecting forensic images, and resetting credentials for browsers and Telegram accounts. Organizations should maintain up-to-date threat intelligence feeds and monitor for new IOCs and TTPs associated with this campaign. Regular security assessments, patch management, and the implementation of application whitelisting can further reduce the attack surface and mitigate the risk of similar threats.
References
The following open-source intelligence and technical references provide additional context and details on the CRESCENTHARVEST campaign:
Covert Access Team Substack: CRESCENTHARVEST, How Protest Media Became a Malware Delivery System
Cyware Daily Threat Intelligence, February 19, 2026: Daily Threat Briefing
MITRE ATT&CK Techniques Referenced: MITRE ATT&CK
APT35/Charming Kitten Profile: MITRE Group G0064
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our advanced threat intelligence and risk analytics empower security teams to proactively identify emerging threats, streamline vendor risk assessments, and enhance overall cyber resilience. For more information about our solutions or to discuss how we can support your organization’s security posture, we are happy to answer questions at ops@rescana.com.