CRESCENTHARVEST Campaign Targets Iran Protest Supporters with RAT Malware
Summary
A new campaign, CRESCENTHARVEST, targets supporters of Iran's ongoing protests to conduct information theft and long-term espionage. The campaign delivers a remote access trojan (RAT) and information stealer to execute commands, log keystrokes, and exfiltrate sensitive data. The attacks exploit geopolitical developments to lure victims into opening malicious .LNK files disguised as protest-related images or videos. The campaign is believed to be the work of an Iran-aligned threat group and is the second such campaign identified targeting individuals involved in the nationwide protests in Iran that began towards the end of 2025.
Timeline
- 19.02.2026 10:13 (1 article): CRESCENTHARVEST Campaign Targets Iran Protest Supporters with RAT Malware
- CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware — thehackernews.com — 19.02.2026 10:13
Information Snippets
- The CRESCENTHARVEST campaign was observed after January 9, 2026, and involves delivering a malicious payload that serves as a remote access trojan (RAT) and information stealer.
  First reported: 19.02.2026 10:13 (1 source, 1 article)
  - CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware — thehackernews.com — 19.02.2026 10:13
- The campaign exploits recent geopolitical developments to lure victims into opening malicious .LNK files disguised as protest-related images or videos.
  First reported: 19.02.2026 10:13 (1 source, 1 article)
  - CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware — thehackernews.com — 19.02.2026 10:13
- The malicious files are bundled with authentic media and a Farsi-language report providing updates from 'the rebellious cities of Iran.'
  First reported: 19.02.2026 10:13 (1 source, 1 article)
  - CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware — thehackernews.com — 19.02.2026 10:13
- The campaign is believed to be the work of an Iran-aligned threat group and is the second such campaign identified targeting individuals involved in the nationwide protests in Iran that began towards the end of 2025.
  First reported: 19.02.2026 10:13 (1 source, 1 article)
  - CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware — thehackernews.com — 19.02.2026 10:13
- The initial access vector used to distribute the malware is not known, but it is suspected that the threat actors are relying on spear-phishing or protracted social engineering efforts.
  First reported: 19.02.2026 10:13 (1 source, 1 article)
  - CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware — thehackernews.com — 19.02.2026 10:13
- The attack chain starts with a malicious RAR archive that claims to contain information related to the Iranian protests, including various images and videos, along with two Windows shortcut (LNK) files that masquerade as an image or a video file.
  First reported: 19.02.2026 10:13 (1 source, 1 article)
  - CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware — thehackernews.com — 19.02.2026 10:13
- The deceptive file, once launched, contains PowerShell code to retrieve another ZIP archive, while simultaneously opening a harmless image or video.
  First reported: 19.02.2026 10:13 (1 source, 1 article)
  - CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware — thehackernews.com — 19.02.2026 10:13
- The ZIP archive contains a legitimate Google-signed binary ('software_reporter_tool.exe') and several DLL files, including two rogue libraries that are sideloaded by the executable to realize the threat actor's objectives.
  First reported: 19.02.2026 10:13 (1 source, 1 article)
  - CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware — thehackernews.com — 19.02.2026 10:13
- The rogue libraries include 'urtcbased140d_d.dll,' a C++ implant that extracts and decrypts Chrome's app-bound encryption keys through COM interfaces, and 'version.dll' (aka CRESCENTHARVEST), a remote access tool that lists installed antivirus products and security tools, enumerates local user accounts, and harvests system metadata, browser credentials, Telegram desktop account data, and keystrokes.
  First reported: 19.02.2026 10:13 (1 source, 1 article)
  - CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware — thehackernews.com — 19.02.2026 10:13
- CRESCENTHARVEST employs the Windows WinHTTP APIs to communicate with its command-and-control (C2) server ('servicelog-information[.]com'), allowing it to blend in with regular traffic.
  First reported: 19.02.2026 10:13 (1 source, 1 article)
  - CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware — thehackernews.com — 19.02.2026 10:13
- The CRESCENTHARVEST campaign represents the latest chapter in a decade-long pattern of suspected nation-state cyber espionage operations targeting journalists, activists, researchers, and diaspora communities globally.
  First reported: 19.02.2026 10:13 (1 source, 1 article)
  - CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware — thehackernews.com — 19.02.2026 10:13
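
A defender-side triage of the two file artifacts described in the snippets above (media-looking LNK lures and the sideloading bundle), as an added example that is not taken from the original report. The three file names come from the page; the double-extension naming pattern, the media extension list and the sample paths are assumptions constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# File names as given on the page.
HOST_BINARY = "software_reporter_tool.exe"
ROGUE_DLLS = {"urtcbased140d_d.dll", "version.dll"}
# Assumption: lure shortcuts carry a media-looking extension before ".lnk".
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov", ".avi", ".mkv"}

SAMPLE = [  # constructed listing for illustration, not campaign data
    r"C:\Users\a\Downloads\report\IMG_2041.jpg",
    r"C:\Users\a\Downloads\report\IMG_2042.jpg.lnk",
    r"C:\Users\a\Downloads\report\clip_01.mp4.lnk",
    r"C:\Users\a\AppData\Local\Temp\upd\software_reporter_tool.exe",
    r"C:\Users\a\AppData\Local\Temp\upd\version.dll",
    r"C:\Users\a\AppData\Local\Temp\upd\urtcbased140d_d.dll",
    r"C:\Windows\System32\version.dll",   # legitimate system DLL, must not alert
    r"C:\Users\a\Desktop\Notes.lnk",      # ordinary shortcut, must not alert
]


def masquerading_lnks(paths):
    """Return shortcuts whose name ends in <media extension>.lnk."""
    hits = []
    for p in paths:
        suffixes = [s.lower() for s in PureWindowsPath(p).suffixes]
        if len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in MEDIA_EXTS:
            hits.append(p)
    return hits


def sideload_dirs(paths):
    """Return {directory: rogue DLL names} where the host binary sits beside them."""
    by_dir = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent).lower()].add(wp.name.lower())
    # version.dll alone is a normal Windows file name; only the co-location
    # with the Google-signed host binary is treated as the sideloading bundle.
    return {d: sorted(names & ROGUE_DLLS)
            for d, names in by_dir.items()
            if HOST_BINARY in names and names & ROGUE_DLLS}


if __name__ == "__main__":
    print("LNK lures:", masquerading_lnks(SAMPLE))
    print("Sideload bundles:", sideload_dirs(SAMPLE))
```

Windows Explorer does not display the `.lnk` extension, so the first check works on the real file name from a listing or archive index rather than on what the user sees.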