CRESCENTHARVEST malicious .LNK espionage campaign targeting Iran protest supporters
Campaign
Summary
The CRESCENTHARVEST campaign is using malicious .LNK files and social engineering to target supporters of Iran's ongoing protests for information theft and long-term espionage. The operation matters because the payload can log keystrokes, steal credentials and Telegram data, and exfiltrate sensitive information through a covert command-and-control channel.
Related Happenings
Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities
Campaign
First: 14.05.2026 17:00
Last: 14.05.2026 17:00
Sources 1
About this happening:
The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...
TA416 European government espionage campaign
Campaign
First: 01.04.2026 15:05
Last: 01.04.2026 15:05
Sources 1
About this happening:
TA416 has resumed **cyber espionage** activity, targeting **European governments** and **EU/NATO diplomatic missions** with a renewed malware-delivery operation that raises cross-...
Latest development: 03.04.2026 20:34
TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026, while linking to archives hosted on Google Drive or a compromised SharePoint instance to refine its PlugX delivery chain and collect regional intelligence.
Perseus IPTV-lure distribution campaign targeting Europe and the Middle East
Campaign
First: 19.03.2026 14:43
Last: 19.03.2026 14:43
Sources 1
About this happening:
The **Perseus** distribution campaign is actively pushing **Android malware** through **phishing sites** and **IPTV-lure apps**, increasing the risk of **device takeover** and **f...
Dust Specter Iraq Foreign Affairs AI impersonation campaign
Campaign
First: 03.03.2026 12:30
Last: 03.03.2026 12:30
Sources 1
About this happening:
**Dust Specter** targeted **Iraqi government officials** in a **January 2026** campaign that used **impersonation**, **AI tools**, and compromised infrastructure to deliver malici...
CRESCENTHARVEST Windows RAT and info-stealer activity
Malware Activity
First: 19.02.2026 10:13
Last: 19.02.2026 10:13
Sources 1
How related:
version.dll (aka CRESCENTHARVEST), a remote access tool that lists installed antivirus products and security tools, enumerates local user accounts on the device, loads DLLs, harvests system metadata, browser credentials, Telegram desktop account data, and keystrokes.
About this happening:
The **CRESCENTHARVEST** malware activity centers on **version.dll**, a **Windows RAT and information stealer** that can execute commands, log keystrokes, and exfiltrate data. It m...
Timeline
- 19.02.2026 10:13 · 2 articles · 3mo ago
CRESCENTHARVEST disclosed as Iran protest lure campaign
Initial Disclosure
Researchers disclosed CRESCENTHARVEST, a likely Iran-aligned espionage campaign that targets supporters of Iran's ongoing protests with malicious .LNK files inside RAR archives. The delivery chain is described as using social engineering to deploy a RAT and information stealer that can execute commands, log keystrokes, harvest browser credentials and Telegram desktop account data, and exfiltrate sensitive data over servicelog-information[.]com.
Sources:
- CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware — thehackernews.com — 19.02.2026 10:13