Find notable cyber news and cases, enriched with sources, timelines, and signals.

CRESCENTHARVEST Windows RAT and info-stealer activity

Malware Activity
First reported
Last updated
Happening score
H score 28
1 unique sources, 1 articles

Summary

Hide ▲

The CRESCENTHARVEST malware activity centers on version.dll, a Windows RAT and information stealer that can execute commands, log keystrokes, and exfiltrate data. It matters because the payload combines remote access, credential theft, and system reconnaissance in one toolchain. The activity was observed after January 9 and is tied to an espionage-oriented lure operation aimed at people connected to Iran’s protest movement; no successful compromise has been confirmed.

Related Happenings

ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion

Technical Analysis
H score74 First: 01.07.2026 08:32 Last: 01.07.2026 08:32 Sources 1

About this happening: Analysis of **ClickFix** payload delivery shows operators moving to **API-driven servers** and a **Downloads-folder** orchestrator, increasing stealth across live campaigns. The b...

DriveSurge large-scale website-hijack malware distribution campaign

Campaign
H score41 First: 02.06.2026 01:14 Last: 02.06.2026 01:14 Sources 1

About this happening: The **DriveSurge** campaign is redirecting visitors from **thousands of compromised websites** to **malware-delivery infrastructure**, creating a broad infection path through **Cl...

LLMShare ChatGPT share-link malware lure campaign

Campaign
H score47 First: 29.05.2026 21:21 Last: 29.05.2026 21:21 Sources 1

About this happening: The **LLMShare** campaign is using **Google ads** and a legitimate **chatgpt.com** shared page to route people searching for **ChatGPT** into a fake **OpenAI outage** lure that pu...

LotusLite backdoor delivered via DLL sideloading

Malware Activity
H score22 First: 21.04.2026 15:00 Last: 21.04.2026 15:00 Sources 1

About this happening: The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...

Latest development: 29.06.2026 18:03

Acronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.

108 Malicious Google Chrome extensions sharing a C2 backend

Malware Activity
H score11 First: 14.04.2026 11:35 Last: 14.04.2026 11:35 Sources 1

About this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...

Timeline

  1. 19.02.2026 10:13 2 articles · 4mo ago

    Acronis discloses CRESCENTHARVEST espionage campaign

    Initial Disclosure

    Acronis Threat Research Unit discloses CRESCENTHARVEST, a likely Iran-aligned espionage campaign targeting supporters of Iran's protests with malicious .LNK files inside RAR archives that deliver a RAT and information stealer. The payload chain uses PowerShell to fetch a ZIP archive, relies on DLL side-loading through the Google-signed software_reporter_tool.exe, and enables credential theft, keystroke logging, system reconnaissance, and WinHTTP-based command-and-control to servicelog-information[.]com.

    Show sources