CRESCENTHARVEST Windows RAT and info-stealer activity
Malware Activity
Summary
The CRESCENTHARVEST malware activity centers on version.dll, a Windows RAT and information stealer that can execute commands, log keystrokes, and exfiltrate data. It matters because the payload combines remote access, credential theft, and system reconnaissance in one toolchain. The activity was observed after January 9 and is tied to an espionage-oriented lure operation aimed at people connected to Iran’s protest movement; no successful compromise has been confirmed.
Related Happenings
LotusLite backdoor delivered via DLL sideloading
Malware Activity
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
About this happening:
The **LotusLite** backdoor is being delivered through **malicious files** and **DLL sideloading**, creating a remote-access malware activity that supports **espionage**. The opera...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
Storm infostealer server-side decryption activity
Malware Activity
First: 02.04.2026 17:15
Last: 02.04.2026 17:15
Sources 1
About this happening:
The **Storm** infostealer now steals **browser credentials**, **session cookies**, and **crypto wallets** and forwards them to attacker infrastructure for **server-side decryption...
Malicious LNK GitHub C2 campaign targeting South Korea
Campaign
First: 02.04.2026 16:00
Last: 02.04.2026 16:00
Sources 1
About this happening:
A **malicious LNK-file campaign** targeting **users in South Korea** is using **GitHub as C2** to support persistent access on **Windows** systems. The operation relies on **Power...
Proton Meet launches privacy-focused encrypted conferencing service
Security Tool/Service
First: 01.04.2026 01:42
Last: 01.04.2026 01:42
Sources 1
About this happening:
**Proton Meet** launched as a **privacy-focused video conferencing service**, adding **end-to-end encrypted** calls for users who want an alternative to mainstream meeting platfor...
Timeline
19.02.2026 10:13 · 2 articles
Acronis discloses CRESCENTHARVEST espionage campaign
Initial Disclosure
Acronis Threat Research Unit discloses CRESCENTHARVEST, a likely Iran-aligned espionage campaign targeting supporters of Iran's protests with malicious .LNK files inside RAR archives that deliver a RAT and information stealer. The payload chain uses PowerShell to fetch a ZIP archive, relies on DLL side-loading through the Google-signed software_reporter_tool.exe, and enables credential theft, keystroke logging, system reconnaissance, and WinHTTP-based command-and-control to servicelog-information[.]com.
Sources
- CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware — thehackernews.com — 19.02.2026 10:13