CRESCENTHARVEST Windows RAT and info-stealer activity
Malware Activity
Summary
Hide ▲
Show ▼
The CRESCENTHARVEST malware activity centers on version.dll, a Windows RAT and information stealer that can execute commands, log keystrokes, and exfiltrate data. It matters because the payload combines remote access, credential theft, and system reconnaissance in one toolchain. The activity was observed after January 9 and is tied to an espionage-oriented lure operation aimed at people connected to Iran’s protest movement; no successful compromise has been confirmed.
Related Happenings
ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion
Technical Analysis
H score74
First: 01.07.2026 08:32
Last: 01.07.2026 08:32
Sources 1
About this happening:
Analysis of **ClickFix** payload delivery shows operators moving to **API-driven servers** and a **Downloads-folder** orchestrator, increasing stealth across live campaigns. The b...
ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion
Technical AnalysisAbout this happening: Analysis of **ClickFix** payload delivery shows operators moving to **API-driven servers** and a **Downloads-folder** orchestrator, increasing stealth across live campaigns. The b...
DriveSurge large-scale website-hijack malware distribution campaign
Campaign
H score41
First: 02.06.2026 01:14
Last: 02.06.2026 01:14
Sources 1
About this happening:
The **DriveSurge** campaign is redirecting visitors from **thousands of compromised websites** to **malware-delivery infrastructure**, creating a broad infection path through **Cl...
DriveSurge large-scale website-hijack malware distribution campaign
CampaignAbout this happening: The **DriveSurge** campaign is redirecting visitors from **thousands of compromised websites** to **malware-delivery infrastructure**, creating a broad infection path through **Cl...
LLMShare ChatGPT share-link malware lure campaign
Campaign
H score47
First: 29.05.2026 21:21
Last: 29.05.2026 21:21
Sources 1
About this happening:
The **LLMShare** campaign is using **Google ads** and a legitimate **chatgpt.com** shared page to route people searching for **ChatGPT** into a fake **OpenAI outage** lure that pu...
LLMShare ChatGPT share-link malware lure campaign
CampaignAbout this happening: The **LLMShare** campaign is using **Google ads** and a legitimate **chatgpt.com** shared page to route people searching for **ChatGPT** into a fake **OpenAI outage** lure that pu...
LotusLite backdoor delivered via DLL sideloading
Malware Activity
H score22
First: 21.04.2026 15:00
Last: 21.04.2026 15:00
Sources 1
About this happening:
The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...
LotusLite backdoor delivered via DLL sideloading
Malware ActivityAbout this happening: The **Mustang Panda** malware activity now includes **June 12–22, 2026** compromises against **Indian government** and **hydropower** targets, where the group abused **Zoho WorkDr...
Latest development: 29.06.2026 18:03
Acronis observed Mustang Panda campaigns against Indian government and hydropower targets using SHARDLOADER, MINIRECON, and ZOHOMURK, with Zoho WorkDrive abused as a command-and-control and exfiltration channel. The activity involved spear-phishing ZIP archives, DLL sideloading through signed binaries such as Solid PDF Creator and Citrix Receiver, and active beaconing from June 12 to June 22, 2026; Acronis also found active compromises inside Indian government networks and worked with CERT-In on notification and cleanup.
108 Malicious Google Chrome extensions sharing a C2 backend
Malware Activity
H score11
First: 14.04.2026 11:35
Last: 14.04.2026 11:35
Sources 1
About this happening:
**108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
108 Malicious Google Chrome extensions sharing a C2 backend
Malware ActivityAbout this happening: **108 malicious Google Chrome extensions** were found to use the same **C2 infrastructure** to steal credentials, sessions, and browsing data while injecting ads and arbitrary Jav...
Timeline
-
19.02.2026 10:13 2 articles · 4mo ago
Acronis discloses CRESCENTHARVEST espionage campaign
Initial DisclosureAcronis Threat Research Unit discloses CRESCENTHARVEST, a likely Iran-aligned espionage campaign targeting supporters of Iran's protests with malicious .LNK files inside RAR archives that deliver a RAT and information stealer. The payload chain uses PowerShell to fetch a ZIP archive, relies on DLL side-loading through the Google-signed software_reporter_tool.exe, and enables credential theft, keystroke logging, system reconnaissance, and WinHTTP-based command-and-control to servicelog-information[.]com.
Show sources
- CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware — thehackernews.com — 19.02.2026 10:13
- CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware — thehackernews.com — 19.02.2026 10:13