Ethical Hacking News

Cyber Espionage on the Rise: The CRESCENTHARVEST Campaign Exposed



A new campaign dubbed CRESCENTHARVEST has been uncovered by cybersecurity researchers from Acronis Threat Research Unit (TRU). It targets supporters of Iran's ongoing protests to conduct information theft and long-term espionage. The campaign is believed to be the work of an Iran-aligned threat group that relies on sophisticated social engineering and a remote access trojan (RAT) to achieve its objectives.

  • The Acronis Threat Research Unit has uncovered a sophisticated cyber campaign called CRESCENTHARVEST, targeting Iranian protesters.
  • The threat group is believed to be Iran-aligned and represents the latest chapter in nation-state cyber espionage operations.
  • The attackers are using spear-phishing and social engineering tactics to distribute malware.
  • The malware contains a remote access tool that harvests system metadata, browser credentials, and keystrokes.
  • The threat actors use the Windows WinHTTP APIs to communicate with their C2 server, allowing the traffic to blend in with regular HTTP activity.
  • The campaign employs tactics reminiscent of Iranian hacking groups like Charming Kitten and Tortoiseshell.
  • The attackers appear to be targeting Farsi-speaking individuals of Iranian origin, using Farsi language content for social engineering.


    In a recent discovery, cybersecurity researchers from Acronis Threat Research Unit (TRU) have shed light on a sophisticated campaign dubbed CRESCENTHARVEST, aimed at targeting supporters of Iran's ongoing protests to conduct information theft and long-term espionage. The campaign is believed to be the work of an Iran-aligned threat group and represents the latest chapter in a decade-long pattern of suspected nation-state cyber espionage operations.

    According to Acronis, the exact initial access vector used to distribute the malware is not known, but it's suspected that the threat actors are relying on spear-phishing or "protracted social engineering efforts" where they build rapport with the victims over time before sending the malicious payloads. This tactic is reminiscent of Iranian hacking groups like Charming Kitten and Tortoiseshell, which have a storied history of engaging in sophisticated social-engineered attacks involving approaching prospective targets under fake personas and cultivating relationships with them.

    The starting point of the attack chain is a malicious RAR archive that claims to contain information related to the Iranian protests, including various images and videos, along with two Windows shortcut (LNK) files masquerading as an image or a video file by using the double extension trick (*.jpg.lnk or *.mp4.lnk). When launched, these shortcut files run PowerShell code that retrieves a second ZIP archive while simultaneously opening a harmless image or video, tricking the victim into thinking they have interacted with a benign file.

    Present within the ZIP archive is a legitimate Google-signed binary ("software_reporter_tool.exe") shipped as part of Chrome's cleanup utility, together with several DLL files, including two rogue libraries that the executable sideloads to realize the threat actor's objectives. One such library, version.dll (aka CRESCENTHARVEST), functions as a remote access tool that lists installed antivirus products and security tools, enumerates local user accounts on the device, loads DLLs, and harvests system metadata, browser credentials, Telegram desktop account data, and keystrokes.
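    The two delivery traits described above (double-extension *.jpg.lnk / *.mp4.lnk lures in the archive, and version.dll sideloaded from the same directory as software_reporter_tool.exe) can be checked mechanically. The following detector is an added example, not Acronis's or the campaign's code; the event records and file paths are constructed for illustration, and the extension list and system-directory prefixes are assumptions a defender would tune to their environment.

```python
"""Detection helpers for two CRESCENTHARVEST delivery traits (added example, not Acronis code)."""
import ntpath
import re

# Media-looking names that really end in .lnk (the *.jpg.lnk / *.mp4.lnk trick); extension list is an assumption
LURE_LNK = re.compile(r"\.(jpe?g|png|mp4|mov)\.lnk$", re.IGNORECASE)

# Signed host binary and the rogue DLL named in the report
SIDELOAD_HOST = "software_reporter_tool.exe"
SIDELOAD_DLL = "version.dll"
# Where a genuine version.dll is expected to be loaded from (assumed system paths)
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_lure_shortcut(name):
    """True for an archive entry that hides a .lnk behind a media extension."""
    return LURE_LNK.search(ntpath.basename(name)) is not None


def is_suspicious_sideload(process_path, dll_path):
    """True when software_reporter_tool.exe loads version.dll from its own, non-system directory."""
    if ntpath.basename(process_path).lower() != SIDELOAD_HOST:
        return False
    if ntpath.basename(dll_path).lower() != SIDELOAD_DLL:
        return False
    proc_dir = ntpath.dirname(process_path).lower()
    dll_dir = ntpath.dirname(dll_path).lower()
    # Same-directory load of a DLL that should come from System32/SysWOW64 is the sideload pattern
    return dll_dir == proc_dir and not (dll_dir + "\\").startswith(SYSTEM_DIRS)


def scan(events):
    """Return one alert string per matching event; events are dicts with a 'type' key."""
    alerts = []
    for ev in events:
        if ev["type"] == "archive_entry" and is_lure_shortcut(ev["name"]):
            alerts.append(f"double-extension LNK lure: {ev['name']}")
        elif ev["type"] == "image_load" and is_suspicious_sideload(ev["process"], ev["image"]):
            alerts.append(f"version.dll sideload by {ev['process']}")
    return alerts


# Constructed sample events: an archive listing plus image-load telemetry (not real campaign data)
SAMPLE_EVENTS = [
    {"type": "archive_entry", "name": "protests/rally_01.jpg"},
    {"type": "archive_entry", "name": "protests/rally_02.jpg.lnk"},
    {"type": "archive_entry", "name": "protests/clip.MP4.LNK"},
    {"type": "image_load", "process": r"C:\Users\u\AppData\Local\Temp\pkg\software_reporter_tool.exe",
     "image": r"C:\Users\u\AppData\Local\Temp\pkg\version.dll"},
    {"type": "image_load", "process": r"C:\Users\u\AppData\Local\Temp\pkg\software_reporter_tool.exe",
     "image": r"C:\Windows\System32\version.dll"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```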

    The CRESCENTHARVEST campaign uses the Windows WinHTTP APIs to communicate with its command-and-control (C2) server ("servicelog-information[.]com"), allowing the traffic to blend in with regular HTTP activity. Some of the supported commands are listed below:

    • Anti: run anti-analysis checks
    • His: steal browser history
    • Dir: list directories
    • Cwd: get the current working directory
    • Cd: change directory
    • GetUser: get user information
    • ps: run PowerShell commands (not working)
    • KeyLog: activate the keylogger
    • Tel_s: steal Telegram session data
    • Cook: steal browser cookies
    • Info: steal system information
    • F_log: steal browser credentials
    • Upload: upload files
    • shell: run shell commands

    The use of Farsi language content for social engineering and the distributed files depicting the protests in heroic terms suggest an intent to attract Farsi-speaking individuals of Iranian origin, who are in support of the ongoing protests. This strategy mirrors well-established tradecraft from Iranian hacking groups, indicating a continued reliance on sophisticated social-engineered attacks.

    The disclosure comes days after The New York Times revealed that Iran's government likely tracked protesters' locations through their phones in order to warn them by text message that their "presence at illegal gatherings" had been recorded and that they were under "intelligence monitoring." This move was part of an effort to crack down on dissent, highlighting the growing role of digital control and surveillance in maintaining authoritarian rule.

    The central pillar of Iran's digital control model is the National Information Network (NIN), which combines information gleaned from e-government databases, surveillance cameras, as well as malware deployed via social engineering to establish remote access and monitor its citizens' movements online. A lightweight modular trojan called 2Ac2 RAT is designed for victim device control and data collection, further underscoring the sophisticated nature of Iran's cyber espionage operations.

    The CRESCENTHARVEST campaign serves as a stark reminder of the ongoing threat landscape in the realm of cybersecurity, where nation-state actors are continually adapting their tactics to stay ahead of emerging security measures. As such, it is crucial for individuals and organizations alike to remain vigilant and equipped with the latest knowledge and tools to counter these sophisticated threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Cyber-Espionage-on-the-Rise-The-CRESCENTHARVEST-Campaign-Exposed-ehn.shtml

  • https://thehackernews.com/2026/02/crescentharvest-campaign-targets-iran.html

  • https://www.acronis.com/en/tru/posts/crescentharvest-iranian-protestors-and-dissidents-targeted-in-cyberespionage-campaign/

  • https://en.wikipedia.org/wiki/Charming_Kitten

  • https://cybersecuritynews.com/apt35-hacker-groups-internal-documents/

  • https://socradar.io/blog/dark-web-profile-tortoiseshell-apt/

  • https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/


    Published: Thu Feb 19 08:55:08 2026 by llama3.2 3B Q4_K_M