Security researchers disclosed a cyberespionage campaign named CRESCENTHARVEST that began after January 9 and used deceptive .LNK shortcut files inside RAR archives to deliver a remote access trojan and information stealer to supporters of Iran’s protests. It is not known if any attacks succeeded.
KEY FACTS
- Incident: CRESCENTHARVEST espionage campaign targeting Iran protest supporters
- Observed activity: detected after January 9
- Payload: remote access trojan and information stealer delivered via .LNK files in RAR archives
- Command and control: uses domain servicelog-information[.]com
A report by Acronis Threat Research Unit said it observed the activity after January 9 and that the attack chain begins with a malicious RAR archive claiming to contain protest images and videos.
Attackers bundled authentic media with a Farsi-language update to increase credibility and used Windows shortcut files with double extensions such as .jpg.lnk or .mp4.lnk. The shortcuts run PowerShell to fetch another archive while simultaneously opening a benign image or video to trick victims.
The retrieved ZIP includes a Google-signed binary named “software_reporter_tool.exe” and several DLL files. The signed binary sideloads two rogue libraries: urtcbased140d_d.dll, which extracts Chrome App-Bound Encryption keys, and version.dll, the remote access tool that harvests credentials and system data.
The malware uses Windows WinHTTP APIs to contact servicelog-information[.]com and supports commands to list security products, steal browser history and credentials, harvest Telegram session data, log keystrokes, and upload files. Investigators have not reported confirmed successful infections.
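A defender-side triage check for the chain described above, added here as an example and not taken from the Acronis report. It scans constructed endpoint telemetry (the key=value line format, hostnames and file paths are all assumed) for media-named .lnk shortcuts, the two rogue DLLs loaded from outside the Windows system directories, and DNS lookups of the reported command-and-control domain.

```python
# Constructed sample telemetry (not from the report): one event per line,
# space-separated key=value fields; paths contain no spaces by construction.
SAMPLE_EVENTS = [
    r"type=file name=rally_01.jpg.lnk path=C:\Users\u\Downloads\photos",
    r"type=file name=rally_01.jpg path=C:\Users\u\Downloads\photos",
    r"type=process image=powershell.exe parent=explorer.exe",
    r"type=imageload process=software_reporter_tool.exe dll=C:\Users\u\AppData\Local\Temp\x\version.dll",
    r"type=imageload process=software_reporter_tool.exe dll=C:\Windows\System32\version.dll",
    r"type=imageload process=software_reporter_tool.exe dll=C:\Users\u\AppData\Local\Temp\x\urtcbased140d_d.dll",
    r"type=dns process=software_reporter_tool.exe query=servicelog-information.com",
    r"type=dns process=chrome.exe query=update.googleapis.com",
]

MEDIA_EXT = (".jpg", ".jpeg", ".png", ".mp4", ".mov", ".avi")
# version.dll is a legitimate Windows DLL; it is only suspicious when loaded
# from a non-system directory, which is the classic sideloading pattern.
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_DLLS = {"version.dll"}
# No legitimate DLL carries this name, so any load of it is flagged.
NEVER_LEGIT_DLLS = {"urtcbased140d_d.dll"}
C2_DOMAINS = {"servicelog-information.com"}


def parse(line):
    """Turn one key=value telemetry line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def double_extension_lnk(name):
    """True for shortcuts disguised as media, e.g. photo.jpg.lnk."""
    low = name.lower()
    return low.endswith(".lnk") and low[:-4].endswith(MEDIA_EXT)


def detect(lines):
    """Return one alert string per matching event."""
    alerts = []
    for line in lines:
        ev = parse(line)
        kind = ev.get("type")
        if kind == "file" and double_extension_lnk(ev.get("name", "")):
            alerts.append(f"double-extension shortcut: {ev['name']}")
        elif kind == "imageload":
            dll = ev.get("dll", "").lower()
            base = dll.rsplit("\\", 1)[-1]
            if base in NEVER_LEGIT_DLLS or (
                base in SYSTEM_DLLS and not dll.startswith(SYSTEM_DLL_DIRS)
            ):
                alerts.append(f"possible DLL sideload: {ev['process']} loaded {dll}")
        elif kind == "dns" and ev.get("query", "").lower().rstrip(".") in C2_DOMAINS:
            alerts.append(f"C2 domain lookup by {ev['process']}: {ev['query']}")
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields four alerts: the disguised shortcut, both rogue DLL loads, and the C2 lookup; the System32 copy of version.dll and the Chrome update lookup are left alone.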
WHY IT MATTERS
The campaign shows continued use of event-driven social engineering and DLL sideloading to target Farsi-speaking individuals linked to the protests. If successful, the tools can enable credential theft, account compromise, and long-term surveillance of targeted users.