CRESCENTHARVEST: Iranian Dissidents Targeted in New Cyberespionage Campaign

By Imthiyaz Ali
In mid-February 2026, researchers at Acronis uncovered a highly targeted cyberespionage operation codenamed CRESCENTHARVEST. The campaign specifically targets Iranian dissidents and supporters of anti-government protests both within Iran and abroad. By weaponizing recent geopolitical unrest and internet blackouts, the threat actors distribute sophisticated malware designed for long-term surveillance and data exfiltration.

The campaign is notable for its "sympathetic" social engineering lures, which utilize pro-protest imagery and reports to build trust with Farsi-speaking targets before deploying a dual-purpose info-stealer and Remote Access Trojan (RAT).

The Lure: "Updates from the Rebellious Cities"

The attackers capitalize on the information vacuum created by state-imposed internet blackouts. Victims are typically reached via social engineering on private messaging apps like WhatsApp and Telegram. The infection vector involves a .rar archive containing:

  • Authentic Media: Genuine videos and photos from recent protests in cities like Neyshabur.
  • Pro-Protest Reports: A Farsi-language Microsoft Word document that uses upbeat, supportive language regarding the demonstrations to increase the lure's credibility.
  • Malicious Shortcuts: Two files disguised as a video (.mp4.lnk) and an image (.jpg.lnk).

Technical Analysis: Stealth and Persistence

When a victim clicks on the malicious .lnk files, a complex multi-stage execution chain begins, designed to bypass traditional antivirus detections.

1. The "Headless" Execution

The initial script invokes nested conhost.exe processes with a --headless switch. This ensures that no terminal windows or pop-ups appear to the user, effectively hiding the installation process while the decoy image or video is simultaneously opened to distract the victim.

2. Event-Triggered Persistence

Unlike malware that simply runs at system boot, CRESCENTHARVEST uses a more elusive persistence mechanism: a scheduled task whose trigger is an event subscription on NetworkProfile EventID 10000 (the "Network Connected" event in the Microsoft-Windows-NetworkProfile/Operational log). The malware therefore activates only when the system successfully connects to a network, which is particularly effective against dissidents who keep their systems offline for long periods to avoid detection.

3. DLL Sideloading

The core payload is deployed via DLL Sideloading, using a signed and trusted Google executable to load malicious .dll files (such as urtcbased140d_d.dll). This technique allows the malware to run under the guise of a legitimate, verified process.

Malware Capabilities: The Dual-Module Threat

CRESCENTHARVEST functions as both a credential harvester and a surveillance tool. The researchers identified two primary modules:

  • Encryption Bypass: Specifically designed to extract and decrypt Chrome’s App-Bound encryption keys.
  • Information Stealer: Harvests saved credentials, browsing history, cookies, and session data from Telegram.
  • Keylogger: Captures keystrokes and exfiltrates them to the C2 server every time the log reaches 2,000 bytes.
  • Backdoor (RAT): Allows the attacker to execute remote commands, upload/download files, and take screenshots.

Attribution and Infrastructure

While the threat actor has not been formally named, researchers point to strong overlaps with Iranian-aligned groups. The TTPs (Tactics, Techniques, and Procedures) mirror a 2023 campaign detailed by Check Point Research. To obscure their location, the actors use Cloudflare’s reverse proxy infrastructure, making the true origin of the Command-and-Control (C2) servers difficult to pinpoint.

Recommended Defensive Actions

For individuals and organizations at risk, the following steps are recommended:

  • Disable LNK Execution: If possible, restrict the execution of .lnk files from unverified or compressed folders.
  • Audit Scheduled Tasks: Look for tasks triggered by NetworkProfile events that point to obscure DLLs in \AppData\Local\Temp or similar directories.
  • Use Hardened Browsers: Dissidents are encouraged to use browsers with enhanced sandboxing or "Lockdown Mode" on macOS/iOS to mitigate app-bound key extraction.
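The scheduled-task audit above, as an added example that is not from the Acronis report: a PowerShell snippet for the affected Windows host that lists tasks with an event trigger subscribed to the NetworkProfile log and flags actions launched from user-writable paths. The path list and the --headless indicator are assumptions drawn from this article, not a vetted detection signature.

```powershell
# Added example (not from the Acronis report). Run in an elevated PowerShell session;
# Get-ScheduledTask and the MSFT_Task* CIM classes come with the built-in ScheduledTasks module.

# Locations a legitimate network-triggered task would rarely execute from (assumed list).
$suspiciousRoots = @('\AppData\Local\Temp', '\AppData\Roaming', '\Users\Public', '\ProgramData')

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($trigger in $task.Triggers) {
        # Only event-based triggers carry an XPath subscription string.
        if ($trigger.CimClass.CimClassName -ne 'MSFT_TaskEventTrigger') { continue }
        $sub = [string]$trigger.Subscription
        if ($sub -notmatch 'NetworkProfile') { continue }

        # Pull out the EventID the subscription selects on (10000 = network connected).
        $eventId = if ($sub -match 'EventID\s*=\s*(\d+)') { $Matches[1] } else { '?' }

        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            # Flag user-writable launch paths and the hidden-console switch described in the article.
            $pathHit     = $suspiciousRoots | Where-Object { $cmd -like "*$_*" }
            $headlessHit = $cmd -match '--headless'
            [pscustomobject]@{
                Task       = "$($task.TaskPath)$($task.TaskName)"
                EventID    = $eventId
                Command    = $cmd
                Suspicious = [bool]($pathHit -or $headlessHit)
            }
        }
    }
}

# Suspicious entries first; review each one against the task's author and creation date.
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Any task that is both network-triggered and launches from a temp or roaming profile path deserves a closer look at the DLLs the action loads, since a signed host binary in the Execute column is exactly what sideloading relies on.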

Security Note: This campaign is active as of February 2026. Farsi-speaking activists and journalists are advised to treat all "protest update" archives from untrusted sources as high-risk.

Imthiyaz Ali
Imthiyaz is an experienced cybersecurity professional with over 5 years of experience in cybersecurity research.