What happened
Security researchers at Acronis have identified an active malware campaign, named CRESCENTHARVEST, that uses Iran’s ongoing protest movement as a lure to deliver a remote access trojan (RAT) and information-stealing malware to targeted Windows systems.
Who is affected
The campaign appears designed to target Farsi-speaking individuals, particularly supporters of Iran’s anti-government protests, as well as activists, journalists, human rights observers and other diaspora communities seeking protest-related content.
Why CISOs should care
While initially focused on a niche geopolitical audience, the CRESCENTHARVEST campaign demonstrates advanced social engineering and malware tactics that any organization could encounter in broader threat activity. Its use of authenticated code-sideloading, persistent RAT capabilities and credential harvesting techniques highlights evolving adversary tradecraft that can bypass standard defenses if not properly mitigated.
3 practical actions
- Harden email and file security by blocking or sandboxing archive attachments and files with double extensions (e.g., .jpg.lnk, .mp4.lnk).
- Deploy and tune endpoint detection for suspicious use of signed executables (e.g., unusual launches of software_reporter_tool.exe) and unexpected scheduled tasks or persistence mechanisms.
- Educate users on social engineering risks, especially around geopolitical content, and enforce stringent verification of unsolicited media or report files.
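As an added illustration of the first action (not code from Acronis or from the original brief), the following Python routine inspects the member names of a ZIP attachment and flags the double-extension pattern the campaign uses (a media-looking name that actually ends in a shortcut or other executable extension). The extension lists and the sample archive are constructed here for the example; tune them to your own environment.

```python
import io
import zipfile
from typing import List, Optional

# Extensions that execute when double-clicked on Windows (constructed list, extend as needed).
EXECUTABLE_EXTS = {".lnk", ".exe", ".scr", ".cmd", ".bat", ".js", ".vbs", ".hta"}
# Extensions an attacker places before the real one so the file looks like media or a document.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov", ".pdf", ".doc", ".docx", ".txt"}


def classify_name(name: str) -> Optional[str]:
    """Return a finding string for one archive member name, or None if it looks benign."""
    base = name.rsplit("/", 1)[-1].lower()   # strip any folder prefix inside the archive
    parts = base.split(".")
    if len(parts) < 2:
        return None                            # no extension at all
    last = "." + parts[-1]
    if last not in EXECUTABLE_EXTS:
        return None                            # final extension is not executable
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS:
        return f"double extension: {name}"     # e.g. photo.jpg.lnk, clip.mp4.lnk
    return f"executable in archive: {name}"    # plain executable, still worth a look


def scan_archive(data: bytes) -> List[str]:
    """Scan an in-memory ZIP and return all findings in archive order."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            finding = classify_name(info.filename)
            if finding:
                findings.append(finding)
    return findings


def build_sample() -> bytes:
    """Build a constructed sample archive mimicking the lure layout described in the brief."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("protest_video.mp4.lnk", b"placeholder, not a real shortcut")
        zf.writestr("photo.jpg.lnk", b"placeholder, not a real shortcut")
        zf.writestr("report.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for line in scan_archive(build_sample()):
        print(line)
```

A mail gateway or sandbox hook can call scan_archive on each attachment and quarantine anything that returns a finding, without having to extract the members.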
