A sophisticated new malware campaign named ‘CRESCENTHARVEST’ has surfaced, strategically exploiting the geopolitical unrest in Iran to target dissidents and protest supporters.
This cyberespionage operation leverages social engineering to deploy a dual-purpose threat capability, functioning as both a remote access trojan (RAT) and an advanced information stealer.
The attackers aim to compromise specific targets by mimicking legitimate protest-related content, thereby gaining trust and access to sensitive systems.
The infection chain begins with an archive file containing seemingly authentic media and reports about the ongoing protests.
Inside this package, victims encounter malicious .LNK files disguised as video or image files, such as VID_20260114_000556_609.mp4.lnk.
Once executed, these shortcuts trigger a hidden sequence that deploys the payload while simultaneously displaying the expected decoy content to avoid suspicion.
This method effectively bypasses initial scrutiny by blending malicious indicators with genuine Farsi-language documents.
Acronis analysts identified that the malware employs a technique known as DLL sideloading, utilizing a signed Google executable, software_reporter_tool.exe, to load malicious libraries.
This allows the threat actors to execute commands, capture keystrokes, and exfiltrate critical data like browser credentials and Telegram session files.
The campaign’s primary objective appears to be long-term surveillance and intelligence gathering on individuals sympathetic to the opposition movement.
The operational sophistication suggests a well-resourced adversary, likely aligned with Iranian state interests.
By embedding the malware within a context that resonates emotionally with the target audience, the attackers increase the likelihood of successful infection.
The malware’s modular design enables it to adapt to different environments, ensuring that it can harvest extensive data while maintaining a low profile on the victim’s machine.
Bypassing App-Bound Encryption
A distinct technical feature of CRESCENTHARVEST is its specific module designed to evade Chrome’s App-Bound Encryption.
The malicious DLL, identified as urtcbased140d_d.dll, functions as a specialized implant that interacts directly with the browser’s internal COM interfaces to facilitate theft.
Instead of merely copying files, it constructs a browser context structure to legitimately request decryption services from the operating system, bypassing standard protection mechanisms.
The module locates the Local State file within the user’s AppData directory to extract the encrypted key.
It then utilizes the CoCreateInstance function to instantiate an elevated COM broker, effectively tricking the system into decrypting the key.
Once decrypted, this sensitive information is exfiltrated via a named pipe to the main backdoor module, allowing the attackers to unlock and steal saved login credentials, cookies, and history.
To mitigate such threats, experts recommend that users employ hardware security keys and exercise extreme caution with unsolicited files.
Organizations should monitor for unusual COM object instantiations and strictly validate signed binaries to detect this evasion technique effectively.