CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware
Briefly

"The campaign exploits recent geopolitical developments to lure victims into opening malicious .LNK files disguised as protest-related images or videos," researchers Subhajeet Singha, Eliad Kimhy, and Darrel Virtusio said in a report published this week. "These files are bundled with authentic media and a Farsi-language report providing updates from 'the rebellious cities of Iran.' This pro-protest framing appears to be intended to increase credibility and to attract Farsi-speaking Iranians seeking protest-related information."
"CRESCENTHARVEST, although unattributed, is believed to be the work of an Iran-aligned threat group. The discovery makes it the second such campaign identified as going after specific individuals in the aftermath of the nationwide protests in Iran that began towards the end of 2025. Last month, French cybersecurity company HarfangLab detailed a threat cluster dubbed RedKitten that targeted non-governmental organizations and individuals involved in documenting recent human rights abuses in Iran with an aim to infect them with a custom backdoor known as SloppyMIO."
Activity observed after January 9 involves attacks designed to deliver a malicious payload functioning as a remote access trojan (RAT) and information stealer capable of executing commands, logging keystrokes, and exfiltrating sensitive data. The campaign leverages protest-related lures by using malicious .LNK files disguised as images or videos and bundling authentic media with a Farsi-language report claiming updates from rebellious cities. CRESCENTHARVEST is assessed to be Iran-aligned and focused on long-term espionage and information theft. Initial access remains uncertain but likely involves spear-phishing or protracted social engineering. The activity follows other campaigns targeting human-rights documenters after nationwide protests in late 2025.
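The lure described above relies on a Windows shortcut (.LNK) being mistaken for a photo or video. A defender can check what a file actually is rather than what its name claims: every Shell Link file begins with a fixed header (HeaderSize 0x4C followed by the Shell Link CLSID), so shortcut bytes under an image name, or a double extension such as `.mp4.lnk`, can be flagged before anyone double-clicks. The script below is an added example for this write-up, not code from the report or its authors; the archive contents, file names and the `scan_zip`/`classify_member` helpers are constructed here for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Shell Link (.LNK) files start with HeaderSize = 0x0000004C (little-endian)
# followed by the LinkCLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

# Extensions a lure would use to look like a photo or video.
MEDIA_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov", ".avi", ".mkv"}


def is_lnk(data: bytes) -> bool:
    """True if the bytes carry a Windows shortcut header, whatever the file is named."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def classify_member(name: str, data: bytes) -> str:
    """Verdict for one file: compare what the name claims with what the bytes are."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    final_ext = suffixes[-1] if suffixes else ""
    shortcut = is_lnk(data)
    if shortcut and final_ext != ".lnk":
        return "suspicious: shortcut content under a non-.lnk name"
    if final_ext == ".lnk" and len(suffixes) >= 2 and suffixes[-2] in MEDIA_EXTENSIONS:
        return "suspicious: shortcut with a media-looking double extension"
    if shortcut:
        return "shortcut"
    return "ok"


def scan_zip(zip_bytes: bytes) -> dict:
    """Classify every member of a ZIP archive held in memory (an attachment, say)."""
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Only the first bytes are needed to recognise a shortcut header.
            verdicts[info.filename] = classify_member(info.filename, zf.read(info)[:64])
    return verdicts


def build_sample_archive() -> bytes:
    """Constructed sample (hypothetical names): one JPEG stub and two shortcut stubs dressed as media."""
    jpeg_stub = bytes.fromhex("FFD8FFE000104A464946") + b"\x00" * 32
    lnk_stub = LNK_MAGIC + b"\x00" * 48
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("genuine_photo.jpg", jpeg_stub)
        zf.writestr("protest_video.mp4.lnk", lnk_stub)  # double extension
        zf.writestr("crowd.png", lnk_stub)              # shortcut bytes under an image name
    return buf.getvalue()


if __name__ == "__main__":
    for name, verdict in scan_zip(build_sample_archive()).items():
        print(f"{name:28} {verdict}")
```

Checking the header rather than the extension is the important part: Explorer hides the `.lnk` suffix by default, so a name-only rule misses exactly the case the lure depends on. The same `classify_member` check works on files extracted to disk or on mail-gateway attachments, and the two "suspicious" verdicts are distinct so a detection rule can alert on either independently.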
Read at The Hacker News