Security News

Cybersecurity news aggregator

MEDIUM Attacks Reddit r/netsec

CRESCENTHARVEST: Iranian protestors and dissidents targeted in cyberespionage campaign

  • What: A cyberespionage campaign dubbed CRESCENTHARVEST is targeting Iranian protestors and dissidents with malware.
  • Impact: The campaign aims to steal information and conduct long-term espionage by deploying a remote access trojan and information stealer.

Authors: Subhajeet Singha, Eliad Kimhy, Darrel Virtusio

Summary

Acronis' Threat Research Unit (TRU) has uncovered a malware campaign, dubbed CRESCENTHARVEST, potentially targeting supporters of Iran's ongoing protests with the goal of information theft and long-term espionage. Observed shortly after January 9, the campaign exploits recent geopolitical developments to lure victims into opening malicious .LNK files disguised as protest-related images or videos. These files are bundled with authentic media and a Farsi-language report providing updates from "the rebellious cities of Iran." This pro-protest framing appears intended to increase credibility and to attract Farsi-speaking Iranians seeking protest-related information.

The payload, which we've named CRESCENTHARVEST, is deployed via DLL sideloading using a signed Google executable. It functions as both a remote access trojan and an information stealer, capable of executing commands, keylogging and exfiltrating sensitive victim data. The malware demonstrates moderate development maturity, with code overlaps and direct reuse of open-source projects, alongside limited anti-analysis techniques.

Based on analysis of similar attacks, this campaign likely stems from spear-phishing or protracted social engineering efforts in which victim trust is cultivated over time, and it reflects a continued trend of targeted attacks using protest-based lures. While the attacker remains unidentified, analysis of methodology, code and C2 infrastructure points to an Iranian-aligned threat group. Amid ongoing political turmoil, this campaign appears specifically crafted to target Farsi-speaking Iranians sympathetic to the protests, though activists, journalists and others seeking reliable information from within Iran may also be at risk.
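The summary above describes the lure as .LNK shortcuts posing as protest images or videos and shipped alongside genuine media. An analyst triaging such an archive should not trust the name the victim sees: a Windows shortcut is identified by its Shell Link header (HeaderSize 0x4C followed by the LinkCLSID {00021401-0000-0000-C000-000000000046}), regardless of extension tricks such as "photo.jpg.lnk" or whitespace padding before the real extension. The following is an added example, not code from the Acronis report; the archive entries, file names and byte prefixes are constructed for illustration and are not indicators from the campaign.

```python
"""Triage an archive listing for shortcut (.LNK) lures posing as media files.

Added example, not part of the Acronis report. SAMPLE_ENTRIES is constructed
(hypothetical names, not campaign IOCs) and stands in for the (name, leading
bytes) pairs you would read out of the delivered archive.
"""

# MS-SHLLINK header: HeaderSize 0x0000004C, then LinkCLSID
# {00021401-0000-0000-C000-000000000046} serialized little-endian.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Extensions a victim would read as a harmless image or video.
MEDIA_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mp4", ".mov", ".avi", ".mkv"}


def has_lnk_header(data: bytes) -> bool:
    """True if the leading bytes carry the Shell Link header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def split_exts(name: str):
    """All extensions of a file name, lowercased and stripped of padding:
    'a.jpg.lnk' -> ['.jpg', '.lnk'], 'clip.mp4  .lnk' -> ['.mp4', '.lnk']."""
    base = name.rsplit("/", 1)[-1]
    return ["." + p.strip().lower() for p in base.split(".")[1:]]


def classify(name: str, data: bytes) -> str:
    """Combine what the name claims with what the header proves."""
    exts = split_exts(name)
    looks_media = any(e in MEDIA_EXTS for e in exts)
    if has_lnk_header(data):
        if exts and exts[-1] != ".lnk":
            # Real shortcut saved under a non-.lnk name; Explorer would not
            # launch it as a shortcut, but it still merits a look.
            return "lnk-header-renamed"
        return "lnk-media-lure" if looks_media else "lnk"
    if exts and exts[-1] == ".lnk":
        return "lnk-ext-no-header"  # named .lnk but not a parseable shortcut
    return "media" if looks_media else "other"


def triage(entries):
    """entries: iterable of (name, leading_bytes). Returns the entries an
    analyst should open first, with their classification."""
    flagged = []
    for name, data in entries:
        verdict = classify(name, data)
        if verdict.startswith("lnk"):
            flagged.append((name, verdict))
    return flagged


# Constructed sample listing (hypothetical names, not campaign indicators).
JPEG_MAGIC = bytes.fromhex("ffd8ffe0")
MP4_PREFIX = bytes.fromhex("00000018") + b"ftypisom"
SAMPLE_ENTRIES = [
    ("report.pdf", b"%PDF-1.7"),
    ("tehran_1.jpg", JPEG_MAGIC + b"\x00" * 20),
    ("tehran_2.jpg.lnk", LNK_MAGIC + b"\x00" * 56),        # double extension
    ("street_video.mp4  .lnk", LNK_MAGIC + b"\x00" * 56),  # padding hides .lnk
    ("clip.mp4", MP4_PREFIX),
    ("notes.lnk", LNK_MAGIC + b"\x00" * 56),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ENTRIES):
        print(f"{verdict:20s} {name!r}")
```

The header check matters more than the name check: renaming or padding defeats an extension filter, but a shortcut that Windows will honour must still begin with those twenty bytes.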
Introduction

For the past two weeks, the Acronis TRU team has been actively monitoring a malware campaign leveraging the recent geopolitical developments in Iran, which appears to be aimed at Iranian protestors or Iranian protest supporters abroad. Although available telemetry is insufficient to conclusively state the intended target, this campaign aligns in victimology with recently documented espionage activity targeting Iranian citizens, and in methodology with campaigns previously associated with Iranian threat actors.

In response to widespread protests and growing domestic unrest, the Islamic Revolutionary Guard Corps (IRGC) has reportedly intensified efforts to monitor and suppress dissent among Iranian citizens both domestically and abroad. Historically, this activity has included coordinated surveillance and intimidation campaigns targeting activists, journalists and political opponents. In several documented cases, these operations have extended beyond digital monitoring. While we cannot conclusively assess whether the targets of this campaign fall within any of the abovementioned categories, the campaign is likely to resonate with Iranians opposed to the IRGC. The use of Farsi-language content for social engineering and the distributed files depicting the protests in heroic terms suggest an intent to attract Farsi-speaking individuals of Iranian origin who support the ongoing protests.

Operationally, these types of campaigns favor high-complexity, semi-repeatable execution techniques, such as the use of spyware and custom-made malware. In this campaign, the attackers are using DLL sideloading to deploy custom implants via benign or signed and trusted executables, a technique observed across multiple threat groups. The campaign analyzed in this report reflects behaviors such as the use of a fresh set of non-overlapping infrastructure, as well as a newly observed malware family.
This report details the observed attack chain and provides an analysis of the malware used in the attack, as well as the methodology and social engineering aspects.

Initial infection: An update from the front line

Our investigation into this campaign began with the discovery of the malware and the files bundled alongside it. As a result, we have limited visibility into the initial dissemination mechanisms or the specific victim set. However, analysis of tradecraft observed in similar attacks provides useful context and suggests some plausible initial access scenarios. Review of publicly reported Iranian cyberespionage operations, as well as other similar attacks, indicates that this campaign may have begun with a spear-phishing attack, or with a protracted social engineering campaign that builds trust over a span of time and, once trust is established, leverages it to infect the victim with some form of malware.

(Figure caption: The files sent to the victim include a report and media files depicting the ongoing protests in Iran)

The victim will eventually receive a collection of files, grouped in an archive (.RAR file) or sent individually over time. To the victim, this archive seems to contain an update from the front line of the protests...
