Protests in Iran prompt new cyber-espionage campaign leveraging malware
Analytics · 2026-03-05, 11:20
Researchers from Acronis Threat Research Unit (TRU) have uncovered a cyber-espionage campaign dubbed CRESCENTHARVEST, targeting Farsi-speaking Iranians — primarily individuals seeking information about ongoing protests, as well as their supporters abroad. According to the report, the operation is aimed at data theft and long-term surveillance.
The activity has been observed since early January, shortly after mass protests began. Acronis notes that the attackers capitalize on public interest in the unrest to build trust with potential victims. As part of the social-engineering scheme, targets receive archives containing protest-related photos and videos that appear legitimate, along with Farsi-language documents and other materials presented as timely updates.
Within these archives, researchers identified two malicious .LNK files disguised as images and videos by means of deceptive double file extensions. When a victim opens one of them, the PowerShell script embedded in the shortcut runs and deploys the CRESCENTHARVEST malware. The payload combines remote-access trojan (RAT) functionality with data-stealing capabilities.
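As an added example (not code from the Acronis report), the following Python helper parses the StringData section of a Windows Shell Link (.lnk) file and flags the two traits described above: a media-looking double extension and a shortcut that launches PowerShell with hiding or encoding switches. The field offsets and LinkFlags bits follow the MS-SHLLINK format; the sample shortcut is constructed inline for offline testing, and the switch list is an assumed triage heuristic, not an indicator from the campaign.

```python
import re
import struct
# LinkFlags bits from the MS-SHLLINK Shell Link format specification.
HAS_ID_LIST, HAS_LINK_INFO, HAS_REL_PATH, HAS_ARGS, IS_UNICODE = 1, 2, 8, 32, 128
STRING_FIELDS = {4: "name", 8: "relative_path", 16: "working_dir",   # StringData order
                 32: "arguments", 64: "icon_location"}
LINK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
MEDIA_EXT = re.compile(r"\.(jpe?g|png|gif|mp4|mov|avi|mkv)\.lnk$", re.IGNORECASE)

def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (path, arguments, ...) of a .lnk file."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                     # fixed-size ShellLinkHeader
    if flags & HAS_ID_LIST:                      # skip LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # skip LinkInfo block
        pos += struct.unpack_from("<I", data, pos)[0]
    fields, width = {}, 2 if flags & IS_UNICODE else 1
    for bit, key in STRING_FIELDS.items():       # each: 2-byte char count + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + width * count]
            fields[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + width * count
    return fields

def triage_lnk(filename: str, data: bytes) -> list:
    """List the reasons a shortcut looks like a media file hiding a PowerShell launcher."""
    fields = parse_lnk(data)
    launch = " ".join(fields.get(k, "") for k in ("relative_path", "arguments")).lower()
    reasons = []
    if MEDIA_EXT.search(filename):
        reasons.append("media extension hides .lnk")
    if "powershell" in launch:
        reasons.append("shortcut launches PowerShell")
    for marker in ("-enc", "-w hidden", "-windowstyle hidden", "bypass", "-nop"):
        if marker in launch:
            reasons.append(f"suspicious PowerShell switch: {marker}")
    return reasons

def build_sample_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed minimal .lnk for offline testing; not a real sample from the campaign."""
    flags = HAS_ID_LIST | HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LINK_CLSID, flags).ljust(76, b"\x00")
    body = struct.pack("<H", 2) + b"\x00\x00"    # IDListSize=2: only the TerminalID
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body
```

Real shortcuts usually carry a LinkInfo block and an ExtraData section after StringData; the parser skips the former and ignores the latter, so it stays usable on archive contents extracted during triage.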
This case reflects a broader trend previously noted in research by Kaspersky: threat actors increasingly exploit breaking news and politically sensitive events to enhance the effectiveness of phishing campaigns. At the same time, the events in Iran — alongside earlier incidents in Peru — illustrate the growing sophistication of such operations. Attackers are moving beyond simple one-step phishing attempts toward multi-stage campaigns focused on establishing trust before delivering malicious payloads. Another notable aspect of this campaign is the shift away from corporate targets toward socially and politically aligned groups.