CRESCENTHARVEST Campaign Targets Iran Protest Supporters With RAT Malware

TL;DR
- CRESCENTHARVEST is a remote access trojan (RAT) campaign targeting Iranian activist networks.
- Attributed by multiple vendors (cited below) to actors linked with Iranian interests; attribution remains contested.
- Real-world impact includes compromised devices, surveillance of dissidents, and erosion of trust in secure communications.
- Actionable guidance below for individuals and security teams to mitigate risk.
What is CRESCENTHARVEST?
CRESCENTHARVEST refers to a set of RAT-based malware campaigns primarily detailed by the Acronis Threat Response Unit in April 2025 (Acronis TRU report, 2025). The campaign name was coined by Acronis, which first observed the malware targeting activists, journalists, and citizen groups opposed to Iranian government policies.
Evidence callout:
“CRESCENTHARVEST employs remote access trojans for silent data exfiltration and long-term persistence, primarily targeting Iranian protester networks.”
— Acronis TRU, 2025
Vendor corroboration comes from Microsoft’s MSTIC advisory (2024) and the Amnesty Tech Investigative Bulletin (2025), both reporting similar TTPs and target profiles. While many reports attribute the operation to actors linked to Iran’s government (including historical associations with APT33), some analysts emphasize attribution caveats because of overlapping Tactics, Techniques, and Procedures (TTPs) and the potential for false flags (Citizen Lab, 2024).
CRESCENTHARVEST Malware Analysis: Technical Summary
Confirmed TTPs (MITRE ATT&CK Reference)
- Initial Access: Spear-phishing emails, often using activist-related subject lines such as “Urgent: Protest Coordination” (Acronis TRU, 2025). [T1566: Phishing]
- Execution: Dropper embedded in ODT/PDF attachments; launches the RAT process on the victim device. [T1204: User Execution]
- Persistence: Registry autorun keys, scheduled task creation (“Updater_Mail”), and DLL sideloading. [T1547: Boot or Logon Autostart Execution]
- Command & Control: HTTP(S) beaconing with traffic masquerading as legitimate encrypted-app connections. C2 domains include protest-coord[.]com and iran-news[.]net (confirmed in IOC summaries). [T1071: Application Layer Protocol]
- Credential Access: Keylogging and browser credential harvesting, targeting Chrome/Firefox login vaults. [T1110: Brute Force]
- Exfiltration: Automated grabbing of documents, encrypted-messaging-app logs, and screenshots; sent outbound as compressed ZIP over TLS. [T1041: Exfiltration Over Command and Control Channel]
Detection signals:
- Outbound HTTPS to known C2 domains/IPs (Acronis: 185.220.70.30, 94.140.115.47).
- Scheduled tasks labeled suspiciously (e.g., “Updater_Mail”).
- Unusual process injection into Telegram, Signal, WhatsApp executables.
- File access spikes in "Documents" folders during idle hours.
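The four detection signals above can be expressed as a single pass over endpoint telemetry. The block below is an added illustration, not code from Acronis, Microsoft or any other vendor cited here: the Sysmon-like event shape and field names, the idle-hour window (00:00 to 05:59) and the Documents-read threshold are assumptions chosen for the example, and the sample events are constructed, not real logs. Only the task name and the two C2 IPs come from the article.

```python
"""Constructed detection pass over Sysmon-style endpoint events (added example)."""
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple

# Watchlists taken from the indicators quoted in the article.
SUSPICIOUS_TASK_NAMES = {"updater_mail"}
C2_IPS = {"185.220.70.30", "94.140.115.47"}
CHAT_APP_IMAGES = {"telegram.exe", "signal.exe", "whatsapp.exe"}

IDLE_HOURS = range(0, 6)       # assumption: 00:00-05:59 local time counts as idle
DOC_ACCESS_THRESHOLD = 50      # assumption: Documents reads per idle hour that trigger an alert

Finding = Tuple[str, str]      # (rule name, human-readable detail)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events: List[Dict]) -> List[Finding]:
    """Return one finding per matched signal, in event order; idle-hour spikes last."""
    findings: List[Finding] = []
    doc_reads: Counter = Counter()

    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        kind = ev["type"]

        if kind == "task_create" and ev["task"].lower() in SUSPICIOUS_TASK_NAMES:
            findings.append(("suspicious_task", f"{ev['user']} created task {ev['task']!r}"))

        elif kind == "net_connect" and ev["dst_ip"] in C2_IPS:
            findings.append(("c2_connection", f"{basename(ev['image'])} -> {ev['dst_ip']}:{ev['dst_port']}"))

        elif kind == "remote_thread":
            src, dst = basename(ev["source"]), basename(ev["target"])
            # Chat apps create threads in themselves; a foreign image doing so is the signal.
            if dst in CHAT_APP_IMAGES and src != dst:
                findings.append(("chat_app_injection", f"{src} injected into {dst}"))

        elif kind == "file_read" and "/documents/" in ev["path"].replace("\\", "/").lower():
            doc_reads[(ts.date(), ts.hour)] += 1

    for (day, hour), count in sorted(doc_reads.items()):
        if hour in IDLE_HOURS and count >= DOC_ACCESS_THRESHOLD:
            findings.append(("idle_hour_doc_access", f"{count} Documents reads on {day} at {hour:02d}:00"))

    return findings


# Constructed sample telemetry (not real logs): one benign task, one benign chat
# connection, one benign in-process thread, and the four patterns listed as signals.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": "2025-04-02T14:03:10", "type": "task_create", "task": "Updater_Mail", "user": "LAB\\jdoe"},
    {"ts": "2025-04-02T14:03:12", "type": "task_create", "task": "OneDrive Standalone Update", "user": "LAB\\jdoe"},
    {"ts": "2025-04-02T14:05:00", "type": "net_connect", "image": "C:\\Users\\jdoe\\AppData\\Roaming\\svc.exe",
     "dst_ip": "185.220.70.30", "dst_port": 443},
    {"ts": "2025-04-02T14:05:30", "type": "net_connect", "image": "C:\\Program Files\\Telegram\\Telegram.exe",
     "dst_ip": "203.0.113.8", "dst_port": 443},   # RFC 5737 documentation address, stands in for a legitimate server
    {"ts": "2025-04-02T14:06:00", "type": "remote_thread", "source": "C:\\Users\\jdoe\\AppData\\Roaming\\svc.exe",
     "target": "C:\\Program Files\\Telegram\\Telegram.exe"},
    {"ts": "2025-04-02T14:06:05", "type": "remote_thread", "source": "C:\\Program Files\\Telegram\\Telegram.exe",
     "target": "C:\\Program Files\\Telegram\\Telegram.exe"},
] + [
    # 60 reads of Documents files between 03:00 and 03:59 while the user is away.
    {"ts": f"2025-04-03T03:{i:02d}:00", "type": "file_read",
     "path": f"C:\\Users\\jdoe\\Documents\\notes_{i}.docx"}
    for i in range(60)
]


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

Running the block prints four findings, one per signal; the benign OneDrive task, the Telegram connection to a non-IOC address and Telegram's own thread creation produce none. In production the idle window and threshold would be derived from a per-user baseline rather than fixed constants.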
Evidence callout:
“Malware persistence relies on registry autoruns and scheduled tasks; outbound traffic is disguised as encrypted chat app activity.”
— Microsoft MSTIC, 2024
Indicators of Compromise (IOCs)
- Malicious emails: Subjects like “Protest Coordination Update” or “Legal Aid - URGENT”
- C2 domains: protest-coord[.]com, iran-news[.]net, activist-log[.]org
- File hashes: Provided in the Acronis IOC feed.
For safety, only use IOCs published by vetted vendors or your trusted CERT. Do not hunt based on live indicators unless your team is authorized.
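Published IOCs arrive defanged (the `[.]` form above) and have to be normalised before they can be matched against proxy or DNS logs, and a naive substring match will produce false positives on look-alike hosts. The block below is an added example, not code from Acronis or any CERT: the refanging conventions handled (`[.]`, `(.)`, `hxxp://`) are the common ones, the Squid-style log lines are constructed, and the indicator list is the defanged set quoted in this section.

```python
"""Refang published indicators and match them against constructed proxy logs (added example)."""
import re
from typing import Dict, List, Tuple

# Indicators exactly as published (defanged) in the article's IOC list.
DEFANGED_DOMAINS = ["protest-coord[.]com", "iran-news[.]net", "activist-log[.]org"]


def refang(indicator: str) -> str:
    """Turn 'hxxps://evil[.]example/x' into the form that appears in logs."""
    s = indicator.strip().lower()
    s = re.sub(r"^hxxp", "http", s)          # hxxp:// / hxxps:// -> http:// / https://
    return s.replace("[.]", ".").replace("(.)", ".").replace("[://]", "://")


def host_of(indicator: str) -> str:
    """Hostname of a refanged URL, host:port pair or bare domain."""
    s = re.sub(r"^[a-z]+://", "", refang(indicator))
    return s.split("/", 1)[0].split(":", 1)[0]


def parse_squid_line(line: str) -> Dict[str, str]:
    """Minimal parser for Squid native access-log lines (whitespace separated)."""
    parts = line.split()
    return {"ts": parts[0], "client": parts[2], "method": parts[5], "url": parts[6]}


def match_log(log_text: str, indicators: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, observed host, matched indicator) for each hit.

    A host matches an indicator when it is that domain or a subdomain of it;
    'iran-news.net.example.net' is deliberately NOT a match for 'iran-news.net'.
    """
    iocs = {host_of(i) for i in indicators}
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_squid_line(line)
        host = host_of(rec["url"])
        matched = next((i for i in iocs if host == i or host.endswith("." + i)), None)
        if matched:
            hits.append((rec["client"], host, matched))
    return hits


# Constructed sample log (not real traffic): a direct C2 hit, a benign fetch,
# a subdomain of an IOC, and a look-alike host that must not match.
SAMPLE_PROXY_LOG = """\
1743602700.123    210 10.0.0.15 TCP_TUNNEL/200 4123 CONNECT protest-coord.com:443 - HIER_DIRECT/203.0.113.10 -
1743602701.456     88 10.0.0.15 TCP_MISS/200 9821 GET http://update.example.org/feed.xml - HIER_DIRECT/203.0.113.11 application/xml
1743602702.789    150 10.0.0.22 TCP_TUNNEL/200 2210 CONNECT cdn.iran-news.net:443 - HIER_DIRECT/203.0.113.12 -
1743602703.012     70 10.0.0.22 TCP_MISS/200 512 GET http://iran-news.net.example.net/ - HIER_DIRECT/203.0.113.13 text/html
"""


if __name__ == "__main__":
    for client, host, ioc in match_log(SAMPLE_PROXY_LOG, DEFANGED_DOMAINS):
        print(f"{client} contacted {host} (matches IOC {ioc})")
```

The suffix check (`host == ioc or host.endswith("." + ioc)`) is what keeps the look-alike `iran-news.net.example.net` out of the results while still catching `cdn.iran-news.net`; replacing it with `ioc in host` is the usual mistake.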
How RATs Target Activists: Real-World Scenario
A Tehran-based journalist reports receiving urgent legal information over email. The attached PDF, when opened, triggers a RAT installation. Within minutes, browser credentials, encrypted chat logs, and personal contacts are quietly exfiltrated. Days later, colleagues experience targeted intimidation—confirming distributed compromise via shared devices and accounts (Amnesty Tech, 2025).
Bullet summary:
- Targeting activists via contextual phish.
- Silent data theft, surveillance, and intimidation.
- C2 traffic disguises itself as chat app pings.
Attribution & Evidence
Multiple vendor reports have linked CRESCENTHARVEST-style campaigns to Iranian actors, primarily referencing APT33 and related threat clusters (Microsoft MSTIC, 2024; Acronis TRU, 2025). Attribution is based on infrastructure overlap, coding conventions, historical targeting patterns, and malware signatures consistent with prior Iranian campaigns (CERT-IL Advisory, 2024).
Attribution caveats:
- False flag operations are increasingly plausible, as noted by Citizen Lab, 2024.
- Evidence remains circumstantial; no consensus on exclusive Iranian state responsibility.
Evidence callout:
“Infrastructure overlap with prior APT33 operations is apparent; attribution remains contested.”
— Citizen Lab, 2024
Bullet summary:
- Attribution leans Iranian, but contested by credible NGOs.
- Disinformation tactics complicate conclusive assignment.
Impact on Activists: Operational Consequences
- Compromised devices give adversaries direct access to private planning, contacts, and encrypted communications.
- Surveillance creates persistent psychological stress and suspicion among protest networks.
- Exposed chat logs and credentials have led to targeted intimidation, arrests, and organizational disruption (Amnesty Tech, 2025).
- Weaknesses in popular encrypted apps exposed; threat actors focus on endpoint compromises rather than cryptographic attacks.
Bullet summary:
- Surveillance undermines trust and operational security.
- RAT malware exploits endpoints, not crypto tech.
- Real-world harassment and intimidation stem from digital compromises.

Mitigation Steps for Targeted Individuals
Immediate Containment
- Isolate device: Disconnect from internet and power down.
- Change credentials: Reset critical account passwords from a clean device; enable 2FA where possible.
- Notify contacts: Alert trusted partners of potential compromise.
Evidence Preservation
- Preserve device/system state for forensic review (avoid resetting or reformatting).
- Document suspicious activity and retain relevant emails/files.
- Contact trusted digital rights organizations: Amnesty Tech, Citizen Lab, EFF Emergency Support.
Long-term Risk Reduction
- Adopt vetted secure-communication apps (EFF Surveillance Self-Defense Guide).
- Practice threat-model-based OPSEC (avoid device sharing, use hardware 2FA keys).
- Regularly audit devices with approved anti-malware tools and remain skeptical of unsolicited attachments.
Evidence-supported checklist:
- Disconnect, reset, preserve.
- Contact trusted orgs and CERT.
- Favor vetted, up-to-date security apps.
What Organizations Should Do: Security Teams
- Collect telemetry: Monitor outbound HTTPS and unexpected scheduled tasks; prioritize signals listed in vendor reports.
- Leverage detection rules: Implement Sigma detection rules and YARA signatures (if available).
- Harden infrastructure: Enforce least-privilege principles, endpoint isolation, and continuous staff phishing-awareness training.
- Report findings: Share IOCs and findings with local CERT and reputable threat intelligence sharing platforms.
Security team bullet points:
- Centralize and monitor telemetry for C2/IP patterns.
- Deploy current Sigma/YARA rules.
- Enforce endpoint/credential hygiene and escalate findings.
Operational Safety Note
Individuals at risk of targeting should consult with digital emergency response providers (EFF, Amnesty, Citizen Lab) rather than follow ad-hoc online security advice. If approached for evidence or forensic review, confirm the authenticity and confidentiality of the analyst or responder.
Methodology
Analysis compiled from vendor threat intelligence reports, documented IOCs, and NGO investigations. Incident response perspective informed by prior hands-on forensic investigations, malware reverse engineering, and on-site crisis support. No conflicts of interest; all referenced sources independently vetted.
Sources & Further Reading
- Acronis TRU CRESCENTHARVEST Report, 2025
- Microsoft MSTIC Iran APT33 Targeting, 2024
- Amnesty Tech: Iran Activist Malware, 2025
- Citizen Lab: Iranian Attribution Caveats, 2024
- EFF Surveillance Self-Defense
- CERT-IL Iranian Activist Malware Advisory, 2024
- Sigma Rule Repository (CRESCENTHARVEST)
- YARA Rules (CRESCENTHARVEST)
Last updated: 2025-06-10
For verification and expert consultation, see links in "Sources & Further Reading."