Home > Security > Security News

Threat Actors Target Iran Protest Supporters with New Malware in Cyberespionage Campaign

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Hacker - Iran - Protest
Summarize with:
ChatGPT logo ChatGPT Claude.ai logo Claude.ai Google AI logo Google AI Grok logo Grok Perplexity logo Perplexity
Google logo Add as preferred source on Google
Key Takeaways
  • New Malware: A cyberespionage campaign targeting supporters of Iranian protests is deploying a previously undocumented malware strain designated CRESCENTHARVEST.
  • Attack Vector: The malware is distributed through files bundled with legitimate protest footage, employing social engineering tactics to execute the malicious payload.
  • Suspected Origin: Security researchers attribute the campaign to Iranian-aligned threat actors, architected to conduct surveillance operations against Farsi-speaking individuals in diaspora communities.

Supporters of Iran's anti-government protests are actively targeting via a sophisticated cyberespionage campaign that deploys a newly identified malware strain. The campaign debuted in early January, leveraging information scarcity caused by nationwide internet infrastructure disruptions. 

Threat actors are distributing weaponized files masquerading as legitimate protest videos and intelligence reports. These vectors deliver an advanced malware variant, CRESCENTHARVEST, engineered for comprehensive data exfiltration.

CRESCENTHARVEST Malware Capabilities

The CRESCENTHARVEST malware functions as a hybrid remote access trojan (RAT) and infostealer, according to threat intelligence analysis from Swiss cybersecurity firm Acronis. Upon successful deployment via DLL sideloading using a signed Google executable file, it maintains persistent access for remote command execution.

The observed attack chain | Source: Acronis
The observed attack chain | Source: Acronis

The implant hardcodes and organizes paths at startup, establishing a structured and modular command-and-control (C2) framework, allowing the threat actor to “remotely control individual capabilities and selectively activate data collection, reconnaissance or persistence features.”

The files sent to the victim include a report and media files depicting the ongoing protests in Iran | Source: Acronis
The files sent to the victim include a report and media files depicting the ongoing protests in Iran | Source: Acronis

Target data includes stored browser credentials, browsing history artifacts, and Telegram sessions. Researchers concluded these capabilities indicate development by Iranian-aligned advanced persistent threat (APT) actors.

Cybersecurity for Activists and Targeted Groups

Considering the telecommunications infrastructure restrictions implemented within Iran, security researchers assess that the campaign primarily targets Farsi-speaking Iranian nationals residing in foreign jurisdictions, along with journalists and human rights activists monitoring protest developments. 

The report suggests the primary infection method may be spear-phishing or protracted social engineering to establish trust before payload delivery. 

In other recent news, a high-speed ClickFix campaign delivered Matanbuchus 3.0 Malware and the new AstarionRAT. Earlier this month, cybersecurity researchers observed state-aligned actors exploiting Iranian protest unrest in a RedKitten AI-accelerated campaign 

Add a Comment
Related
Cryptojacking
Malicious Gemini AI Chatbot Sells Fake Google Coin in Scam Campaign
Police - Hacker - Arrest - Handcuffs
Phobos Ransomware Affiliate Arrested in Poland in Global Crackdown
Angolan Journalist Teixeira Candido Targeted with Predator Spyware in Surveillance Campaign
passport
Abu Dhabi Finance Week Data Leak Exposes Global Figures' Passport Information in Cloud Server Lapse
OpenClaw
15 OpenClaw Security Flaws Disclosed as AI Agent Platform Sees Rapid Enterprise Adoption
ClickFix
ClickFix Infection Delivers Matanbuchus 3.0 Malware and New AstarionRAT in High-Speed Intrusion
Most Popular
Cryptojacking
Malicious Gemini AI Chatbot Sells Fake Google Coin in Scam Campaign
Police - Hacker - Arrest - Handcuffs
Phobos Ransomware Affiliate Arrested in Poland in Global Crackdown
Angolan Journalist Teixeira Candido Targeted with Predator Spyware in Surveillance Campaign
passport
Abu Dhabi Finance Week Data Leak Exposes Global Figures' Passport Information in Cloud Server Lapse
Spain Court Orders ProtonVPN and NordVPN Blocks During LaLiga Matches, Raising Concerns for Users
Spain Court Orders ProtonVPN and NordVPN Blocks During LaLiga Matches, Raising Concerns for Users
UK Government Considers Age Restrictions on Children’s VPN Use After Consultation
UK Government Considers Age Restrictions on Children’s VPN Use After Consultation
Malicious Gemini AI Chatbot Sells Fake Google Coin in Scam Campaign
Phobos Ransomware Affiliate Arrested in Poland in Global Crackdown
Angolan Journalist Teixeira Candido Targeted with Predator Spyware in Surveillance Campaign
Abu Dhabi Finance Week Data Leak Exposes Global Figures' Passport Information in Cloud Server Lapse
Spain Court Orders ProtonVPN and NordVPN Blocks During LaLiga Matches, Raising Concerns for Users
UK Government Considers Age Restrictions on Children’s VPN Use After Consultation

Most Popular
Cryptojacking
Malicious Gemini AI Chatbot Sells Fake Google Coin in Scam Campaign
Police - Hacker - Arrest - Handcuffs
Phobos Ransomware Affiliate Arrested in Poland in Global Crackdown
Angolan Journalist Teixeira Candido Targeted with Predator Spyware in Surveillance Campaign
passport
Abu Dhabi Finance Week Data Leak Exposes Global Figures' Passport Information in Cloud Server Lapse
Spain Court Orders ProtonVPN and NordVPN Blocks During LaLiga Matches, Raising Concerns for Users
Spain Court Orders ProtonVPN and NordVPN Blocks During LaLiga Matches, Raising Concerns for Users
UK Government Considers Age Restrictions on Children’s VPN Use After Consultation
UK Government Considers Age Restrictions on Children’s VPN Use After Consultation
Malicious Gemini AI Chatbot Sells Fake Google Coin in Scam Campaign
Phobos Ransomware Affiliate Arrested in Poland in Global Crackdown
Angolan Journalist Teixeira Candido Targeted with Predator Spyware in Surveillance Campaign
Abu Dhabi Finance Week Data Leak Exposes Global Figures' Passport Information in Cloud Server Lapse
Spain Court Orders ProtonVPN and NordVPN Blocks During LaLiga Matches, Raising Concerns for Users
UK Government Considers Age Restrictions on Children’s VPN Use After Consultation

TechNadu keeps you informed with the latest in cybersecurity, VPNs, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2026 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: