Hackers target supporters of Iran protests in new espionage campaign

Summary

Swiss cybersecurity firm Acronis uncovered a cyber-espionage campaign that began in early January, timed with nationwide anti-government protests in Iran. Attackers distributed archives containing authentic protest footage and a Farsi-language report; two items in the archive acted as trojanised bait and delivered a previously undocumented malware family dubbed CRESCENTHARVEST.

CRESCENTHARVEST functions as a remote access trojan and information stealer: it can execute commands, log keystrokes, and harvest sensitive data such as saved credentials, browsing history, cookies and Telegram account information. The malware detects installed antivirus products and adjusts its behaviour to either act aggressively on poorly protected systems or minimise activity to avoid detection.

Acronis assesses that the operator is likely Iranian-aligned, based on code, infrastructure and techniques. The campaign appears tailored to Farsi-speaking supporters of the protests, particularly those outside Iran, and to their international supporters, exploiting the demand for trusted information during internet blackouts. Initial infection vectors are unclear but are likely spear-phishing or prolonged social engineering to build trust before delivering malicious files.

Key Points

  • The campaign was discovered by Acronis and began in early January, timed with coverage of the Iran protests.
  • Attackers bundled real protest media with malicious files to lure targets with relevant, Farsi-language content.
  • New malware family CRESCENTHARVEST acts as a remote access trojan and information stealer.
  • Capabilities include command execution, keystroke logging and theft of credentials, cookies, browsing history and Telegram data.
  • The malware detects antivirus software and adapts its behaviour to avoid detection or be more aggressive on weakly protected systems.
  • Acronis judges the threat actor is likely aligned with Tehran; victims are primarily Farsi-speaking protesters, activists, journalists and supporters abroad.
  • Infection likely begins with spear-phishing or long-term social engineering rather than mass indiscriminate distribution.

Context and Relevance

This campaign highlights a recurring trend: state-aligned or nation-linked actors weaponising crises and information blackouts to target communities seeking reliable news. Tailored lures in the local language and familiar media increase the chance of successful compromise, especially when audiences are hungry for situational awareness.

For security teams, journalists and activists, the incident underlines the need for stronger operational security: verify sources, avoid opening unsolicited archives or media, keep systems and AV up to date, segregate sensitive communications onto dedicated devices, and use end-to-end encrypted channels for coordination where possible. The targeting of diaspora and supporters also shows that geographic distance does not guarantee safety from politically motivated cyber-espionage.

Why should I read this

Short version: there’s a fresh bit of nastiness called CRESCENTHARVEST being spread in files that look like protest footage. If you follow or support Iran protests, handle any unexpected Farsi-language reports or media with extreme caution. This quick read saves you time and might stop someone you know from opening the wrong file.

Source

Source: https://therecord.media/hackers-target-iran-protest-supporters-cyber-campaign