Unmasking CRESCENTHARVEST: How a Silent RAT Campaign Targets Iran Protesters

In the volatile intersection of geopolitical unrest and digital warfare, activists and supporters of political movements often find themselves on the front lines of a different kind of battle. Cybersecurity researchers at the Acronis Threat Research Unit (TRU) have uncovered a chilling new campaign, dubbed CRESCENTHARVEST, specifically designed to exploit this vulnerability.

This sophisticated operation targets individuals supporting the ongoing protests in Iran. The goal is not just disruption, but long-term espionage and information theft. By deploying a Remote Access Trojan (RAT), the attackers behind CRESCENTHARVEST are gaining total control over victim devices, turning personal computers into listening devices.

The CRESCENTHARVEST Campaign: A Deep Dive

Activity attributed to CRESCENTHARVEST was observed shortly after January 9, aligning closely with periods of heightened civil unrest. The attackers leverage the emotional urgency of the protests, distributing lures—likely malicious documents disguised as protest guides, leaked information, or security manifestos—to trick users into execution.

The Attack Vector

1. The Lure: Victims are targeted via social engineering, receiving files that appear relevant to the Iran protests.
2. The Payload: Upon opening the malicious file, a script triggers the download and execution of a Remote Access Trojan (RAT).
3. The Objective: Once established, the RAT provides the attacker with comprehensive capabilities, including:
   • Keylogging: Stealing passwords and credentials.
   • Screen Capture: Monitoring victim activity in real-time.
   • File Exfiltration: Stealing sensitive documents and personal data.
   • Remote Control: Using the victim's webcam or microphone for physical surveillance.

This is a classic case of "targeted espionage," where the malware is tailored to infiltrate a specific demographic rather than a broad, automated spray-and-pray approach. The precision suggests a high level of operational security by the threat actors, aiming to maintain persistent access for as long as possible without detection.

Threat Hunting & Detection

Detecting a RAT like CRESCENTHARVEST requires looking beyond simple antivirus signatures. We must hunt for the behaviors associated with persistent remote access. Below are methods to hunt for indicators of compromise (IOCs) and behavioral patterns associated with this campaign.

1. KQL Queries (Microsoft Sentinel/Defender)

Hunt for suspicious PowerShell execution chains often used to stage RATs. Look for base64 encoded commands or hidden window styles.

DeviceProcessEvents

| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has "FromBase64String" or ProcessCommandLine has "Invoke-Expression"
| where ProcessCommandLine has "-WindowStyle Hidden" or ProcessCommandLine has "-NonInteractive"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName
| extend URLExtract = extract("(http[s]?://\\S+)", 1, ProcessCommandLine)
| where isnotempty(URLExtract)

2. PowerShell Script (Windows Hunting)

Use this script on endpoints to check for suspicious persistence mechanisms in the Registry, specifically looking for unsigned binaries launching from user directories.

<#
.SYNOPSIS
    Hunts for suspicious Run keys often used by RATs for persistence.
#>

$Paths = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
)

foreach ($Path in $Paths) {
    if (Test-Path $Path) {

        Get-ItemProperty $Path -ErrorAction SilentlyContinue | 
        Get-Item | 
        Select-Object -ExpandProperty Property | 

        ForEach-Object {
            $Value = (Get-ItemProperty -Path "$Path" -Name $_).$_
            # Flag values pointing to AppData/Temp or obscure locations
            if ($Value -match "AppData" -or $Value -match "Temp" -or $Value -match "public") {

                Write-Host "[SUSPICIOUS] Path: $Path" -ForegroundColor Yellow
                Write-Host "    Key: $_" -ForegroundColor Cyan
                Write-Host "    Value: $Value" -ForegroundColor Cyan

            }
        }
    }
}

3. Python Script (Fingerprinting)

A lightweight script to scan processes for common RAT characteristics, such as hiding window visibility or connecting to non-standard ports.

import psutil
import socket


SUSPICIOUS_PORTS = [4444, 5552, 6666, 8080] # Common RAT ports


def hunt_rats():

    print("[*] Hunting for potential RAT processes...")
    for proc in psutil.process_iter(['pid', 'name', 'exe', 'connections']):
        try:
            # Check for hidden windows or suspicious names
            if proc.info['name'] and (
                "update" in proc.info['name'].lower() or 
                "system" in proc.info['name'].lower()
            ):
                # Check network connections
            connections = proc.connections(kind='inet')
            for conn in connections:
                if conn.status == 'ESTABLISHED':
                    if conn.raddr and conn.raddr.port in SUSPICIOUS_PORTS:
                        print(f"[!] SUSPICIOUS: {proc.info['name']} (PID: {proc.info['pid']})")
                        print(f"    Connected to: {conn.raddr.ip}:{conn.raddr.port}")
        except (psutil.NoSuchProcess, psutil.AccessDenied, psutil.ZombieProcess):
            pass

if __name__ == "__main__":
    hunt_rats()

Mitigation Strategies

To defend against targeted campaigns like CRESCENTHARVEST, organizations and individuals must adopt a zero-trust mindset:

1. Application Allowlisting: Prevent unsigned or unknown applications from executing in sensitive directories (e.g., %AppData%, %Temp%).
2. Macro Security: Disable macros for users who do not explicitly require them for their daily tasks.
3. Network Segmentation: Restrict the ability of endpoints to initiate outbound connections to non-corporate IPs and ports unless necessary.
4. User Education: Train users to recognize social engineering lures, especially those related to urgent political or social events.

Security Arsenal: Your Shield Against Espionage

Targeted espionage campaigns like CRESCENTHARVEST bypass standard automated defenses by relying on human psychology and subtle persistence mechanisms. To stay ahead of these threats, you need a partner who understands the tactics of modern adversaries.

At Security Arsenal, our Red Teaming services simulate these exact targeted attack vectors, testing your organization's ability to detect and respond to sophisticated social engineering and malware deployment. Furthermore, our Managed Security solutions provide 24/7 monitoring, ensuring that even the quietest RAT—like those in the CRESCENTHARVEST campaign—is detected before it can steal your data.

Don't wait for the breach to happen. Secure your perimeter with Security Arsenal today.