Tehran. Image: Hosein Charbaghi via Unsplash

Hackers target supporters of Iran protests in new espionage campaign

Hackers believed to be aligned with Tehran are targeting supporters of Iran’s anti-government protests in a new cyberespionage campaign, researchers have found.

The campaign, discovered by Swiss cybersecurity firm Acronis, began in early January, shortly after mass nationwide demonstrations erupted across Iran calling for an end to the Islamic Republic system.

Researchers said the attackers likely took advantage of a spike in demand for information after authorities imposed sweeping internet blackouts across the country to limit coverage of the unrest.

The threat actor distributed malicious files bundled with authentic protest footage and a Farsi-language report described as providing updates from “the rebellious cities of Iran.” Two files in the archive, disguised as a video and an image, delivered a previously undocumented malware strain that researchers dubbed CRESCENTHARVEST.
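The lure described above relies on archive members that look like media but are not. A defender-side triage check, added here as an example that is not part of the article or of Acronis's research, is to open an archive and flag members whose extension chain or leading bytes disagree with the media format their name claims. The magic-byte table, the helper names (`triage_member`, `triage_archive`, `build_sample_archive`) and the sample ZIP are all constructed for this illustration; none of them come from the campaign.

```python
"""Triage a ZIP for members that pose as images or video.

Added example, not from the article or from Acronis. Every sample
file built below is constructed; nothing here is a real artifact.
"""
import io
import zipfile

# Leading bytes of common media formats (assumption: a small, illustrative table).
MEDIA_MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".mp4": [b"ftyp"],  # MP4 carries 'ftyp' at offset 4; handled specially below
}
# Extensions Windows will execute when double-clicked (illustrative, not exhaustive).
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".lnk", ".js", ".vbs", ".ps1", ".pif"}
EXECUTABLE_MAGIC = [b"MZ", b"\x7fELF"]


def _exts(name):
    """Lowercase extensions, last first: 'clip.mp4.exe' -> ['.exe', '.mp4']."""
    base = name.rsplit("/", 1)[-1]
    parts = base.lower().split(".")
    return ["." + p for p in reversed(parts[1:])]


def _content_looks_like(ext, head):
    """True if the first bytes are consistent with the claimed media format."""
    if ext == ".mp4":
        return head[4:8] == b"ftyp"
    return any(head.startswith(m) for m in MEDIA_MAGIC.get(ext, []))


def triage_member(name, head):
    """Return a list of findings for one member given its name and first bytes."""
    findings = []
    exts = _exts(name)
    if not exts:
        return findings
    final = exts[0]
    # 'video.mp4.exe': a media name that actually ends in an executable extension.
    if final in EXECUTABLE_EXT and any(e in MEDIA_MAGIC for e in exts[1:]):
        findings.append("double extension: media name ending in executable extension")
    # 'photo.jpg' whose bytes start with a PE or ELF header.
    if any(head.startswith(m) for m in EXECUTABLE_MAGIC) and final in MEDIA_MAGIC:
        findings.append("executable header behind media extension")
    elif final in MEDIA_MAGIC and not _content_looks_like(final, head):
        findings.append("content does not match claimed media format")
    return findings


def triage_archive(data):
    """Map member name -> findings for every flagged member of a ZIP given as bytes."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(16)  # only the header is needed for the checks above
            findings = triage_member(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report


def build_sample_archive():
    """Constructed sample: a real PNG, a PE behind a .jpg name, a .mp4.exe, and a text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
        zf.writestr("photo.jpg", b"MZ\x90\x00" + b"\x00" * 32)
        zf.writestr("protest_clip.mp4.exe", b"MZ\x90\x00" + b"\x00" * 32)
        zf.writestr("notes.txt", b"just text")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in triage_archive(build_sample_archive()).items():
        print(member, "->", "; ".join(why))
```

Run as a script it prints the two flagged members of the constructed sample; the genuine PNG and the text file are not reported. The check reads only the first 16 bytes of each member, so it is cheap enough to run on every inbound archive at a mail gateway or in a triage pipeline, and it is deliberately conservative: a mismatch is a reason to detonate or quarantine, not proof of malice on its own.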

The malware functions as both a remote access trojan and an information stealer. It is capable of executing commands, logging keystrokes and extracting sensitive data, including saved credentials, browsing history, cookies and Telegram account information.

It can also detect installed antivirus software, allowing it to adjust its behavior — becoming more aggressive on poorly protected systems or minimizing activity to avoid detection.

While the group behind the campaign has not been identified, Acronis said the attackers’ code, infrastructure and methods suggest links to an Iranian-aligned threat actor.

“Amid ongoing political turmoil, this campaign appears specifically crafted to target Farsi-speaking Iranians sympathetic to the protests, though activists, journalists, and others seeking reliable information from within Iran may also be at risk,” researchers said.

Given the ongoing internet blackout in Iran, the campaign is more likely aimed at Iranians abroad or their supporters rather than domestic targets, they added.

The initial infection method remains unclear, though researchers assess that the campaign likely began with spear-phishing or prolonged social engineering efforts designed to build trust before delivering the malicious files.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.