CRESCENTHARVEST
CRESCENTHARVEST is a Windows malware payload, implemented as a sideloaded DLL (notably version.dll), that functions as both a remote access trojan (RAT) and an information stealer. Acronis TRU reported it in a campaign assessed as likely Iran-aligned and aimed at Iranian citizens at home and abroad, including supporters of Iran's ongoing protests, for information theft and long-term espionage.
Infection chain / delivery: Victims are lured with protest-themed content delivered as a RAR archive that mixes legitimate images and videos with malicious Windows shortcut files carrying double extensions (e.g., *.jpg.lnk, *.mp4.lnk); Explorer never displays the .lnk extension of a shortcut, so the files appear to be media. When executed, the LNK launches a PowerShell-based chain (nested headless conhost.exe, cmd.exe, and PowerShell) that extracts an embedded ZIP to %TEMP% and opens benign decoy media to reduce suspicion. Persistence is a scheduled task with an event trigger on Microsoft-Windows-NetworkProfile/Operational event ID 10000 ("Network Connected"), so the payload is re-launched every time the host joins a network rather than at a fixed time or at logon. The final payload is deployed by DLL sideloading (DLL search order hijacking): the legitimate Google-signed software_reporter_tool.exe (Chrome's cleanup utility; its signing certificate is noted as having expired in 2024) is placed alongside the malicious version.dll (CRESCENTHARVEST) and urtcbased140d_d.dll and loads them from its own directory. Two practitioner notes: version.dll is a classic sideload target because it is not a KnownDLL, so the application directory is searched before System32; and a timestamped Authenticode signature stays valid after the signing certificate expires, so trust logic keyed on "signed by Google" does not flag this host binary.
Capabilities / behavior: CRESCENTHARVEST supports command execution and host profiling, including enumerating installed antivirus/security products via WMI (the root\SecurityCenter2 namespace) and local user accounts via NetUserEnum. It keylogs with a low-level keyboard hook (SetWindowsHookExA with WH_KEYBOARD_LL), appending keystrokes to C:\Windows\System32\spool\Drivers\color\daT.txt, a directory that standard users can write to, and uploading and then deleting the file once it approaches ~2,000 bytes. The file is therefore small and short-lived on disk, so file-create and file-delete telemetry on that path is a better hunt than searching for the file itself. It steals browser data (credentials, cookies, history) from Chrome, Edge, and Firefox, staging it under Windows Temp (including a sysdriver directory) before exfiltration. It also targets Telegram Desktop by copying the session/profile data to C:\Windows\Temp\tdata, compressing it, uploading it, and removing traces.
Related module: The sideloaded urtcbased140d_d.dll is described as a C++ implant that extracts and decrypts Chrome's app-bound encryption key. Since Chrome 127 the key that protects cookies and saved passwords is stored in the browser's Local State file wrapped so that only Chrome's elevation service (a COM server running as SYSTEM) will unwrap it; the implant reads that value, drives the service's COM interface to recover the plaintext key, writes it to decrypted_appbound_key.txt under APPDATA, and hands it to another local process over a named pipe so the stolen browser databases can be decrypted. Acronis noted overlap with the open-source ChromElevator project. The plaintext key file under APPDATA, the named-pipe hand-off, and any non-Chrome process calling the elevation service are all hunt points.
C2 / network: CRESCENTHARVEST uses WinHTTP and JSON over HTTPS for C2, periodically beaconing with bodies such as {"Identifier":"admin"} and receiving responses such as {"action":"ok"} or an action naming a command to run. Reported C2 infrastructure includes servicelog-information[.]com and 185.242.105.230. Because the transport is ordinary HTTPS through the system's WinHTTP stack (proxy-aware, TLS via Schannel, so the TLS fingerprint is the OS's own), network detection rests on the domain/IP indicators, the regular beacon interval, and, where TLS is inspected, the small fixed-shape JSON bodies.
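The delivery chain above gives four concrete hunt points: the double-extension .lnk, the headless conhost -> cmd -> powershell launch, the NetworkProfile-triggered scheduled task, and the version.dll sideload into software_reporter_tool.exe. The following is an added example (not code from the Acronis report or from the malware) that checks each of them over constructed Sysmon-style records and a constructed Task Scheduler XML file; the field names (Image, ParentImage, CommandLine, ParentCommandLine, ImageLoaded, TargetFilename) and the task-file schema are assumptions about your telemetry.

```python
"""Hunting the delivery chain: .lnk lures, headless conhost launcher, the
NetworkProfile-triggered task, and the version.dll sideload.

Added example, not code from the report or the malware. Records below are
constructed and use Sysmon-style field names; schemas are assumptions.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
DOUBLE_EXT_LNK = re.compile(r"\.(jpe?g|png|gif|mp4|mov|avi)\.lnk$", re.I)
SIGNED_HOST = "software_reporter_tool.exe"
SIDELOADED_DLLS = {"version.dll", "urtcbased140d_d.dll"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_file_create(ev: dict) -> list:
    """File-create record: media extension followed by the hidden .lnk extension."""
    name = basename(ev.get("TargetFilename", ""))
    return ["double-extension .lnk lure: " + name] if DOUBLE_EXT_LNK.search(name) else []


def flag_process_create(ev: dict) -> list:
    """Process-create record: the nested launcher chain."""
    hits = []
    img, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
    cmd, pcmd = ev.get("CommandLine", ""), ev.get("ParentCommandLine", "")
    # conhost.exe hosts consoles; a --headless conhost whose child is a shell is the lure chain
    if parent == "conhost.exe" and "--headless" in pcmd.lower() and img in ("cmd.exe", "powershell.exe"):
        hits.append("headless conhost spawning " + img)
    if parent == "cmd.exe" and img == "powershell.exe" and re.search(r"\$env:temp|%temp%|expand-archive", cmd, re.I):
        hits.append("powershell unpacking into %TEMP%")
    return hits


def flag_image_load(ev: dict) -> list:
    """Image-load record: the Google-signed host loading one of the named DLLs from
    anywhere but System32 (version.dll is not a KnownDLL, so the EXE's directory wins)."""
    loaded = ev.get("ImageLoaded", "")
    if (basename(ev.get("Image", "")) == SIGNED_HOST and basename(loaded) in SIDELOADED_DLLS
            and "\\windows\\system32\\" not in loaded.lower()):
        return [SIGNED_HOST + " sideloaded " + basename(loaded) + " from " + loaded]
    return []


def task_network_connect_triggers(task_xml: str) -> list:
    """EventTrigger subscriptions on NetworkProfile event 10000 ('Network Connected')
    with the task's Exec actions. Task files under System32\\Tasks are UTF-16 on disk:
    read them with encoding='utf-16'; the declaration is stripped so ElementTree
    accepts the decoded text."""
    task_xml = re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml.lstrip("\ufeff")).strip()
    root = ET.fromstring(task_xml)
    actions = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS)
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS)
        actions.append((cmd + " " + args).strip())
    found = []
    for trig in root.findall(".//t:Triggers/t:EventTrigger", TASK_NS):
        sub = trig.findtext("t:Subscription", default="", namespaces=TASK_NS)
        if "Microsoft-Windows-NetworkProfile/Operational" in sub and re.search(r"EventID\s*=\s*10000", sub):
            found.append({"subscription": sub, "actions": actions})
    return found


def hunt(events: list, task_xml: str) -> list:
    """Run every check; returns a flat list of findings."""
    dispatch = {"file": flag_file_create, "process": flag_process_create, "imageload": flag_image_load}
    findings = [hit for ev in events for hit in dispatch[ev["kind"]](ev)]
    for t in task_network_connect_triggers(task_xml):
        findings.append("NetworkProfile 10000 trigger -> " + "; ".join(t["actions"]))
    return findings


# Constructed records mirroring the chain on this page (not real telemetry).
SAMPLE_EVENTS = [
    {"kind": "file", "TargetFilename": r"C:\Users\u\Downloads\protest\IMG_2281.jpg.lnk"},
    {"kind": "process", "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\System32\conhost.exe",
     "ParentCommandLine": "conhost.exe --headless cmd.exe /c powershell -w hidden ...",
     "CommandLine": "cmd.exe /c powershell -w hidden ..."},
    {"kind": "process", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe /c powershell ...",
     "CommandLine": r"powershell -w hidden -c Expand-Archive $env:TEMP\p.zip $env:TEMP"},
    {"kind": "imageload", "Image": r"C:\Users\Public\Libraries\software_reporter_tool.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\version.dll"},
    {"kind": "imageload", "Image": r"C:\Users\Public\Libraries\software_reporter_tool.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},  # benign: resolved from System32
]

SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><EventTrigger><Enabled>true</Enabled>
    <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Microsoft-Windows-NetworkProfile/Operational"&gt;&lt;Select Path="Microsoft-Windows-NetworkProfile/Operational"&gt;*[System[Provider[@Name='Microsoft-Windows-NetworkProfile'] and EventID=10000]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
  </EventTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>C:\Users\Public\Libraries\software_reporter_tool.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS, SAMPLE_TASK_XML):
        print(finding)
```

The task check reads the XML form that Task Scheduler persists under System32\Tasks (the same text `schtasks /query /xml` returns), so it works both on a live host and on a triage image; the sideload check deliberately keys on the load path rather than the DLL name alone, because the genuine version.dll is loaded by the same binary from System32.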
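To make the key-theft step above concrete, here is an added example (not code from the report, the implant, or ChromElevator) that parses the record the implant has to read first: os_crypt.app_bound_encrypted_key in Chrome's Local State, which is base64 of an "APPB" tag followed by a DPAPI blob. It validates the DPAPI header and reports the master-key GUID, and stops there, because unwrapping the outer layer requires SYSTEM-scope DPAPI via the elevation service, which is exactly the step the implant abuses. The Local State below is constructed; its blob is a fabricated DPAPI header with zero filler, not a real key.

```python
"""Triage of the Chrome app-bound key record targeted by urtcbased140d_d.dll.

Added example, not code from the report, the implant, or ChromElevator. The
Local State document is constructed; the blob is a fabricated header, not a key.
"""
import base64
import json
import struct
import uuid

APPB_TAG = b"APPB"     # tag Chrome puts in front of the app-bound key blob
LEGACY_TAG = b"DPAPI"  # tag on the older os_crypt.encrypted_key (user DPAPI only)
# Provider GUID that follows the version DWORD in every CryptProtectData blob
DPAPI_PROVIDER = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")


def parse_dpapi_header(blob: bytes) -> dict:
    """Fixed-layout prefix of a DPAPI blob: dwVersion, guidProvider,
    dwMasterKeyVersion, guidMasterKey, dwFlags."""
    if len(blob) < 44:
        raise ValueError("too short for a DPAPI blob")
    version, = struct.unpack_from("<I", blob, 0)
    provider = uuid.UUID(bytes_le=blob[4:20])
    mk_version, = struct.unpack_from("<I", blob, 20)
    mk_guid = uuid.UUID(bytes_le=blob[24:40])
    flags, = struct.unpack_from("<I", blob, 40)
    if version != 1 or provider != DPAPI_PROVIDER:
        raise ValueError("not a DPAPI blob")
    return {"masterkey_version": mk_version, "masterkey_guid": str(mk_guid), "flags": flags}


def app_bound_blob(local_state_json: str) -> bytes:
    """Return the DPAPI blob behind os_crypt.app_bound_encrypted_key."""
    os_crypt = json.loads(local_state_json)["os_crypt"]
    raw = base64.b64decode(os_crypt["app_bound_encrypted_key"])
    if not raw.startswith(APPB_TAG):
        raise ValueError("app_bound_encrypted_key does not start with APPB")
    return raw[len(APPB_TAG):]


def triage_local_state(local_state_json: str) -> dict:
    """Summarise both key records so an analyst knows which DPAPI master keys
    (the user's for the legacy key, SYSTEM's for the app-bound outer layer) are in play."""
    os_crypt = json.loads(local_state_json)["os_crypt"]
    out = {}
    if "encrypted_key" in os_crypt:
        legacy = base64.b64decode(os_crypt["encrypted_key"])
        if legacy.startswith(LEGACY_TAG):
            out["legacy"] = parse_dpapi_header(legacy[len(LEGACY_TAG):])
    if "app_bound_encrypted_key" in os_crypt:
        out["app_bound"] = parse_dpapi_header(app_bound_blob(local_state_json))
    return out


def _fake_blob(mk_guid: str) -> bytes:
    """Constructed DPAPI-shaped blob for the sample: valid header, zero filler."""
    return (struct.pack("<I", 1) + DPAPI_PROVIDER.bytes_le + struct.pack("<I", 1)
            + uuid.UUID(mk_guid).bytes_le + struct.pack("<I", 0) + b"\x00" * 32)


# Constructed Local State (not from a real profile).
SAMPLE_LOCAL_STATE = json.dumps({"os_crypt": {
    "encrypted_key": base64.b64encode(LEGACY_TAG + _fake_blob("11111111-2222-3333-4444-555555555555")).decode(),
    "app_bound_encrypted_key": base64.b64encode(APPB_TAG + _fake_blob("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee")).decode(),
}})

if __name__ == "__main__":
    print(json.dumps(triage_local_state(SAMPLE_LOCAL_STATE), indent=2))
```

On a real profile the file is `%LOCALAPPDATA%\Google\Chrome\User Data\Local State`; the master-key GUID the parser returns for the app-bound record names a SYSTEM-scope master key, which is why user-level tooling cannot finish the job and why the implant needs the COM elevation path.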
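Because the C2 rides ordinary HTTPS, the usable network signal is the indicator list plus the beacon's regularity and its fixed JSON shape. The following is an added example (not code from the report or the malware) that scores constructed proxy/TLS-inspection records, one JSON object per line with fields ts, src, host, method, req_body and resp_body (an assumed schema): a (src, host) pair is flagged when the request bodies are single-key {"Identifier": ...} objects answered by {"action": ...} objects and arrive at a near-constant interval, or when the host is one of the indicators on this page. The hostname is kept defanged in the sample, as on the page.

```python
"""Beacon hunting for the JSON-over-HTTPS C2 pattern described above.

Added example, not code from the report or the malware. Records are constructed
JSON lines with an assumed schema; only the message shapes quoted on this page
are modelled, not the command vocabulary.
"""
import json
import statistics
from collections import defaultdict

KNOWN_C2 = {"servicelog-information[.]com", "185.242.105.230"}


def refang(s: str) -> str:
    return s.replace("[.]", ".")


def is_beacon_shape(req_body: str, resp_body: str) -> bool:
    """Exactly the exchange quoted on this page: {"Identifier": ...} -> {"action": ...}."""
    try:
        req, resp = json.loads(req_body), json.loads(resp_body)
    except (TypeError, ValueError):
        return False
    return (isinstance(req, dict) and set(req) == {"Identifier"}
            and isinstance(resp, dict) and "action" in resp)


def is_periodic(timestamps, min_count: int = 4, max_cv: float = 0.25) -> bool:
    """Near-constant inter-request gap: coefficient of variation of the gaps at or
    below max_cv. Sleep-with-jitter beacons still pass; interactive browsing does not."""
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_cv


def scan_log(log_text: str) -> list:
    """Group records by (src, host) and report every group with a reason to look."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            groups[(rec["src"], rec["host"])].append(rec)
    known = {refang(h) for h in KNOWN_C2}
    hits = []
    for (src, host), recs in groups.items():
        reasons = []
        if refang(host) in known:
            reasons.append("known C2 host")
        shaped = [r for r in recs if r["method"] == "POST" and is_beacon_shape(r["req_body"], r["resp_body"])]
        if len(shaped) >= 4 and is_periodic([r["ts"] for r in shaped]):
            reasons.append("periodic beacon")
        if reasons:
            hits.append({"src": src, "host": host, "count": len(recs), "reasons": reasons})
    return hits


# Constructed records (ts in seconds); the C2 hostname is defanged as on the page.
SAMPLE_LOG = r"""
{"ts": 0,   "src": "10.0.0.7", "host": "servicelog-information[.]com", "method": "POST", "req_body": "{\"Identifier\":\"admin\"}", "resp_body": "{\"action\":\"ok\"}"}
{"ts": 61,  "src": "10.0.0.7", "host": "servicelog-information[.]com", "method": "POST", "req_body": "{\"Identifier\":\"admin\"}", "resp_body": "{\"action\":\"ok\"}"}
{"ts": 119, "src": "10.0.0.7", "host": "servicelog-information[.]com", "method": "POST", "req_body": "{\"Identifier\":\"admin\"}", "resp_body": "{\"action\":\"GetUsers\"}"}
{"ts": 182, "src": "10.0.0.7", "host": "servicelog-information[.]com", "method": "POST", "req_body": "{\"Identifier\":\"admin\"}", "resp_body": "{\"action\":\"ok\"}"}
{"ts": 240, "src": "10.0.0.7", "host": "servicelog-information[.]com", "method": "POST", "req_body": "{\"Identifier\":\"admin\"}", "resp_body": "{\"action\":\"ok\"}"}
{"ts": 0,   "src": "10.0.0.12", "host": "updates.example.invalid", "method": "POST", "req_body": "{\"Identifier\":\"ws01\"}", "resp_body": "{\"action\":\"ok\"}"}
{"ts": 300, "src": "10.0.0.12", "host": "updates.example.invalid", "method": "POST", "req_body": "{\"Identifier\":\"ws01\"}", "resp_body": "{\"action\":\"ok\"}"}
{"ts": 600, "src": "10.0.0.12", "host": "updates.example.invalid", "method": "POST", "req_body": "{\"Identifier\":\"ws01\"}", "resp_body": "{\"action\":\"ok\"}"}
{"ts": 900, "src": "10.0.0.12", "host": "updates.example.invalid", "method": "POST", "req_body": "{\"Identifier\":\"ws01\"}", "resp_body": "{\"action\":\"ok\"}"}
{"ts": 12,  "src": "10.0.0.9", "host": "api.example.invalid", "method": "POST", "req_body": "{\"Identifier\":\"x\"}", "resp_body": "{\"status\":\"ok\"}"}
{"ts": 30,  "src": "10.0.0.9", "host": "cdn.example.invalid", "method": "GET", "req_body": "", "resp_body": "<html>"}
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The second flagged host in the sample is not on the indicator list; it is caught by shape plus timing alone, which is the rule that survives an infrastructure change. Without TLS inspection the body checks are unavailable and only the timing rule and the indicators remain.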
Techniques & procedures
30 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance: 1 technique
Initial Access: 2 techniques
Execution: 7 techniques
"establishes persistence by creating a scheduled task... configured to execute in response to a Windows NetworkProfile event (EventID 10000)"
Supported commands include: "shell, to run shell commands" and "to execute commands"
"contains PowerShell code to retrieve another ZIP archive"; command list includes "ps, to run PowerShell commands (not working)"
"spawn cmd.exe, which in turn launches PowerShell"; "shell Shell command execution"
"two of the files in this archive are malicious .LNK shortcuts disguised as benign media content... each of the files contains a malicious script which will run upon execution of the file."
Persistence: 1 technique
Privilege Escalation: 1 technique
Stealth (ATT&CK Defense Evasion): 6 techniques
"performs PEB walking to avoid static API imports... traversing the InMemoryOrderModuleList to locate kernel32.dll... applying a simple XOR decryption routine... resolving the API."
"masquerade as an image or a video file by using the double extension trick (*.jpg.lnk or *.mp4.lnk)"
"deletes the evidence... DeleteFileA"; "After exfiltration, the malware deletes all traces by recursively removing the staging directory and archive."
Credential Access: 4 techniques
"implements a Windows low-level keyboard hook (WH_KEYBOARD_LL)... registers this hook via SetWindowsHookExA... appends to... daT.txt... uploads it to C2"
Discovery: 6 techniques
"reads the NtBuildNumber... to determine the Windows version and build number... performs extensive target enumeration, including... public IP, username, region"
"enumerates local user accounts on the device"; command: "GetUser, to get user information"
"GetUsers command enumerates all local user accounts... using NetUserEnum()... returns a JSON-formatted list to C2"
Collection: 3 techniques
"detect and steal complete Telegram Desktop account data... copies the entire profile to C:\Windows\Temp\tdata, compresses it into a ZIP file, and uploads it"
Command and Control: 3 techniques
"employs Windows WinHTTP APIs to communicate with its command-and-control (C2) server (servicelog-information[.]com), allowing it to blend in with regular traffic"
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Dual-purpose remote access trojan and information stealer delivered via DLL sideloading (using a signed Google executable), with command execution, keylogging, and data exfiltration capabilities.
Remote access tool and information stealer delivered via LNK files and DLL sideloading (using a legitimate Google-signed Chrome cleanup binary). Supports command execution, system and user enumeration, keylogging, and theft of browser data (history, cookies, credentials) and Telegram Desktop session data; communicates to C2 over WinHTTP.
Windows backdoor used in a campaign targeting Iranian citizens (domestic and diaspora), particularly individuals linked to anti-government protests.
Custom implant deployed via malicious .LNK lures and DLL sideloading using a signed Google Software Reporter Tool binary. Implements two main modules: (1) decrypts Chrome app-bound encryption keys via COM elevation broker and passes them via named pipe; (2) backdoor/stealer (keylogging via WH_KEYBOARD_LL, browser credential/cookie/history theft for Chrome/Edge/Firefox, Telegram Desktop session theft, system/AV enumeration via WMI, host profiling, command execution, file exfiltration) with some anti-analysis (Job Objects 'Process on a Diet', PEB-walking/dynamic API resolution). Communicates with C2 over HTTPS using JSON and WinHTTP/WinINet APIs.