CRESCENTHARVEST: Iranian Protestors and Dissidents Targeted in Cyberespionage Campaign

    Date: 03/04/2026

    Severity: Critical

    Summary

    CRESCENTHARVEST is a targeted cyberespionage campaign using protest-themed lures to infect Farsi-speaking individuals with malicious .LNK files disguised as media content. The malware, deployed via DLL sideloading with a signed Google executable, acts as a remote access trojan and information stealer capable of keylogging, command execution, and data exfiltration. The activity is likely linked to an Iranian-aligned threat group targeting protest supporters, activists, and journalists through sustained social engineering tactics.
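The infection chain above (LNK lure, then a signed vendor executable loading an attacker-supplied DLL dropped beside it) is the classic sideloading shape, and it can be hunted on the loader behaviour rather than on file hashes, which the operators can change at will. The script below is an added example, not Gurucul detection content and not the campaign's real binaries: it scores records shaped like Sysmon Event ID 7 (Image loaded, with the fields Image, ImageLoaded, Signed, Signature and SignatureStatus) plus one enrichment field, HostSignature, which Sysmon does not emit and is assumed here to come from the EDR or a code-signing inventory. Every path, file name and signer string in the sample records is constructed for the example.

```python
"""Heuristic for the DLL sideloading pattern the summary describes: a signed,
legitimate executable loading an attacker-supplied DLL dropped beside it.

Added example, not the campaign's binaries and not Gurucul detection content.
It scores records shaped like Sysmon Event ID 7 (Image loaded: Image,
ImageLoaded, Signed, Signature, SignatureStatus) plus one enrichment field,
HostSignature, that Sysmon does not emit and is assumed to come from the EDR.
Every path, file name and signer string in SAMPLE_LOADS is constructed.
"""
from pathlib import PureWindowsPath

# Roots where a DLL sitting beside a signed EXE is normal. A lure unpacks
# elsewhere (Downloads, Temp, AppData, removable media), which is the tell.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Windows"),
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
)


def under_trusted_root(path):
    """Case-insensitive check that path is one of TRUSTED_ROOTS or below it."""
    p = PureWindowsPath(path)
    return any(root == p or root in p.parents for root in TRUSTED_ROOTS)


def classify(ev):
    """Return (is_sideload, reasons) for one image-load record.

    Alert only when the DLL is beside the EXE, that directory is outside the
    trusted roots, and the DLL is unsigned/invalid or signed by someone other
    than the host's signer. A signed vendor DLL beside a vendor EXE in
    Program Files therefore stays quiet.
    """
    exe, dll = PureWindowsPath(ev["Image"]), PureWindowsPath(ev["ImageLoaded"])
    if dll == exe or dll.parent != exe.parent:
        return False, []  # classic sideloading needs the DLL in the EXE's directory
    reasons = ["DLL loaded from the executable's own directory"]
    untrusted = not under_trusted_root(exe.parent)
    if untrusted:
        reasons.append(f"executable runs from a user-writable location: {exe.parent}")
    dll_unsigned = (ev.get("Signed", "false").lower() != "true"
                    or ev.get("SignatureStatus") != "Valid")
    if dll_unsigned:
        reasons.append("loaded DLL is unsigned or its signature is not valid")
    host_signer = ev.get("HostSignature")  # enrichment field, not native to Event 7
    mismatch = bool(host_signer) and host_signer != ev.get("Signature")
    if mismatch:
        reasons.append(f"host signed by {host_signer}, DLL signer: {ev.get('Signature') or 'none'}")
    return untrusted and (dll_unsigned or mismatch), reasons


def flag(records):
    """Return the records classify() marks as sideloading, in input order."""
    return [ev for ev in records if classify(ev)[0]]


# Constructed sample records; names and signers are placeholders, not IOCs.
SAMPLE_LOADS = [
    {"Image": r"C:\Users\sara\Downloads\protest_clip\viewer.exe",
     "ImageLoaded": r"C:\Users\sara\Downloads\protest_clip\helper.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
     "HostSignature": "Google LLC"},                      # sideload: alert
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
     "HostSignature": "Vendor Inc"},                      # unsigned but trusted root
    {"Image": r"C:\Users\sara\Downloads\protest_clip\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
     "HostSignature": "Google LLC"},                      # system DLL, other directory
    {"Image": r"C:\Users\sara\Downloads\tool\tool.exe",
     "ImageLoaded": r"C:\Users\sara\Downloads\tool\tool_core.dll",
     "Signed": "true", "Signature": "Google LLC", "SignatureStatus": "Valid",
     "HostSignature": "Google LLC"},                      # same signer, valid: quiet
]

if __name__ == "__main__":
    for ev in flag(SAMPLE_LOADS):
        print(ev["Image"], "->", ev["ImageLoaded"], "|", "; ".join(classify(ev)[1]))
```

Only the first sample record fires: the DLL sits next to the EXE under Downloads, is unsigned, and the host carries a vendor signature the DLL does not. The other three show why each condition is needed: an unsigned vendor plugin under Program Files, a system DLL loaded from System32, and a fully signed pair from the same signer all stay quiet. The trusted-root list and the HostSignature enrichment are the two knobs to tune for your own estate.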

    Indicators of Compromise (IOC) List 

    URLs/Domain

    servicelog-information.com

    IP Address

    185.242.105.230

    Hash

    MD5

    1796a42fc6142f85334a143542b6ff02

    54c4c82d21f7b187f0426a9d0cc9ff2c

    6bf368664f3d7e50b37e9fbcc9f1c9bb

    71d05331e226029ca11394e3beeddd19

    80f0dbb51081fb568943c8f2e6874873

    ba8075db751b2d06cbd87f886eb6a07f

    f2750c3a8ee2dcc500fc22305c93820e

    SHA-1

    19ad46278a947c3755c491d16eff2eef2adbc8d5

    2b31c4858157dd37cb061ba8839aa8fd881447a8

    4e2d070a5511f13adf1499a0dad8db0ba4462879

    5c453a9ed4757e6e62c49ae4ed389b85403fbc91

    719df8cd094bf5f8d8cb309d127e1ab8edddecb9

    c2500c5ea9f1dc02d49961630b62ee90215116de

    f51b68128fff77f03b19522f4eaa1ceb58a89824

    SHA-256

    0fbc1f9cbacf076d2ced458e2d1afff0c615640a4647996bca2b651b80f90a6e

    fc1319166cfb607402e9dcaf68ef13ce10f326dbb6ac406ef576e1c02e7404a9

    bd8a48d4dc71552c790a44065cce77c7592f1d00e6cbe904af01f1d164d4dd78

    03315debd0c7a253b59a6b447d0673aa3de84103ca3cd4d5b6148c018d90b39b

    62c4814c88521619ec6bc42e93b88c23f6727e1413f312e53063cdf089c6bc58

    e3cf12272d9103e4693333543b0f25840b18ac6bbea11d17202d752e6a49d707

    dde9fec23a8db87842babb40c306ee6685a13de7a6a2d9f6dc65ed5ea5df87a3

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1 :

    domainname like "servicelog-information.com" or siteurl like "servicelog-information.com" or url like "servicelog-information.com"

    Detection Query 2 :

    dstipaddress IN ("185.242.105.230") or srcipaddress IN ("185.242.105.230")

    Detection Query 3 :

    md5hash IN ("1796a42fc6142f85334a143542b6ff02","54c4c82d21f7b187f0426a9d0cc9ff2c","6bf368664f3d7e50b37e9fbcc9f1c9bb","71d05331e226029ca11394e3beeddd19","80f0dbb51081fb568943c8f2e6874873","ba8075db751b2d06cbd87f886eb6a07f","f2750c3a8ee2dcc500fc22305c93820e")

    Detection Query 4 :

    sha1hash IN ("19ad46278a947c3755c491d16eff2eef2adbc8d5","2b31c4858157dd37cb061ba8839aa8fd881447a8","4e2d070a5511f13adf1499a0dad8db0ba4462879","5c453a9ed4757e6e62c49ae4ed389b85403fbc91","719df8cd094bf5f8d8cb309d127e1ab8edddecb9","c2500c5ea9f1dc02d49961630b62ee90215116de","f51b68128fff77f03b19522f4eaa1ceb58a89824")

    Detection Query 5 :

    sha256hash IN ("fc1319166cfb607402e9dcaf68ef13ce10f326dbb6ac406ef576e1c02e7404a9","e3cf12272d9103e4693333543b0f25840b18ac6bbea11d17202d752e6a49d707","dde9fec23a8db87842babb40c306ee6685a13de7a6a2d9f6dc65ed5ea5df87a3","03315debd0c7a253b59a6b447d0673aa3de84103ca3cd4d5b6148c018d90b39b","0fbc1f9cbacf076d2ced458e2d1afff0c615640a4647996bca2b651b80f90a6e","bd8a48d4dc71552c790a44065cce77c7592f1d00e6cbe904af01f1d164d4dd78","62c4814c88521619ec6bc42e93b88c23f6727e1413f312e53063cdf089c6bc58")
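The five queries above match the IOC fields literally. For an offline sweep of exported logs, or to check what a literal match misses, the script below re-implements their intent in plain Python. It is an added example, not Gurucul's TDIR query engine: the indicators are the ones listed on this page, but the log records at the bottom and their field names (modelled on the query fields url, dstipaddress, sha256hash and so on) are constructed for the example. It goes slightly beyond the queries in three ways a practitioner usually wants: hosts are extracted from full URLs and matched by suffix so subdomains of the C2 domain are caught, lookalike domains that merely contain the IOC string are rejected, and hashes are compared case-insensitively.

```python
"""Offline sweep of log records against the CRESCENTHARVEST indicators.

Added example, not Gurucul's TDIR query engine: it re-implements the intent
of the five detection queries in plain Python so the matching rules can be
read and tested. SAMPLE_EVENTS and their field names are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Indicators copied from the IOC list on this page.
IOC_DOMAINS = {"servicelog-information.com"}
IOC_IPS = {"185.242.105.230"}
IOC_HASHES = set("""
1796a42fc6142f85334a143542b6ff02 54c4c82d21f7b187f0426a9d0cc9ff2c 6bf368664f3d7e50b37e9fbcc9f1c9bb
71d05331e226029ca11394e3beeddd19 80f0dbb51081fb568943c8f2e6874873 ba8075db751b2d06cbd87f886eb6a07f
f2750c3a8ee2dcc500fc22305c93820e
19ad46278a947c3755c491d16eff2eef2adbc8d5 2b31c4858157dd37cb061ba8839aa8fd881447a8
4e2d070a5511f13adf1499a0dad8db0ba4462879 5c453a9ed4757e6e62c49ae4ed389b85403fbc91
719df8cd094bf5f8d8cb309d127e1ab8edddecb9 c2500c5ea9f1dc02d49961630b62ee90215116de
f51b68128fff77f03b19522f4eaa1ceb58a89824
0fbc1f9cbacf076d2ced458e2d1afff0c615640a4647996bca2b651b80f90a6e
fc1319166cfb607402e9dcaf68ef13ce10f326dbb6ac406ef576e1c02e7404a9
bd8a48d4dc71552c790a44065cce77c7592f1d00e6cbe904af01f1d164d4dd78
03315debd0c7a253b59a6b447d0673aa3de84103ca3cd4d5b6148c018d90b39b
62c4814c88521619ec6bc42e93b88c23f6727e1413f312e53063cdf089c6bc58
e3cf12272d9103e4693333543b0f25840b18ac6bbea11d17202d752e6a49d707
dde9fec23a8db87842babb40c306ee6685a13de7a6a2d9f6dc65ed5ea5df87a3
""".split())

# Field names follow the detection queries above.
DOMAIN_FIELDS = ("domainname", "siteurl", "url")
IP_FIELDS = ("srcipaddress", "dstipaddress")
HASH_FIELDS = ("md5hash", "sha1hash", "sha256hash")


def host_from(value):
    """Lowercase hostname of a URL or bare host, without port or trailing dot."""
    if "//" not in value:
        value = "//" + value  # let urlsplit treat a bare host as the netloc
    host = urlsplit(value).hostname or ""
    return host.rstrip(".").lower()


def domain_matches(host):
    """True for an IOC domain or any subdomain of it; a lookalike suffix does not match."""
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def ip_matches(value):
    """Exact comparison after parsing, so padded or malformed values cannot match."""
    try:
        return str(ipaddress.ip_address(value.strip())) in IOC_IPS
    except ValueError:
        return False


def hash_matches(value):
    """Case-insensitive: tools emit both upper- and lowercase hex digests."""
    return value.strip().lower() in IOC_HASHES


def sweep(record):
    """List of 'field: value' hits for one record (empty when clean)."""
    hits = []
    for f in DOMAIN_FIELDS:
        if f in record and domain_matches(host_from(record[f])):
            hits.append(f"{f}: {record[f]}")
    for f in IP_FIELDS:
        if f in record and ip_matches(record[f]):
            hits.append(f"{f}: {record[f]}")
    for f in HASH_FIELDS:
        if f in record and hash_matches(record[f]):
            hits.append(f"{f}: {record[f]}")
    return hits


def sweep_all(records):
    """Map record id -> hits, keeping only records that matched something."""
    result = {}
    for r in records:
        hits = sweep(r)
        if hits:
            result[r["id"]] = hits
    return result


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "src": "proxy", "url": "http://cdn.servicelog-information.com/clip.mp4"},
    {"id": 2, "src": "firewall", "srcipaddress": "10.0.0.5", "dstipaddress": "185.242.105.230"},
    {"id": 3, "src": "edr", "sha256hash": "FC1319166CFB607402E9DCAF68EF13CE10F326DBB6AC406EF576E1C02E7404A9"},
    {"id": 4, "src": "proxy", "url": "https://servicelog-information.com.example.net/"},  # lookalike
    {"id": 5, "src": "edr", "md5hash": "d41d8cd98f00b204e9800998ecf8427e"},  # MD5 of empty input
]

if __name__ == "__main__":
    for rid, hits in sweep_all(SAMPLE_EVENTS).items():
        print(f"event {rid}: " + "; ".join(hits))
```

Events 1 to 3 are reported; event 1 is the interesting one, because a proxy log carries the full URL with a subdomain rather than the bare C2 domain, and event 4 shows the opposite risk of a substring match on the domain. Feed it your own export by replacing SAMPLE_EVENTS with records that use the same field names.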

    Reference:

    https://www.acronis.com/en/tru/posts/crescentharvest-iranian-protestors-and-dissidents-targeted-in-cyberespionage-campaign/#9d7cl13Chk 
    https://otx.alienvault.com/pulse/699d4956c999a529c5f2232b


    Tags

    Malware, Threat Actor, Cyber Espionage, Iran, DLL SideLoading, RAT, Infostealer, Keylogger, Exfiltration, Social Engineering
