Campaigns
Crescentharvets Campaign Targets Iranian Protest Supporters

Crescentharvets Campaign Targets Iranian Protest Supporters

CRESCENTHARVESTRATremote access trojaninformation stealersocial engineeringLNK filesDLL side-loadingcredential harvestingservicelog-information[.]comRedKittenSloppyMIO
The CRESCENTHARVEST campaign targets supporters of Iranian protests using a remote access trojan (RAT) and information stealer to steal information and conduct espionage. The campaign uses social engineering techniques with Farsi-language content related to the protests to lure victims.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION


T1036 - Masquerading


ID

Name

Analytic ID

Analytic Description

DET0127

Behavioral Detection of Masquerading Across Platforms via Metadata and Execution Discrepancy

AN0355

Adversary renames LOLBINs or deploys binaries with spoofed file names, internal PE metadata, or misleading icons to appear legitimate. File creation is followed by execution or service registration inconsistent with known usage.

AN0356

Adversary drops renamed binaries in uncommon directories (e.g., /tmp, /dev/shm) or uses special characters in names (e.g., trailing space, Unicode RLO). Execution or cronjob registration follows shortly after file drop.

AN0357

Adversary creates disguised launch daemons or apps with misleading names and bundle metadata (e.g., Info.plist values inconsistent with binary path or icon). Launch is correlated with user logon or persistence setup.

AN0358

Adversary uses renamed container images, injects files into containers with misleading names or metadata (e.g., renamed system binaries), and executes them during startup or scheduled jobs.

AN0359

Adversary places scripts or binaries with misleading names in /etc/rc.local.d or /var/spool/cron, or registers services with legitimate-sounding names not present in default ESXi builds.


T1176 - Browser Extensions


ID

Name

Analytic ID

Analytic Description

DET0044

Detecting Malicious Browser Extensions Across Platforms

AN0123

Installation of a new browser extension followed by suspicious file writes or outbound network connections to untrusted domains by the browser process.

AN0124

Installation of malicious .mobileconfig profiles or browser extension plist entries followed by abnormal browser child process activity.

AN0125

Manual or scripted installation of Chrome extensions using user scripts or config files, followed by unexpected network connections from browser processes.


T1083 - File and Directory Discovery


ID

Name

Analytic ID

Analytic Description

DET0370

Recursive Enumeration of Files and Directories Across Privilege Contexts

AN1040

Execution of file enumeration commands (e.g., 'dir', 'tree') from non-standard processes or unusual user contexts, followed by recursive directory traversal or access to sensitive locations.

AN1041

Use of file enumeration commands (e.g., 'ls', 'find', 'locate') executed by suspicious users or scripts accessing broad file hierarchies or restricted directories.

AN1042

Execution of file or directory discovery commands (e.g., 'ls', 'find') from terminal or script-based tooling, especially outside normal user workflows.

AN1043

Execution of esxcli commands to enumerate datastore, configuration files, or directory structures by unauthorized or remote users.

AN1044

Execution of file discovery commands (e.g., 'dir', 'show flash', 'nvram:') from CLI interfaces, especially by unauthorized users or from abnormal source IPs.


T1560 - Archive Collected Data


ID

Name

Analytic ID

Analytic Description

DET0526

Detect Archiving and Encryption of Collected Data (T1560)

AN1458

Detects adversarial archiving of files prior to exfiltration by correlating execution of compression/encryption utilities (e.g., makecab.exe, rar.exe, 7z.exe, powershell Compress-Archive) with subsequent creation of large compressed or encrypted files. Identifies abnormal process lineage involving crypt32.dll usage, command-line arguments invoking compression switches, and file write operations to temporary or staging directories.

AN1459

Detects adversarial archiving activity through invocation of utilities like tar, gzip, bzip2, or openssl used in non-administrative or unusual contexts. Correlates command execution patterns with file creation of compressed/encrypted outputs in staging directories (e.g., /tmp, /var/tmp).

AN1460

Detects use of macOS-native archiving or encryption tools (zip, ditto, hdiutil) for staging collected data. Identifies unexpected invocation of archive utilities by Office apps, browsers, or background daemons. Correlates file creation of .zip/.dmg containers with process lineage anomalies.


T1090 - Proxy


ID

Name

Analytic ID

Analytic Description

DET0445

Detection of Proxy Infrastructure Setup and Traffic Bridging

AN1229

Suspicious process spawning (e.g., rundll32, svchost, powershell, or netsh) followed by network connection creation to internal hosts or uncommon external endpoints on high or non-standard ports.

AN1230

User-space tools (e.g., socat, ncat, iptables, ssh) used in non-standard ways to establish reverse shells, port-forwarding, or inter-host connections. Often chained with uncommon outbound destinations or SSH tunnels.

AN1231

AppleScript, LaunchAgents, or remote login services (ssh, networksetup) establishing proxy tunnels or dynamic port forwards to external IPs or alternate local hosts.

AN1232

Direct use of nc, socat, or reverse tunnel scripts initiated by abnormal user contexts or unauthorized VIBs initiating connections from hypervisor to external systems.

AN1233

Dynamic or static port forwarding rules added to route traffic through an internal host, or configuration changes to proxy firewall rules not aligned with baselined policy.


T1566 - Phishing


ID

Name

Analytic ID

Analytic Description

DET0070

Detection Strategy for Phishing across platforms.

AN0188

Unusual inbound email activity where attachments or embedded URLs are delivered to users followed by execution of new processes or suspicious document behavior. Detection involves correlating email metadata, file creation, and network activity after a phishing message is received.

AN0189

Monitor for malicious payload delivery through phishing where attachments or URLs in email clients (e.g., Thunderbird, mutt) result in unusual file creation or outbound network connections. Focus on correlation between mail logs, file writes, and execution activity.

AN0190

Detection of phishing through anomalous Mail app activity, such as attachments saved to disk and immediately executed, or Safari/Preview launching URLs and files linked from email messages. Correlate UnifiedLogs events with subsequent process execution.

AN0191

Phishing via Office documents containing embedded macros or links that spawn processes. Detection relies on correlating Office application logs with suspicious child process execution and outbound network connections.

AN0192

Phishing attempts targeting IdPs often manifest as anomalous login attempts from suspicious email invitations or fake SSO prompts. Detection correlates login flows, MFA bypass attempts, and anomalous geographic patterns following phishing email delivery.

AN0193

Phishing delivered via SaaS services (chat, collaboration platforms) where messages contain malicious URLs or attachments. Detect anomalous link clicks, suspicious file uploads, or token misuse after SaaS-based phishing attempts.


T1140 - Deobfuscate/Decode Files or Information


ID

Name

Analytic ID

Analytic Description

DET0275

Detect Adversary Deobfuscation or Decoding of Files and Payloads

AN0767

An adversary leverages built-in tools such as certutil.exe, powershell.exe, or copy.exe to decode, reassemble, or extract hidden malicious content from obfuscated containers or encoded formats. The decoding utility often spawns shortly after file staging or download and may be chained with script interpreters or further payload execution.

AN0768

The adversary uses native utilities like base64, gzip, tar, or openssl to decode, decompress, or decrypt files that were previously staged or downloaded. These tools may be chained with curl/wget and executed via bash/zsh, often to extract an embedded payload or reverse shell script.

AN0769

The adversary invokes built-in scripting or decoding tools like base64, plutil, or AppleScript-based utilities to decode files embedded in staging artifacts. Decoding often occurs post-download or as part of post-exploitation payload deployment via zsh, python, or osascript.


T1546 - Event Triggered Execution


ID

Name

Analytic ID

Analytic Description

DET0010

Behavioral Detection of Event Triggered Execution Across Platforms

AN0024

Correlates unexpected modifications to WMI event filters, scheduled task triggers, or registry autorun keys with subsequent execution of non-standard binaries by SYSTEM-level processes.

AN0025

Detects inotify or auditd configuration changes that monitor system files coupled with execution of script interpreters or binaries by cron or systemd timers.

AN0026

Correlates launchd plist modifications with subsequent unauthorized script execution or anomalous parent-child process trees involving user agents.

AN0027

Monitors cloud function creation triggered by specific audit log events (e.g., IAM changes, object creation), followed by anomalous behavior from new service accounts.

AN0028

Correlates Power Automate or similar logic app workflows triggered by SaaS file uploads or email rules with data forwarding or anomalous access patterns.

AN0029

Detects macros or VBA triggers set to execute on document open or close events, often correlating with embedded payloads or C2 traffic shortly after execution.


T1056 - Input Capture


ID

Name

Analytic ID

Analytic Description

DET0102

Behavioral Detection of Input Capture Across Platforms

AN0282

Monitors for abnormal process behavior and API calls like SetWindowsHookEx, GetAsyncKeyState, or device input polling commonly used for keystroke logging.

AN0283

Detects use of tools/scripts accessing input devices like /dev/input/* or evdev via suspicious processes lacking GUI context.

AN0284

Monitors for TCC-bypassing or unauthorized access to input services like IOHIDSystem or Quartz Event Services used in keylogging or screen monitoring.

AN0285

Detects web-based credential phishing by analyzing traffic to suspicious URLs that mimic login portals and POST credential content.


T1547 - Boot or Logon Autostart Execution


ID

Name

Analytic ID

Analytic Description

DET0274

Boot or Logon Autostart Execution Detection Strategy

AN0764

Correlation of registry key modification for Run/RunOnce with abnormal parent-child process relationships and outlier execution at user logon or system startup

AN0765

Correlates creation/modification of systemd service files or /etc/init.d scripts with outlier process behavior during boot

AN0766

Observes creation or modification of LaunchAgent/LaunchDaemon property list files combined with anomalous plist payload execution after user logon


Observed Countries1

IR (932)