Feb 19, 2026 · 5 min read
Hackers Are Baiting Iran's Dissidents With Real Protest Footage. It Is Malware
A state-aligned cyber operation is distributing authentic protest videos bundled with a previously undocumented spyware strain called CRESCENTHARVEST, targeting Iran's protest movement and its international supporters.
What Happened
Swiss cybersecurity firm Acronis has uncovered a cyberespionage campaign targeting supporters of Iran's anti-government protest movement. The attackers are distributing authentic protest footage and Farsi-language reports bundled with a previously undocumented malware strain that researchers have named CRESCENTHARVEST.
The campaign began in early January 2026, shortly after mass nationwide demonstrations erupted across Iran calling for an end to the Islamic Republic system. Authorities responded with sweeping internet blackouts, creating a desperate demand for information among Iranians inside and outside the country. The attackers exploited that demand.
Files shared with potential victims included real video footage from the protests and a Farsi-language document described as providing "updates from the rebellious cities of Iran." Two files in the archive, disguised as a video and an image, were the actual malware payload.
How CRESCENTHARVEST Works
CRESCENTHARVEST is both a remote access trojan and an information stealer, a combination that gives its operators persistent surveillance access and the ability to extract data in bulk. Once installed, the malware can:
- Execute commands remotely on the infected device
- Log every keystroke, capturing passwords and private messages as they are typed
- Extract saved credentials from browsers and applications
- Harvest browsing history, cookies, and session tokens
- Steal account information from Telegram, a messaging platform widely used by Iranian dissidents
The malware is also adaptive. It detects installed antivirus software and adjusts its behavior accordingly, becoming more aggressive on poorly protected systems while minimizing its footprint on machines with stronger defenses to avoid detection.
Who Is Being Targeted
The campaign specifically targets Farsi-speaking individuals who have shown sympathy for Iran's protest movement. This includes activists, journalists, politicians, and ordinary citizens who have sought information about the demonstrations.
Given Iran's internet blackouts during the protests, the primary targets appear to be members of the Iranian diaspora and international supporters rather than individuals inside the country who lack reliable internet access. These are people who maintain connections with activists on the ground and serve as information conduits to the outside world.
The initial infection likely involves spear phishing or prolonged social engineering to build trust before delivering the malicious files. The use of authentic protest footage as bait makes the lure particularly convincing to people emotionally invested in the movement.
A Pattern of Digital Repression
CRESCENTHARVEST is the latest in a long series of cyber operations linked to Iranian-aligned threat actors targeting dissidents and civil society. Previous campaigns include APT42's systematic targeting of journalists' Gmail credentials and operations against human rights organizations documenting abuses inside Iran.
What makes this campaign distinctive is the psychological sophistication of its delivery method. By wrapping malware inside the very content that protesters and their supporters are desperately seeking, the attackers transform solidarity into a vulnerability. Opening a file to learn about the movement becomes the mechanism for the state to surveil it.
While Acronis has not conclusively attributed the campaign to a specific group, the researchers noted that the attackers' code, infrastructure, and methods suggest links to an Iranian-aligned threat actor.
Why Telegram Is a Key Target
CRESCENTHARVEST's focus on stealing Telegram account information is deliberate. Telegram is the primary communication platform for Iranian protest organizers, with channels serving as the main infrastructure for coordinating demonstrations, sharing evidence of government crackdowns, and distributing safety information.
Compromising a single Telegram account can expose entire networks of activists, their contacts, message histories, and group memberships. For a surveillance operation, a Telegram account breach is worth far more than email or social media credentials because it reveals the organizational structure of the movement itself.
How to Protect Yourself
If you are following Iran's protest movement or communicating with activists, these precautions can reduce your exposure:
- Never open files from unverified sources, even if they appear to contain legitimate protest content. Verify the sender through a separate communication channel first
- Be cautious of archives containing multiple file types. A folder with a video, an image, and a document is a common malware distribution pattern
- Enable two-factor authentication on Telegram using a strong, unique password rather than SMS verification
- Use Telegram's secret chats feature for sensitive conversations, as these use end-to-end encryption and are not stored on Telegram's servers
- Keep your operating system and antivirus software updated. CRESCENTHARVEST adjusts its behavior based on detected security tools, so maintaining current defenses forces the malware into its less aggressive mode
- Consider using a separate device or virtual machine for viewing protest-related content from unknown sources
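The second precaution above, checking an archive before opening anything in it, can be partly automated. The following Python script is an added example written for this article, not code from Acronis or from the campaign analysis: it reads each entry of a ZIP archive (the archive format is an assumption; the article does not name it) and flags entries whose content does not match the media extension they claim, or whose content or name points to an executable. The sample archive it builds is constructed for the example and contains no real malware, only an executable header in files named like a photo and a clip.

```python
import io
import zipfile
from typing import List, Optional, Tuple

# Byte signatures a genuine file of each type starts with: (offset, prefix).
# Constructed for this example; it covers only the media types used as lures.
SIGNATURES = {
    ".mp4": (4, b"ftyp"),
    ".mov": (4, b"ftyp"),
    ".jpg": (0, b"\xff\xd8\xff"),
    ".jpeg": (0, b"\xff\xd8\xff"),
    ".png": (0, b"\x89PNG\r\n\x1a\n"),
    ".pdf": (0, b"%PDF"),
}

# Headers of executable content, checked regardless of the declared name.
EXECUTABLE_HEADERS = {
    b"MZ": "Windows PE executable",
    b"\x7fELF": "ELF executable",
}

# Extensions that run code when opened; flagged even when they trail a media
# extension, as in "clip.mp4.scr".
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".lnk", ".js", ".vbs", ".hta",
}


def classify_entry(name: str, head: bytes) -> Optional[str]:
    """Return a reason if an archive entry looks disguised, otherwise None.

    `head` holds the first bytes of the entry's content (512 is plenty).
    """
    # 1. Executable content is suspicious whatever the file is called.
    for prefix, label in EXECUTABLE_HEADERS.items():
        if head.startswith(prefix):
            return f"content is a {label} despite the name {name!r}"
    # 2. An executable extension, possibly hidden behind a media extension.
    basename = name.lower().rsplit("/", 1)[-1]
    parts = basename.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        return f"executable extension {ext!r}"
    # 3. A media extension whose content lacks that format's signature.
    if ext in SIGNATURES:
        offset, sig = SIGNATURES[ext]
        if head[offset:offset + len(sig)] != sig:
            return f"{ext} extension but the content carries no {ext} signature"
    return None


def scan_archive(data: bytes) -> List[Tuple[str, str]]:
    """Scan an in-memory ZIP and return (entry name, reason) for suspect entries."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(512)
            reason = classify_entry(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_sample_archive() -> bytes:
    """Construct a harmless test archive shaped like the lure the article describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Genuine-looking MP4 and PDF headers (constructed, not real media).
        zf.writestr("protest_footage.mp4", b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 32)
        zf.writestr("report.pdf", b"%PDF-1.7\n% constructed sample\n")
        zf.writestr("readme.txt", b"updates from the cities\n")
        # Two entries named as media but starting with a PE header.
        zf.writestr("photo.jpg", b"MZ\x90\x00\x03\x00" + b"\x00" * 32)
        zf.writestr("clip.mp4", b"MZ\x90\x00\x03\x00" + b"\x00" * 32)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_archive(build_sample_archive()):
        print(f"SUSPECT {entry}: {why}")
```

Run it on a downloaded archive by replacing `build_sample_archive()` with the file's bytes. A clean result is not proof of safety, since a payload can hide inside a file whose header is genuine; a flagged result is a strong reason not to open anything from the archive.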
The CRESCENTHARVEST campaign is a reminder that in digital conflicts, the most dangerous weapon is often disguised as the thing you want most. For anyone connected to Iran's protest movement, treating every unsolicited file as potentially hostile is not paranoia. It is operational security.