One week after Israeli strikes on Iranian nuclear infrastructure, Lookout Threat Intelligence discovered four new samples of DCHSpy, a mobile surveillance tool tied to Iran’s Ministry of Intelligence and Security.
The malware, attributed to the Iranian APT group MuddyWater, is back, and it’s watching.
DCHSpy collects WhatsApp messages, contact lists, SMS, call logs, stored files, and location data. It can also take photos and record audio. The latest samples add capability: scanning the device for files of interest and more targeted extraction of WhatsApp data.
The lure this time? Starlink.
One of the new samples was disguised as a VPN app named starlink_vpn(1.3.0)-3012 (1).apk. It's a calculated move: Starlink grew in popularity in Iran during recent internet blackouts, which makes it a convincing hook for dissidents and ordinary citizens alike.
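A "VPN" that asks for SMS, call-log, contact, microphone and location access is the mismatch a triage analyst looks for first. The following is an added example, not Lookout's analysis code and not DCHSpy's code: it parses a decoded AndroidManifest.xml, checks whether the app actually declares a VpnService (its cover story), and lists the permissions that map onto the collection described above. The two manifests, the baseline permission set and the package names are constructed for illustration; real APK manifests are binary XML and must be decoded first (for example with apktool or aapt2) before this parser can read them.

```python
"""Triage a purported VPN app's manifest for surveillance permissions.

Added example for illustration; not code from Lookout or from DCHSpy.
The manifests and permission sets below are constructed assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # the android:name attribute, namespaced

# Assumption: what a legitimate VPN client typically needs. Anything beyond this
# is at least worth a second look.
VPN_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
}

# Permissions that correspond to the data DCHSpy is reported to collect.
SURVEILLANCE = {
    "android.permission.READ_SMS": "SMS",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "photos",
    "android.permission.READ_EXTERNAL_STORAGE": "stored files",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "stored files (all)",
}

# Constructed manifest: declares a VpnService as cover, but requests spyware permissions.
FAKE_VPN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest: what an unremarkable VPN client looks like.
PLAIN_VPN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainvpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE">
      <intent-filter><action android:name="android.net.VpnService"/></intent-filter>
    </service>
  </application>
</manifest>"""


def parse_manifest(xml_text):
    """Return (requested permissions, whether a VpnService intent is declared)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}
    declares_vpn = any(a.get(NAME) == "android.net.VpnService" for a in root.iter("action"))
    return perms, declares_vpn


def triage(xml_text):
    """Flag surveillance permissions that a VPN cover story does not explain."""
    perms, declares_vpn = parse_manifest(xml_text)
    capabilities = sorted(SURVEILLANCE[p] for p in perms & SURVEILLANCE.keys())
    other = sorted(perms - VPN_BASELINE - SURVEILLANCE.keys())
    return {
        "declares_vpn_service": declares_vpn,
        "surveillance_capabilities": capabilities,
        "other_non_baseline_permissions": other,
        "verdict": "suspicious" if capabilities else "no finding",
    }


if __name__ == "__main__":
    for label, manifest in (("fake vpn", FAKE_VPN_MANIFEST), ("plain vpn", PLAIN_VPN_MANIFEST)):
        print(label, triage(manifest))
```

The verdict is a triage signal, not an attribution: plenty of legitimate apps over-request permissions. The point is that a VPN client has no reason to read SMS or record audio, so a decoded manifest that declares both a VpnService and those permissions is what should route the sample to deeper analysis.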
Disguises and Distribution
MuddyWater’s tradecraft is familiar: it uses Telegram to spread fake VPN apps, pretends to offer free, secure internet, and slips in spyware instead.
The apps (EarthVPN, ComodoVPN, HideVPN) claim to operate out of Canada or Romania. Their contact info leads nowhere. Distribution pages are plain, functional, and built for one thing: trust.
Victims are pulled in via targeted messages on Telegram. The themes are anti-regime. The message is freedom; the payload is surveillance.
Once installed, DCHSpy quietly collects data on the device, compresses and encrypts it, and exfiltrates it to a command-and-control server.
Infrastructure and Parallels
DCHSpy shares infrastructure with SandStrike, another Android surveillanceware campaign uncovered in 2022. That malware targeted Baháʼí users. It used malicious VPNs. It phoned home to the same IP ranges.
Like DCHSpy, it was linked to MuddyWater.
These overlaps suggest a single operator (or a common toolbox) refined over time.
The VPN configuration files used in both campaigns tie back to infrastructure controlled by the threat actor. And the mobile implants are not the whole picture: MuddyWater's PowerShell-based remote access trojans (RATs) are run in parallel against targeted systems.
Continued Development, Broader Playbook
DCHSpy isn’t isolated. Lookout tracks at least 17 Android malware families connected to 10 Iranian APTs. The tactics vary, but the goal is constant: control.
Other recent examples include BouldSpy, linked to Iranian law enforcement (FARAJA), and GuardZoo, used by Houthi proxies in Yemen. In Syria, similar techniques have been used against Assad-aligned forces with commodity spyware like SpyMax.
These are not theoretical threats. They’re active campaigns, built to monitor, record, and suppress.
What This Signals
This new activity shows MuddyWater is alive and adapting. The reappearance of DCHSpy during the Israel-Iran conflict signals a broader intent: to track, disrupt, and collect intelligence across borders and battle lines.
Conflict shifts terrain. Surveillance adapts with it.
Lookout will continue monitoring these threats and notifying customers of any new developments.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.