Lookout recently uncovered new samples of DCHSpy, an Android surveillanceware tool utilized by the Iranian cyber espionage group MuddyWater, shortly after the Israel-Iran conflict began. This discovery highlights the continued development and deployment of DCHSpy, which has been designed to collect a wide range of sensitive user data, including WhatsApp information, account details, contacts, SMS messages, files, location, and call logs. The malware can also record audio and capture photos, posing a significant threat to targeted individuals. Lookout has been protecting its customers from DCHSpy since 2024, indicating its ongoing presence and evolution in the threat landscape.
DCHSpy is believed to be developed and maintained by MuddyWater, a cyber espionage group reportedly affiliated with Iran’s Ministry of Intelligence and Security (MOIS).
This group is known for targeting various government and private entities across diverse sectors and regions, including the Middle East, Asia, Africa, Europe, and North America. The timing of the new DCHSpy samples, coinciding with the recent conflict, suggests a potential escalation in cyber espionage activities, with the malware now appearing to be deployed against adversaries. Its distribution often involves political lures and disguises as legitimate applications like VPNs or banking apps, further enhancing its deceptive nature.
Intriguingly, DCHSpy shares infrastructure with another Android malware known as SandStrike, which targets Baháʼí practitioners.
Lookout researchers found that a hardcoded command and control (C2) IP address used in a SandStrike sample was also employed multiple times to deploy a PowerShell Remote Access Trojan (RAT) attributed to MuddyWater. Furthermore, the SandStrike sample contained a malicious VPN configuration file linked to threat actor-controlled infrastructure. This shared infrastructure and tactical similarities indicate a close relationship between DCHSpy and SandStrike, suggesting that MuddyWater leverages a consistent set of tools and methods for its operations. DCHSpy itself is primarily distributed through malicious URLs shared directly via messaging applications like Telegram.
The four newly acquired DCHSpy samples, discovered approximately one week after Israel’s initial strikes on Iranian nuclear infrastructure, reveal significant new capabilities. These include the ability to identify and exfiltrate specific “files of interest” from infected devices, as well as the newly observed capability to collect WhatsApp data. A notable finding among these new samples is an “Earth VPN” sample with a filename strongly suggesting Starlink lures (e.g., “starlink_vpn”). This aligns with recent reports of Starlink offering internet services to Iranians during government-imposed internet outages, indicating a potential exploitation of these critical services as a new targeting vector for DCHSpy.
In its distribution tactics, DCHSpy continues to leverage malicious VPN applications shared via Telegram, similar to previous observations. These Telegram channels promote the malicious VPN apps to both English and Farsi speakers, often featuring themes critical of the Iranian regime. While previous campaigns advertised “HideVPN,” the latest iteration of DCHSpy utilizes two new malicious VPN services: “EarthVPN” and “ComodoVPN.” These services, despite claiming to be located in Canada and Romania respectively, use addresses and contact numbers belonging to unrelated businesses, further highlighting the deceptive nature of MuddyWater’s operations and their consistent use of social engineering to ensnare victims. Once data is collected from an infected device, it is compressed, encrypted with a password from the C2 server, and then uploaded to a Secure File Transfer Protocol (SFTP) server.
Reference:
