The ongoing geopolitical tension between Iran and Israel has sparked a new wave of cyber espionage. According to a report from mobile security firm Lookout, the Iranian state-sponsored threat actor MuddyWater—also known as Mango Sandstorm, Mercury, Seedworm, and Static Kitten—has been actively deploying updated variants of the Android spyware DCHSpy since the onset of the conflict.
MuddyWater, operational since at least 2017 and linked to Iran’s Ministry of Intelligence and Security (MOIS), is well known for its cyber operations across the Middle East. The latest DCHSpy samples were discovered just a week into the conflict and appear to be distributed under the guise of legitimate VPN or banking apps, often leveraging political themes to trick users.
DCHSpy: Sophisticated Surveillance Tool in Ongoing Use
The spyware, believed to be developed and maintained directly by MuddyWater, shares key infrastructure and tactics with another Android malware strain called SandStrike. Lookout’s analysis uncovered that SandStrike was using a malicious VPN configuration file to connect to the group’s espionage infrastructure and deploy a PowerShell-based RAT (Remote Access Trojan).
Much like SandStrike, DCHSpy uses deceptive URLs shared via encrypted messaging platforms such as Telegram to reach its victims. Once installed, the malware operates modularly, granting attackers access to:
- User accounts and contacts
- SMS messages and local files
- Call logs and device location
- WhatsApp data
- Microphone and camera access for recording audio and taking pictures
All collected data is then compressed, encrypted using a password from a command-and-control (C2) server, and uploaded via SFTP to the attacker’s infrastructure.
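The capability list above maps directly onto Android runtime permissions, which gives defenders a cheap triage signal: an app that presents itself as a VPN client has no business reading SMS, call logs, contacts, the microphone and the camera. The script below is an added example written for this article, not code from Lookout or from the malware analysis; it parses an AndroidManifest.xml, checks whether the app declares a VPN service, and reports which of the reported DCHSpy data categories its permissions would reach. The permission-to-category mapping, the "baseline" set a genuine VPN client needs, the threshold of three categories, and both sample manifests are assumptions constructed for the example.

```python
"""Triage heuristic: flag an app that presents itself as a VPN client but
requests the surveillance-grade permissions DCHSpy is reported to abuse.
Added example; mappings and thresholds below are assumptions, not a
vendor signature."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Data categories reported for DCHSpy (accounts, contacts, SMS, files,
# call logs, location, microphone, camera) mapped to the Android
# permissions an app needs to reach each one. Assumed mapping.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.GET_ACCOUNTS": "accounts",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "files",
    "android.permission.READ_CALL_LOG": "call_logs",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}

# Permissions a genuine VPN client plausibly needs (assumption).
VPN_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.POST_NOTIFICATIONS",
}

# Number of surveillance categories at which a self-described VPN app
# is flagged for manual review (assumed threshold).
FLAG_THRESHOLD = 3


def parse_manifest(xml_text):
    """Return the declared permissions and whether a VPN service exists."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    perms.discard(None)
    # A real VPN client declares a service guarded by BIND_VPN_SERVICE.
    declares_vpn = any(
        svc.get(PERMISSION_ATTR) == "android.permission.BIND_VPN_SERVICE"
        for svc in root.iter("service")
    )
    return {"permissions": perms, "declares_vpn_service": declares_vpn}


def triage(manifest):
    """Score the manifest against the DCHSpy capability profile."""
    perms = manifest["permissions"]
    categories = sorted({SURVEILLANCE_PERMISSIONS[p]
                         for p in perms if p in SURVEILLANCE_PERMISSIONS})
    unexpected = sorted(perms - VPN_BASELINE - set(SURVEILLANCE_PERMISSIONS))
    suspicious = (manifest["declares_vpn_service"]
                  and len(categories) >= FLAG_THRESHOLD)
    return {
        "surveillance_categories": categories,
        "unexpected_permissions": unexpected,
        "suspicious": suspicious,
    }


# Constructed sample: a VPN-themed lure requesting the full profile.
LURE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lurevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Example VPN">
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""

# Constructed sample: a minimal, plausibly legitimate VPN client.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainvpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="Plain VPN">
    <service android:name=".TunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for label, xml in (("lure", LURE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(parse_manifest(xml)))
```

The check is deliberately coarse: it only tells an analyst which manifests deserve a closer look, and a sample that requests permissions at runtime through accessibility abuse or a second-stage download will not show the full profile in its manifest. Pair it with network telemetry (the article notes exfiltration over SFTP) rather than relying on it alone.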
Masquerading as VPN Apps with Political Lures
The newly detected versions of DCHSpy have been disguised as apps named Earth VPN, Comodo VPN, Hide VPN, and Hazrat Eshq, and are being promoted on Telegram channels targeting both English- and Farsi-speaking audiences. These apps often use anti-Iran messaging and politically charged themes to attract downloads.
In one case, a malicious Earth VPN sample used Starlink-related bait, exploiting reports that Starlink could be used to circumvent internet restrictions during blackouts imposed by the Iranian government amid regional hostilities.
Growing Mobile Threat Landscape in Iran
Lookout reports that at least 10 Iranian APT groups have used 17 different mobile malware families in recent surveillance campaigns. The evolution of DCHSpy signals the continued prioritization of mobile surveillance by Iranian state actors, especially in the wake of increased internal crackdowns following the ceasefire with Israel.
As cyber threats continue to evolve in politically volatile regions, this case underscores the importance of advanced threat detection, mobile device security, and user awareness—particularly in environments where surveillance and espionage are actively weaponized.