Researchers have observed the Iran-linked MuddyWater APT group deploying new variants of its Android spyware, DCHSpy, targeting users in the context of the ongoing Israel–Iran conflict. Delivered through fake VPN or banking apps promoted in English and Farsi via Telegram, this malware harvests sensitive data including WhatsApp messages, audio recordings, location, photos, and call logs, and quietly uploads it over encrypted channels. The campaign indicates both political espionage and regional surveillance motives, reflecting the group’s ongoing mobile targeting operations.
Emergence & Attribution
In late June 2025, about a week after the escalation of hostilities between Israel and Iran, Lookout researchers identified four new Android spyware samples by MuddyWater (also known as SeedWorm or Static Kitten) masquerading as VPN apps. These included deceptive packages like EarthVPN, Comodo VPN, and a Starlink-branded installer. The timing, messaging, and infrastructure strongly suggest a renewed campaign targeting regional tensions. MuddyWater has consistently leveraged political events to tailor its mobile espionage operations, often directed at journalists, activists, and civil society figures.
Infrastructure & Lure Crafting
The attackers leveraged Telegram to distribute links to fake VPN apps that mimicked legitimate services, such as “EarthVPN”, which claimed to be registered in Romania, or “Comodo VPN”, which falsely included Canadian contact details. One EarthVPN APK was named starlink_vpn-(1.3.0).apk to exploit interest in Starlink connectivity following internet disruptions in Iran. These lures are delivered via targeted channels in both English and Farsi, indicating a sophisticated, socially engineered campaign aimed at specific regional audiences.
Spyware Capabilities & Payload Mechanics
Once installed, DCHSpy operates covertly, silently harvesting the data described above: WhatsApp messages, audio recordings, location, photos, and call logs.
Collected data is compressed and encrypted with a key delivered by the C2 server, then exfiltrated over SFTP to attacker-controlled servers.
Modular Deployment & Shared Toolsets
DCHSpy shares infrastructure with SandStrike, another Android spyware used by MuddyWater for espionage against the Baháʼí community. Command-and-control (C2) domains and X.509 certificates overlap, suggesting that MuddyWater employs a shared mobile espionage framework adaptable to different target audiences. DCHSpy’s modular design allows it to download additional payloads at runtime, adapting to attacker intentions such as tracking, espionage, or potentially preparing for ransomware or sabotage.
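The infrastructure-overlap reasoning above (shared C2 domains and X.509 certificates linking DCHSpy to SandStrike) can be reproduced as a small pivoting script. This is an added example, not code from the report or from Lookout; every domain and certificate value below is a constructed placeholder, not a real indicator from the campaign.

```python
from collections import defaultdict

# Constructed sample set. Indicators are tagged by type ("c2:" domain, "cert:"
# certificate fingerprint) and are placeholders, NOT IoCs from the report.
SAMPLES = {
    "dchspy_earthvpn":  {"c2:c2-one.invalid", "c2:c2-two.invalid", "cert:CERT_PLACEHOLDER_A"},
    "dchspy_comodovpn": {"c2:c2-two.invalid", "cert:CERT_PLACEHOLDER_A"},
    "sandstrike":       {"c2:c2-three.invalid", "cert:CERT_PLACEHOLDER_A"},
    "unrelated_adware": {"c2:ads.invalid", "cert:CERT_PLACEHOLDER_Z"},
}


def index_by_indicator(samples):
    """Invert sample -> indicators into indicator -> samples that use it."""
    idx = defaultdict(set)
    for name, indicators in samples.items():
        for ind in indicators:
            idx[ind].add(name)
    return idx


def clusters(samples):
    """Group samples into connected components; an edge is any shared indicator.

    Samples in one component are linked (directly or transitively) through a
    common C2 domain or signing/TLS certificate, the kind of overlap analysts use
    to argue for a shared framework such as DCHSpy/SandStrike.
    """
    idx = index_by_indicator(samples)
    seen, components = set(), []
    for start in samples:
        if start in seen:
            continue
        component, stack = set(), [start]
        while stack:
            s = stack.pop()
            if s in component:
                continue
            component.add(s)
            for ind in samples[s]:
                stack.extend(idx[ind] - component)
        seen |= component
        components.append(component)
    return components


def shared_indicators(samples, a, b):
    """The concrete evidence for a link: indicators both samples share."""
    return samples[a] & samples[b]
```

Transitive links matter: dchspy_earthvpn and sandstrike share only a certificate, yet the cluster still joins them, so a single reused certificate is enough to merit closer review.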
Operational Behavior & Stealth
The spyware requests only the permissions it needs and remains silent to avoid detection. It uses hidden background services and scheduled tasks to start data collection during periods of typical user inactivity. HTTPS and DNS tunneling are likely employed to disguise data exfiltration as legitimate traffic. The use of politically themed lures and multiple distribution domains increases both operational stealth and delivery resilience.
These latest DCHSpy updates pose serious privacy and security risks for Android users, especially journalists, activists, and those in high-risk regions. The malware’s ability to capture encrypted messaging content, phone activity, and media makes it a powerful tool for silent surveillance. Since it is distributed through seemingly legitimate apps like “EarthVPN” and “Comodo VPN”, and even disguised as “Starlink” offerings, unsuspecting users may install it, creating widespread compromise potential across targeted communities.
https://attack.mitre.org/groups/G0069