A newly evolved version of the Android surveillanceware family known as DCHSpy is making waves in the mobile threat landscape. First discovered and tracked by Lookout Threat Intelligence in 2024, DCHSpy has continued to grow in both capability and reach, and is now linked to MuddyWater, a state-sponsored cyber espionage group tied to Iran’s Ministry of Intelligence and Security (MOIS).
DCHSpy is far from a generic spyware tool. It is carefully tailored for high-value geopolitical targets in government, telecom, oil and gas, and defense sectors across Asia, Africa, Europe, and North America. As tensions flared between Iran and Israel in mid-2025, Lookout observed a fresh wave of samples:
“About a week after Israel launched its initial strikes on Iranian nuclear infrastructure, Lookout acquired four new samples of DCHSpy.”
These updated versions revealed enhanced capabilities, including:
- Harvesting WhatsApp data
- Exfiltrating sensitive files from devices
- Controlling microphones and cameras
- Capturing SMS, call logs, and GPS data
The new campaign features lures themed around Starlink, Elon Musk’s satellite internet service. Iran’s post-conflict internet blackout made Starlink-themed apps particularly enticing for Iranian users desperate for unfiltered access.
“One of the Earth VPN samples… was uploaded with an APK filename of starlink_vpn(1.3.0)… indicating that DCHSpy VPN samples are also being spread with Starlink lures,” the report explains.
Masquerading as legitimate VPN services such as EarthVPN and ComodoVPN, the malware was distributed via Telegram, often through English and Farsi propaganda-laced channels. These fake VPNs listed phony Canadian and Romanian addresses to appear trustworthy.
The infrastructure used by DCHSpy overlaps with SandStrike, another Android surveillanceware targeting religious minorities like the Baháʼí community. According to Lookout:
“The hardcoded command and control (C2) IP address in the SandStrike sample was also used multiple times to deploy a PowerShell RAT attributed to MuddyWater.”
This shared infrastructure underscores a cohesive operational strategy among Iran-linked APTs.
DCHSpy is just one of 17 mobile malware families Lookout tracks as tied to at least 10 Iranian APTs. Past campaigns include:
- BouldSpy, used by Iranian law enforcement (FARAJA) to track dissidents
- GuardZoo, deployed by the Houthis in Yemen
- SpyMax, used against Assad’s forces in Syria
“Threat actors tied to the Iranian government are no strangers in the mobile surveillanceware landscape,” Lookout researchers concluded. “These most recent samples of DCHSpy indicate continued development and usage of the surveillanceware as the situation in the Middle East evolves.”