Iran-Linked DCHSpy Android Malware Targets Dissidents Via Fake VPNs

Iranian state-aligned hackers, specifically the MuddyWater group, have escalated their cyberespionage efforts by deploying advanced DCHSpy Android malware. This sophisticated surveillance tool, disguised as legitimate VPN applications, targets dissidents and collects sensitive personal data, highlighting a growing trend of mobile malware use in geopolitical conflicts.

Iran's MuddyWater Group Unleashes Enhanced DCHSpy Android Spyware

Mobile security firm Lookout Inc. recently reported the discovery of four new variants of DCHSpy, an Android surveillanceware attributed to the Iranian state-aligned cyberespionage group MuddyWater. These new samples emerged approximately one week after Israeli strikes on Iranian nuclear sites in June 2025, indicating a rapid adaptation of cyber tools in response to regional tensions.

Deceptive Tactics: Masquerading as VPNs and Starlink

The DCHSpy variants are disguised as legitimate-looking virtual private network (VPN) applications, including "Earth VPN" and "Comodo VPN." One notable sample was even named to reference "Starlink," likely an attempt to capitalize on the satellite provider's internet access offerings during government-imposed blackouts in Iran. These malicious apps are primarily distributed via Telegram, targeting Iranian users and dissidents with anti-regime themes.

Extensive Data Collection Capabilities

DCHSpy is a highly invasive tool designed to exfiltrate a wide array of sensitive data from infected Android devices. Its capabilities include:

  • WhatsApp messages

  • Logged-in accounts

  • Contact lists

  • SMS content

  • Call logs

  • Photos

  • Microphone recordings

  • Location information

The latest variants show enhanced capabilities, such as improved file exfiltration and precise WhatsApp data extraction.
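Every category in that list maps to an Android permission that a genuine VPN client has no reason to request, which gives defenders a simple triage signal: a sideloaded app calling itself a VPN while asking for SMS, call-log, contact, microphone or location access deserves a closer look. The script below is an added example written for this article; it is not Lookout's tooling and not code from the original page. It assumes an app inventory in the form of dicts carrying the package name, display label, installer package and declared permissions (as a defender might export from a device-management console or a manifest dump); the permission-to-category mapping is the standard Android permission model, and the three sample apps are constructed for illustration.

```python
"""Triage helper: flag apps whose requested permissions exceed what a VPN needs.

Added example, not code from Lookout or from the article. Assumes an
inventory of installed apps as dicts with 'package', 'label', 'installer'
and 'permissions' (Android permission names). All sample data is constructed.
"""
from dataclasses import dataclass, field

# Android permissions behind the data categories the article lists.
# Assumption: the defender can see each app's declared permissions.
SENSITIVE = {
    "android.permission.READ_SMS": "SMS content",
    "android.permission.RECEIVE_SMS": "SMS content",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contact lists",
    "android.permission.RECORD_AUDIO": "microphone recordings",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.GET_ACCOUNTS": "logged-in accounts",
    "android.permission.READ_EXTERNAL_STORAGE": "photos/files",
    "android.permission.READ_MEDIA_IMAGES": "photos",
}

# What a real VPN client legitimately needs: network access plus the
# BIND_VPN_SERVICE permission on its VpnService component. Nothing in SENSITIVE.
VPN_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.BIND_VPN_SERVICE",
}

# Constructed policy: only Google Play counts as a trusted installer here.
TRUSTED_INSTALLERS = {"com.android.vending"}


@dataclass
class Finding:
    package: str
    score: int
    reasons: list = field(default_factory=list)


def assess_app(app: dict) -> Finding:
    """Score one app: sensitive data access, sideloading, and VPN-claim mismatch."""
    reasons, score = [], 0
    excess = set(app["permissions"]) - VPN_BASELINE
    categories = {SENSITIVE[p] for p in excess if p in SENSITIVE}
    for category in sorted(categories):
        reasons.append(f"requests access to {category}")
    score += 2 * len(categories)

    installer = app.get("installer")
    if installer not in TRUSTED_INSTALLERS:
        # Sideloaded (e.g. an APK shared over a messaging channel) shows up as a
        # missing or non-store installer package.
        reasons.append(f"sideloaded (installer={installer!r})")
        score += 3

    if "vpn" in app["label"].lower() and categories:
        reasons.append("claims to be a VPN but asks for data a VPN never needs")
        score += 3
    return Finding(app["package"], score, reasons)


def triage(inventory, threshold=5):
    """Return findings at or above the threshold, highest score first."""
    findings = [assess_app(app) for app in inventory]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


# Constructed sample inventory: one suspicious sideloaded "VPN", one
# store-installed VPN with a sane permission set, one ordinary messenger.
SAMPLE_INVENTORY = [
    {
        "package": "com.example.earthvpn",  # constructed package name
        "label": "Earth VPN",
        "installer": None,
        "permissions": [
            "android.permission.INTERNET",
            "android.permission.READ_SMS",
            "android.permission.READ_CALL_LOG",
            "android.permission.READ_CONTACTS",
            "android.permission.RECORD_AUDIO",
            "android.permission.ACCESS_FINE_LOCATION",
            "android.permission.READ_EXTERNAL_STORAGE",
            "android.permission.GET_ACCOUNTS",
        ],
    },
    {
        "package": "com.example.trustedvpn",
        "label": "Trusted VPN",
        "installer": "com.android.vending",
        "permissions": [
            "android.permission.INTERNET",
            "android.permission.ACCESS_NETWORK_STATE",
            "android.permission.FOREGROUND_SERVICE",
        ],
    },
    {
        "package": "com.example.chat",
        "label": "Chat",
        "installer": "com.android.vending",
        "permissions": [
            "android.permission.INTERNET",
            "android.permission.READ_CONTACTS",
            "android.permission.RECORD_AUDIO",
        ],
    },
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"{finding.package} score={finding.score}")
        for reason in finding.reasons:
            print(f"  - {reason}")
```

The scoring is deliberately additive so that a store-installed messenger with contact and microphone access stays below the threshold while a sideloaded "VPN" requesting seven categories of personal data rises to the top; tune `TRUSTED_INSTALLERS` and `threshold` to the device fleet's actual policy.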

Overlapping Infrastructure and Broader Campaign

Lookout's analysis reveals that DCHSpy shares infrastructure with SandStrike, another Android surveillance tool previously used against Baháʼí practitioners. Both malware families leverage overlapping command-and-control servers and distribution methods, suggesting a coordinated and evolving cyberespionage campaign. This activity reflects a broader pattern of political targeting by Iranian advanced persistent threat groups, which are increasingly investing in custom-built mobile malware frameworks for intelligence gathering.

Persistent Threat and Ongoing Monitoring

The reappearance and enhancement of DCHSpy during the Israel-Iran conflict underscore MuddyWater's adaptability and broader intent to track, disrupt, and collect intelligence. Lookout continues to monitor 17 mobile malware families linked to at least ten Iranian APTs, emphasizing the persistent nature of these threats in the evolving geopolitical landscape.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • Iranian hackers expand Android spyware campaign amid Middle East tensions, SiliconANGLE.

  • MuddyWater Upgrades Android Spy Tool For Wartime Espionage, Information Security Buzz.

  • Iran-Linked DCHSpy Android Malware Masquerades as VPN Apps to Spy on Dissidents, The Hacker News.

  • 4 new Android spyware samples linked to Iran's intel agency, The Register.

  • New DCHSpy Android Malware Targets WhatsApp, Call Logs, Audio, and Photos, GBHackers News.
