Iran-Linked DCHSpy Android Malware Targets Dissidents Via Fake VPNs
- John Jordan
- Jul 22
- 2 min read
Iranian state-aligned hackers, specifically the MuddyWater group, have escalated their cyberespionage efforts by deploying advanced DCHSpy Android malware. This sophisticated surveillance tool, disguised as legitimate VPN applications, targets dissidents and collects sensitive personal data, highlighting a growing trend of mobile malware use in geopolitical conflicts.

Iran's MuddyWater Group Unleashes Enhanced DCHSpy Android Spyware
Mobile security firm Lookout Inc. recently reported the discovery of four new variants of DCHSpy, an Android surveillanceware attributed to the Iranian state-aligned cyberespionage group MuddyWater. These new samples emerged approximately one week after Israeli strikes on Iranian nuclear sites in June 2025, indicating a rapid adaptation of cyber tools in response to regional tensions.
Deceptive Tactics: Masquerading as VPNs and Starlink
The DCHSpy variants are cleverly disguised as seemingly legitimate virtual private network (VPN) applications, including "Earth VPN" and "Comodo VPN." One particularly notable sample was even named to reference "Starlink," likely an attempt to capitalize on the satellite provider's internet access offerings during government-imposed blackouts in Iran. These malicious apps are primarily distributed via Telegram, targeting Iranian users and dissidents with anti-regime themes.
Extensive Data Collection Capabilities
DCHSpy is a highly invasive tool designed to exfiltrate a wide array of sensitive data from infected Android devices. Its capabilities include:
- WhatsApp messages
- Logged-in accounts
- Contact lists
- SMS content
- Call logs
- Photos
- Microphone recordings
- Location information
The latest variants show enhanced capabilities, such as improved file exfiltration and precise WhatsApp data extraction.
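Each data category above maps to an Android runtime permission that a real VPN client has no reason to request, which gives a defender a quick manifest-level triage check before deeper analysis. The script below is an added example written for this page, not code from Lookout or from the article's sources: it parses the uses-permission and service entries of an AndroidManifest.xml and reports where a self-described VPN app overreaches. The two manifests are constructed for illustration (they are not DCHSpy artifacts), and the permission-to-category mapping is an assumption chosen to mirror the list in the article; the permission names themselves are standard Android identifiers. Overreach is a heuristic indicator, not an identification of any specific malware family.

```python
"""Manifest triage for apps that present themselves as VPN clients.

Added example for this page; not Lookout's or the article's code.
Flags runtime permissions that map to the data categories DCHSpy is
reported to collect but that a VPN client does not need.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Assumed mapping (constructed for this example): permission -> the data
# category from the article that it would expose. Permission names are real.
SUSPICIOUS_FOR_VPN = {
    "android.permission.READ_SMS": "SMS content",
    "android.permission.RECEIVE_SMS": "SMS content",
    "android.permission.READ_CALL_LOG": "Call logs",
    "android.permission.READ_CONTACTS": "Contact lists",
    "android.permission.GET_ACCOUNTS": "Logged-in accounts",
    "android.permission.RECORD_AUDIO": "Microphone recordings",
    "android.permission.ACCESS_FINE_LOCATION": "Location information",
    "android.permission.ACCESS_COARSE_LOCATION": "Location information",
    "android.permission.READ_EXTERNAL_STORAGE": "Photos / files",
    "android.permission.READ_MEDIA_IMAGES": "Photos / files",
}

# Constructed manifest in the shape of a fake VPN that overreaches.
FAKE_VPN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <application android:label="Example VPN">
        <service android:name=".VpnCore"
            android:permission="android.permission.BIND_VPN_SERVICE">
            <intent-filter>
                <action android:name="android.net.VpnService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed manifest for a VPN client that requests only what it needs.
BENIGN_VPN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainvpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="Plain VPN">
        <service android:name=".Tunnel"
            android:permission="android.permission.BIND_VPN_SERVICE"/>
    </application>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")}


def declares_vpn_service(manifest_xml):
    """True if any <service> is guarded by BIND_VPN_SERVICE, i.e. the app
    actually implements an Android VpnService rather than just claiming to."""
    root = ET.fromstring(manifest_xml)
    return any(svc.get(PERM_ATTR) == "android.permission.BIND_VPN_SERVICE"
               for svc in root.iter("service"))


def triage_vpn_manifest(manifest_xml):
    """Summarise permission overreach for an app claiming to be a VPN."""
    perms = requested_permissions(manifest_xml)
    overreach = sorted((p, SUSPICIOUS_FOR_VPN[p])
                       for p in perms if p in SUSPICIOUS_FOR_VPN)
    return {
        "has_vpn_service": declares_vpn_service(manifest_xml),
        "overreach": overreach,
        "data_categories": sorted({cat for _, cat in overreach}),
        "verdict": "suspicious" if overreach else "consistent-with-vpn",
    }


if __name__ == "__main__":
    for label, manifest in (("fake", FAKE_VPN_MANIFEST),
                            ("benign", BENIGN_VPN_MANIFEST)):
        report = triage_vpn_manifest(manifest)
        print(f"{label}: {report['verdict']}, exposes {report['data_categories']}")
```

Run against an extracted manifest (for example the decoded output of apktool or aapt) the same function applies unchanged; the point of the contrast between the two constructed manifests is that both genuinely implement a VpnService, so the distinguishing signal is the extra data-access permissions, not the VPN claim itself.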
Overlapping Infrastructure and Broader Campaign
Lookout's analysis reveals that DCHSpy shares infrastructure with SandStrike, another Android surveillance tool previously used against Baháʼí practitioners. Both malware families leverage overlapping command-and-control servers and distribution methods, suggesting a coordinated and evolving cyberespionage campaign. This activity reflects a broader pattern of political targeting by Iranian advanced persistent threat groups, which are increasingly investing in custom-built mobile malware frameworks for intelligence gathering.
Persistent Threat and Ongoing Monitoring
The reappearance and enhancement of DCHSpy during the Israel-Iran conflict underscore MuddyWater's adaptability and broader intent to track, disrupt, and collect intelligence. Lookout continues to monitor 17 mobile malware families linked to at least ten Iranian APTs, emphasizing the persistent nature of these threats in the evolving geopolitical landscape.
As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.
Sources
Iranian hackers expand Android spyware campaign amid Middle East tensions, SiliconANGLE.
MuddyWater Upgrades Android Spy Tool For Wartime Espionage, Information Security Buzz.
Iran-Linked DCHSpy Android Malware Masquerades as VPN Apps to Spy on Dissidents, The Hacker News.
4 new Android spyware samples linked to Iran's intel agency, The Register.
New DCHSpy Android Malware Targets WhatsApp, Call Logs, Audio, and Photos, GBHackers News.