New Android spyware variants of DCHSpy tied to Iran’s Intelligence Agency.

Security researchers have discovered four new variants of an Android spyware family known as DCHSpy, which Lookout attributes to MuddyWater, an espionage group assessed to operate on behalf of Iran's Ministry of Intelligence and Security (MOIS).

Timeline and Discovery

In late June 2025, days after Israeli strikes on Iranian nuclear facilities, Lookout researchers identified four distinct samples of the surveillanceware posing as VPN applications, specifically as Earth VPN and as Comodo VPN (a legitimate brand the malware impersonates). The timing and the lures suggest a rapid response to the conflict, exploiting the confusion and the state-imposed information blackout that accompanied it.

The spyware-laden apps were primarily distributed via malicious links, often sent through messaging platforms like Telegram. Notably, one sample sought to entice victims using references to “Starlink”—the satellite internet service activated in Iran amid state-imposed connectivity blackouts—to heighten the perceived legitimacy and urgency of the application’s purpose.

Threat Capabilities

DCHSpy exhibits a broad range of invasive capabilities, including:

  • Harvesting WhatsApp messages and associated data
  • Accessing device accounts, contact lists, SMS messages, and stored files
  • Collecting device location data and call logs
  • Recording audio and capturing photos via commandeered access to on-board microphones and cameras
  • Searching the file system for files matching attacker-defined criteria and exfiltrating them to its command-and-control infrastructure

According to Lookout, the newest samples extend the capability set seen in earlier DCHSpy versions, notably with WhatsApp data and file collection, giving the operators near-complete visibility into a compromised device.
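The capability list above maps almost one-to-one onto Android runtime permissions that a genuine VPN client has no reason to request. The following triage script is an added example for this article, not Lookout's tooling and not derived from DCHSpy samples: it parses a decoded AndroidManifest.xml (as produced by apktool; the APK's own manifest is binary), checks whether the app actually declares a VPN service, and scores the declared permissions against the collection capabilities described above. Both manifests in the block are constructed for illustration, and the three-capability threshold is an arbitrary choice for demonstration.

```python
"""Permission triage for an app that claims to be a VPN client.

Added example, not from the original article or from Lookout. The manifests
below are constructed; the package names and threshold are assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a client that only tunnels traffic legitimately needs.
VPN_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.POST_NOTIFICATIONS",
}

# Permissions that map onto the surveillance capabilities described above.
SURVEILLANCE = {
    "android.permission.READ_SMS": "SMS collection",
    "android.permission.RECEIVE_SMS": "SMS collection",
    "android.permission.READ_CONTACTS": "contact list harvesting",
    "android.permission.READ_CALL_LOG": "call log collection",
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "location tracking",
    "android.permission.RECORD_AUDIO": "microphone recording",
    "android.permission.CAMERA": "photo capture",
    "android.permission.GET_ACCOUNTS": "device account enumeration",
    "android.permission.READ_EXTERNAL_STORAGE": "file access",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "file access",
}


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def declares_vpn_service(manifest_xml: str) -> bool:
    """True if some <service> is guarded by BIND_VPN_SERVICE, i.e. the app
    really can act as a VPN (a lure may still declare one, so this alone
    proves nothing)."""
    root = ET.fromstring(manifest_xml)
    return any(
        svc.get(ANDROID_NS + "permission") == "android.permission.BIND_VPN_SERVICE"
        for svc in root.iter("service")
    )


def triage(manifest_xml: str, threshold: int = 3) -> dict:
    """Score the manifest: which surveillance capabilities its permissions
    enable, which permissions fall outside the VPN baseline, and a verdict."""
    perms = declared_permissions(manifest_xml)
    suspicious = {p: SURVEILLANCE[p] for p in sorted(perms) if p in SURVEILLANCE}
    capabilities = sorted(set(suspicious.values()))
    return {
        "vpn_service": declares_vpn_service(manifest_xml),
        "outside_vpn_baseline": sorted(perms - VPN_BASELINE),
        "capabilities": capabilities,
        "verdict": "investigate" if len(capabilities) >= threshold else "baseline",
    }


# Constructed manifest of a lure: declares a VPN service but also every
# permission needed for the collection described in the article.
LURE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.lurevpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application>
        <service android:name=".TunnelService"
            android:permission="android.permission.BIND_VPN_SERVICE"/>
    </application>
</manifest>"""

# Constructed manifest of a client that only does what a VPN needs to do.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainvpn">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application>
        <service android:name=".TunnelService"
            android:permission="android.permission.BIND_VPN_SERVICE"/>
    </application>
</manifest>"""

if __name__ == "__main__":
    for label, manifest in (("lure", LURE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

Run it against the output of `apktool d sample.apk` by reading the decoded AndroidManifest.xml into `triage`. A "baseline" verdict does not clear an app (dynamic loading and accessibility-service abuse can bypass this check), but an "investigate" verdict on something marketed as a VPN is exactly the mismatch a user or reviewer should refuse to install.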

Attribution and Broader Context

The threat is chiefly attributed to MuddyWater, an advanced persistent threat (APT) group widely assessed to operate under Iran's MOIS. Active since at least 2017, MuddyWater has a history of targeting government, defense, telecommunications, energy, and private-sector organizations across the Middle East, Europe, Asia, Africa, and North America. The infrastructure behind DCHSpy overlaps with earlier Iranian mobile malware campaigns such as SandStrike, which also used fake VPN apps as lures, further supporting the attribution.

Targeted Audiences and Motivations

The latest campaign appears to be aimed at opponents of the Iranian government, dissidents, and anyone seeking uncensored access to information. By hiding the spyware inside VPN and utility applications, the operators exploit users' need for privacy and secure communications, a need that is most acute during state-mandated internet restrictions. The use of situational lures such as Starlink and VPN access shows deliberate, well-coordinated social engineering by Iranian-linked actors.
