MuddyWater Leveraging DCHSpy For Israel-Iran Conflict
Essential information
- Published
- 21/08/2025 16:16
- Modified
- 21/08/2025 19:57
- Tags
- 2025-08-21 android conflict dchspy iran israel sandstrike starlink surveillanceware telegram vpn
- Related entities
- 1 vulnerability (CVE), 23 observables, 1 intrusion set (APT), 2 malware, 9 others
Description
Iranian cyber espionage group MuddyWater, affiliated with Iran's Ministry of Intelligence and Security, is using DCHSpy, an Android surveillanceware tool, in the context of the Israel-Iran conflict. DCHSpy collects extensive data from infected devices, including WhatsApp data, accounts, contacts, SMS, files, location, and call logs, and can record audio and take photos. The malware is distributed through malicious VPN apps advertised on Telegram channels. Recent samples show new capabilities, including data exfiltration from specific files and from WhatsApp. The targeting may involve Starlink-related lures that exploit Iran's internet outage. DCHSpy shares infrastructure with SandStrike, another Android malware targeting Baháʼí practitioners.