In late June 2025, about a week after Israeli airstrikes struck Iran’s nuclear facilities, cybersecurity researchers uncovered a stealthy new threat on Iranian dissidents’ Android phones. Four new samples of the espionage malware known as DCHSpy have surfaced, disguised as innocuous VPN apps named Earth VPN and Comodo VPN. One tainted app even carried “Starlink” in its file name – a nod to SpaceX’s satellite internet service – hinting that the attackers exploited offers of satellite internet to lure victims during Iran’s government-imposed internet outages.
Security experts attribute DCHSpy to MuddyWater, a state-backed Iranian hacking group affiliated with Iran’s Ministry of Intelligence and Security (MOIS). The group – sanctioned by the U.S. government in 2022 for destructive cyberattacks on Albania – has a long history of spying on government and industry targets across the Middle East, Asia, Africa, Europe, and North America. With DCHSpy, MuddyWater has dramatically expanded its mobile surveillance arsenal. The spyware quietly harvests a victim’s account credentials, contacts, text messages, call logs, and stored files, all while continuously tracking the phone’s location. The malware also hijacks the phone’s microphone and camera to capture live audio and images, and it even fully extracts data from the victim’s WhatsApp chats and media archives.
Background – MuddyWater’s Espionage Operations
MuddyWater (tracked by various aliases like Static Kitten and SeedWorm) is a notorious Iranian advanced persistent threat (APT) group operating under MOIS. Active since at least 2018, the group specializes in cyber-espionage and has struck organizations in telecommunications, government, defense, and energy sectors across multiple regions. Its tactics often involve phishing and custom malware to infiltrate targets, and U.S. intelligence has explicitly linked MuddyWater to Iran’s state cyber operations.
DCHSpy first emerged in mid-2024 as one of MuddyWater’s mobile surveillance implants. MuddyWater initially distributed DCHSpy via Telegram channels catering to Persian- and English-speaking audiences opposed to the Iranian regime, posing as seemingly legitimate VPN apps such as a fake “Hide VPN” to lure users seeking uncensored internet access. Such social engineering suggests that the campaign was deliberately targeting dissidents, activists, and journalists from the outset.
Another clue tying DCHSpy to Iran’s security apparatus is its overlap with an earlier Android malware campaign known as SandStrike. SandStrike was exposed in late 2022, targeting Persian-speaking members of Iran’s Baháʼí minority by posing as a harmless VPN service, and it shares the same command-and-control infrastructure and tactics as DCHSpy. The common thread between SandStrike and DCHSpy is the use of Telegram-delivered fake VPN tools – a hallmark of MuddyWater’s playbook.
Advanced Surveillance Capabilities of DCHSpy
DCHSpy is a modular spyware designed to vacuum up virtually every piece of information on an infected device. Once installed, it systematically enumerates all user accounts on the phone, reads contact lists, intercepts SMS text messages, and accesses every file stored on the device. The malware logs the device’s GPS location data continuously and compiles detailed call history records. Notably, DCHSpy takes control of the phone’s microphone to record ambient audio secretly and hijacks the camera to capture photos or videos without the user’s knowledge.
In its latest iterations, DCHSpy gained two especially alarming new abilities. First, it now explicitly targets WhatsApp communications by extracting message databases and media straight from the app on the infected device. WhatsApp’s end-to-end encryption protects messages only between the sender’s and the recipient’s devices; once a message has been decrypted for display on the phone, an implant running on that phone can read it exactly as the user does. DCHSpy therefore never has to break the cryptography; it sidesteps it by collecting at the endpoint, which is precisely why state actors prize this kind of on-device access. Second, the spyware’s code was upgraded to scan the device for files or folders of interest (for example, documents or images related to political activities) and exfiltrate those along with the rest of the collected data. Together, WhatsApp collection and file hunting show that MuddyWater intends to capture the full scope of a victim’s communications and content rather than a few data streams.
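The capability list above maps almost one-to-one onto Android permissions that a VPN client has no business requesting, which gives a defender a cheap static check. The following Python script is an added editorial example, not code from Lookout or from the DCHSpy samples: it triages an app’s declared permission list against what a VPN client plausibly needs and labels each excess permission with the surveillance capability it would enable. The baseline set, the suspicion threshold and the two permission lists are assumptions constructed for the example; in practice the list comes from `aapt dump permissions app.apk` or androguard’s `APK.get_permissions()`.

```python
"""Permission-profile triage for a sideloaded Android app.

Added example, not code from Lookout or from the DCHSpy samples. The input
is the permission list a tool such as `aapt dump permissions app.apk` or
androguard's APK.get_permissions() produces; the lists at the bottom are
constructed for this example.
"""
from dataclasses import dataclass, field

# Assumption: a consumer VPN client needs roughly this set of uses-permissions.
# (BIND_VPN_SERVICE is declared on the service element, not as a uses-permission.)
VPN_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.POST_NOTIFICATIONS",
}

# Runtime ("dangerous") permissions, each mapped to the DCHSpy collection
# capability it would unlock. A permission must be declared in the manifest
# before the app can even prompt for it, so its presence is meaningful.
SENSITIVE = {
    "android.permission.GET_ACCOUNTS": "account enumeration",
    "android.permission.READ_CONTACTS": "contact list theft",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_CALL_LOG": "call history collection",
    "android.permission.ACCESS_FINE_LOCATION": "continuous GPS tracking",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "continuous GPS tracking",
    "android.permission.RECORD_AUDIO": "microphone capture",
    "android.permission.CAMERA": "camera capture",
    "android.permission.READ_EXTERNAL_STORAGE": "file and WhatsApp media access",
    "android.permission.MANAGE_EXTERNAL_STORAGE": "file and WhatsApp media access",
}


@dataclass
class Verdict:
    unexpected: dict = field(default_factory=dict)  # permission -> capability note
    capabilities: set = field(default_factory=set)   # distinct spyware capabilities
    suspicious: bool = False


def vet_permissions(declared, baseline=VPN_BASELINE, threshold=2):
    """Compare declared permissions with the baseline for the app's claimed role.

    threshold is the number of distinct surveillance capabilities that flips
    the verdict to suspicious. Assumption: 2 keeps a VPN that also asks for
    location, say, below the line while still catching a DCHSpy-style profile.
    """
    unexpected = {}
    for perm in sorted(set(declared) - set(baseline)):
        unexpected[perm] = SENSITIVE.get(perm, "outside baseline, review manually")
    caps = {SENSITIVE[p] for p in unexpected if p in SENSITIVE}
    return Verdict(unexpected=unexpected, capabilities=caps,
                   suspicious=len(caps) >= threshold)


# Constructed samples: a plausible real VPN client versus a trojanised one.
BENIGN_VPN = [
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.FOREGROUND_SERVICE",
    "android.permission.RECEIVE_BOOT_COMPLETED",
]
TROJANIZED_VPN = BENIGN_VPN + [
    "android.permission.GET_ACCOUNTS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
]

if __name__ == "__main__":
    for name, perms in (("benign", BENIGN_VPN), ("trojanised", TROJANIZED_VPN)):
        v = vet_permissions(perms)
        print(f"{name}: suspicious={v.suspicious}")
        for perm, note in v.unexpected.items():
            print(f"  {perm}: {note}")
```

The check is a heuristic, not proof: a benign app can over-request, and an implant can abuse an accessibility service or a device-admin grant rather than a dangerous permission. It is, however, a fast first filter for an app that arrived through a Telegram link rather than a store, and the mapping to capabilities tells the analyst what to look for next.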
Once DCHSpy has gathered data from the phone, it moves the haul to the attackers without alerting the victim. The malware compresses all stolen information into an archive, encrypts that archive with a password it receives from its command-and-control (C2) server, and uploads the result to an attacker-controlled Secure File Transfer Protocol (SFTP) server. Because the password is delivered at run time rather than embedded in the app, an analyst who holds only the APK or only a capture of the upload cannot open the archive; the operators alone hold the key, so the data stays unreadable even if the transfer is noticed. SFTP runs over SSH, which gives the operators a second layer of transport encryption and a reliable, resumable channel that resembles routine administrative traffic. That choice is also a weakness a defender can use: handsets rarely initiate SSH sessions, so a phone opening an SSH connection (TCP 22 by default) to an unfamiliar host and pushing far more data than it receives is a strong signal worth alerting on.
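The exfiltration pattern above suggests a network-side check for organisations that see their mobile fleet’s traffic. The following Python example is added here and is not detection content from Lookout’s report: it parses flow records, aggregates SSH sessions per handset and destination, and alerts when a handset uploads a large, heavily one-directional volume to a host outside an allowlist. The record layout, the asset classes, the allowlist and the thresholds are assumptions, and the sample flows are constructed using RFC 5737 documentation addresses.

```python
"""Flag SFTP-style exfiltration from handsets in network flow records.

Added example; not detection content from Lookout's report. The record
layout (ts,src,dst,dport,bytes_out,bytes_in,asset_class), the asset classes,
the allowlist and the thresholds are assumptions, and the sample flows are
constructed using RFC 5737 documentation addresses.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed flows: one handset contacts 203.0.113.77 over 443 (the C2
# hand-off), then pushes ~4 MB to the same host over SSH; a second handset
# talks to the allowlisted bastion; a laptop does ordinary admin SSH.
SAMPLE_FLOWS = """\
ts,src,dst,dport,bytes_out,bytes_in,asset_class
2025-06-24T10:01:05Z,10.20.0.14,203.0.113.9,443,18200,302100,android
2025-06-24T10:02:11Z,10.20.0.14,203.0.113.77,443,1400,2200,android
2025-06-24T10:02:40Z,10.20.0.14,203.0.113.77,22,9100,1200,android
2025-06-24T10:03:10Z,10.20.0.14,203.0.113.77,22,4190000,60500,android
2025-06-24T10:04:00Z,10.20.0.22,198.51.100.5,22,2600,3100,android
2025-06-24T10:05:00Z,10.20.0.31,198.51.100.5,22,52000,48000,laptop
2025-06-24T10:06:00Z,10.20.0.31,192.0.2.10,22,3300000,80000,laptop
"""

MOBILE_CLASSES = {"android", "ios"}
SSH_ALLOWLIST = {"198.51.100.5"}  # assumption: the organisation's bastion host


def parse_flows(text):
    """Parse CSV flow records into dicts with integer port and byte counters."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["dport"] = int(row["dport"])
        row["bytes_out"] = int(row["bytes_out"])
        row["bytes_in"] = int(row["bytes_in"])
        rows.append(row)
    return rows


def detect_mobile_sftp_exfil(flows, allowlist=SSH_ALLOWLIST,
                             min_upload=1_000_000, min_ratio=10.0):
    """Aggregate SSH flows per (handset, destination) and alert when the
    handset pushed at least min_upload bytes and sent min_ratio times more
    than it received. Both thresholds are assumptions to tune per fleet."""
    totals = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "flows": 0})
    for f in flows:
        if f["asset_class"] not in MOBILE_CLASSES or f["dport"] != 22:
            continue
        if f["dst"] in allowlist:
            continue
        t = totals[(f["src"], f["dst"])]
        t["bytes_out"] += f["bytes_out"]
        t["bytes_in"] += f["bytes_in"]
        t["flows"] += 1

    alerts = []
    for (src, dst), t in totals.items():
        ratio = t["bytes_out"] / max(t["bytes_in"], 1)
        if t["bytes_out"] >= min_upload and ratio >= min_ratio:
            alerts.append({"src": src, "dst": dst, "flows": t["flows"],
                           "bytes_out": t["bytes_out"], "ratio": round(ratio, 1)})
    return alerts


if __name__ == "__main__":
    for a in detect_mobile_sftp_exfil(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT handset {a['src']} -> {a['dst']}:22 "
              f"{a['bytes_out']} B up over {a['flows']} flows (ratio {a['ratio']})")
```

The rule deliberately ignores laptops, where outbound SSH is routine and needs a different baseline, and it keys on direction and volume rather than content, since both the SSH session and the archive inside it are encrypted. A useful enrichment is to join each alert with the handset’s preceding non-SSH contacts to the same destination, which in the constructed data would surface the 443 connection that precedes the upload.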
Distribution via Fake VPN and “Starlink” Apps
MuddyWater’s operators deliver DCHSpy through deception. They advertise the spyware in places where regime critics seek tools for secure internet access, then trick those users into installing it. In practice, this means the malicious APK files are promoted via Telegram channels that feature anti-regime or protest content, under the guise of free VPN or security apps. The threat actor created simple websites for their fake services – for example, “EarthVPN” and “ComodoVPN” – and even listed fake contact addresses in Canada and Romania to make them appear legitimate. Previous variants of DCHSpy were billed as “HideVPN,” mimicking a privacy app, and one newly discovered sample was pointedly named “Starlink VPN”, exploiting the buzz around SpaceX’s satellite internet being made available to Iranians during government blackouts. MuddyWater has also been known to disguise Android spyware as financial utilities (such as fake mobile banking apps) when targeting specific communities, showing flexibility in their lures.
The promotion of these trojanized apps often occurs in Telegram chat groups frequented by Iranian users seeking uncensored internet. Lookout researchers observed at least one Telegram channel actively distributing DCHSpy-laced VPN apps, with posts advertising the service as “used by activists and journalists all over the world” in order to build trust. The VPN branding is deliberate: VPNs are in high demand in Iran’s closed internet environment, making them an effective lure for the very users the regime wants to monitor. While Telegram has been a primary distribution platform, MuddyWater does not rely on it exclusively. Investigators note that the group could also send DCHSpy links via direct phishing messages – whether through email, SMS, or other messaging apps – to reach targets beyond Telegram channels. In all cases, the goal is to trick targets into installing an app they believe will improve their online freedom or security, when in fact it hands their device over to state surveillance.
Targeted Victims and Attack Context
The resurgence of DCHSpy in mid-2025 is no coincidence; it occurred amid a surge of geopolitical and domestic tensions in Iran. Just days after hostilities flared between Iran and Israel, Tehran imposed nationwide internet blackouts to control the flow of information. In response, SpaceX’s Starlink satellite internet was activated for Iranians as a workaround to get back online – a development MuddyWater quickly weaponized by pushing a fake “Starlink” VPN app laden with spyware. At the same time, Iran’s government was clamping down internally following a ceasefire, intensifying its surveillance of citizens under the pretext of security. The timing suggests that this environment drove the deployment of new DCHSpy versions – the regime was urgently seeking to spy on those it deemed threats during and after the conflict. Indeed, seeing four distinct DCHSpy samples appear within one week (when only 11 samples had been collected in total since 2021) is an anomaly that underscores how rapidly MuddyWater ramped up this campaign in response to unfolding events.
All evidence indicates that DCHSpy’s primary targets are individuals viewed as enemies of the Iranian regime. These include political dissidents, protest organizers, independent journalists, and possibly ethnic or religious minority activists who oppose the government. The Lookout team assessing DCHSpy concluded that the campaign is “targeting Iranian dissidents inside and outside of Iran, as well as activists and journalists.” In other words, the spyware is aimed at the very people most likely to download VPNs and anti-censorship tools. By offering a trojanized “free internet” app, MuddyWater ensures it is infecting precisely those users of interest to Iran’s intelligence services. The English-language outreach (for example, the fake ComodoVPN site claiming to be popular with activists worldwide) suggests the operation may also ensnare members of the Iranian diaspora or opposition groups abroad, not just users within Iran’s borders.
Security Implications and Warnings
The discovery of DCHSpy in the wild demonstrates the increasing scope and sophistication of state-sponsored surveillance campaigns. Iranian intelligence units are investing heavily in malware that can comprehensively monitor personal devices and communications. They piggyback on services that citizens genuinely need (like VPNs for uncensored internet) and turn essential online tools into Trojan horses. Anyone who unknowingly installs such a fake app is essentially handing Iran’s spies complete access to their private life – from their conversations and photos to their physical location and list of contacts.
For these reasons, cybersecurity experts urge extreme caution when downloading any utilities from unofficial or untrusted sources. VPN apps or “security” apps offered via random Telegram channels or social media links should never be trusted, regardless of how enticing the promise of free internet or anonymity may be. If you need a VPN or privacy tool, obtain it only from reputable providers and official app stores, and look at what the app asks for before granting anything: a VPN client that wants access to SMS, call logs, contacts, the microphone, the camera or your files is asking for far more than a VPN needs, and that mismatch is a warning sign on its own. The case of DCHSpy is a stark reminder that authoritarian regimes will go to great lengths – including weaponizing fake apps – to surveil their citizens and dissidents. Individuals at risk should remain vigilant about what they install, and organizations should educate their communities about these deceptive tactics. The simple act of downloading the wrong app can turn a smartphone into a gold mine of intelligence for a repressive government.
