Iran-Linked MuddyWater APT Deploys New DCHSpy Spyware Variants Amid Iran-Israel Conflict
TL;DR
The Iran-linked APT group MuddyWater has deployed new variants of the DCHSpy Android spyware, targeting Android users amid the ongoing conflict between Iran and Israel. This sophisticated malware is designed to steal sensitive data, including contacts, messages, audio, and WhatsApp data, and is often distributed through fake VPN apps on platforms like Telegram.
Iran-Linked APT MuddyWater Deploys New DCHSpy Spyware Variants
Researchers at Lookout have identified that the Iran-linked Advanced Persistent Threat (APT) group, MuddyWater, is actively deploying new variants of the DCHSpy Android spyware. This deployment is part of an ongoing campaign targeting Android users in the context of the escalating conflict between Iran and Israel.
MuddyWater: A History of Cyber Espionage
MuddyWater, also known as SeedWorm, TEMP.Zagros, and Static Kitten, first emerged in late 2017. The group initially targeted entities in the Middle East, including Saudi Arabia, Iraq, Israel, and the United Arab Emirates. Over the years, MuddyWater has expanded its operations, incorporating new attack techniques and broadening its target scope to include European and North American countries.
Key sectors targeted by MuddyWater include:
- Telecommunications
- Government IT Services
- Oil and Energy
In January 2022, the US Cyber Command officially linked MuddyWater to Iran’s Ministry of Intelligence and Security (MOIS) [1].
DCHSpy: A Sophisticated Spyware Tool
DCHSpy is a sophisticated Android spyware linked to Iran’s MuddyWater APT group. This malware is designed to steal sensitive information, including:
- Contacts
- Messages
- Audio recordings
- WhatsApp data
DCHSpy employs tactics similar to those seen in the SandStrike malware and has been active since 2024. Recent variants of DCHSpy have added capabilities to steal WhatsApp data and scan files, often delivered through Telegram links.
New DCHSpy Variants and Their Capabilities
Following Israel’s military strikes, Lookout researchers discovered new samples of DCHSpy. These variants include enhanced features for data exfiltration and surveillance. Notably, one fake VPN app posed as Starlink, likely exploiting recent interest in the service.
Key capabilities of the new DCHSpy variants include:
- Control of Microphone and Camera: Allows for comprehensive surveillance.
- Data Collection and Encryption: Collects data and encrypts it with a password sent from the command and control (C2) server.
- Data Upload via SFTP: Uploads encrypted data to a server following further C2 instructions.
Distribution Methods
MuddyWater distributes DCHSpy through fake VPN apps shared on Telegram. These apps often target English- and Farsi-speaking users with anti-regime themes. Initially using HideVPN, the group has now shifted to pushing EarthVPN and ComodoVPN, falsely claiming ties to Canada and Romania.
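A defender-side triage check that follows from the capability list and the fake-VPN lure described above, added here as an illustration and not code from Lookout or from the report: a genuine VPN client needs a VpnService and network access, but no reason to declare the microphone, camera, contacts, SMS or storage permissions that the reported DCHSpy features require. The two manifests are constructed samples, not real DCHSpy artifacts, and the threshold of two surveillance capabilities is an assumed heuristic.

```python
import re

# Constructed sample manifests (not real DCHSpy artifacts): a minimal VPN
# client and a "VPN" app that also asks for the surveillance permissions.
BENIGN_VPN = """<manifest>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
<service android:name=".TunService" android:permission="android.permission.BIND_VPN_SERVICE"/>
</manifest>"""

FAKE_VPN = """<manifest>
<uses-permission android:name="android.permission.INTERNET"/>
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.CAMERA"/>
<uses-permission android:name="android.permission.READ_CONTACTS"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
<service android:name=".TunService" android:permission="android.permission.BIND_VPN_SERVICE"/>
</manifest>"""

# Capabilities the report attributes to DCHSpy, mapped to the Android
# permissions an app must declare before it can exercise them.
CAPABILITY_PERMISSIONS = {
    "microphone": ["android.permission.RECORD_AUDIO"],
    "camera": ["android.permission.CAMERA"],
    "contacts": ["android.permission.READ_CONTACTS"],
    "messages": ["android.permission.READ_SMS", "android.permission.RECEIVE_SMS"],
    "file_scan": ["android.permission.READ_EXTERNAL_STORAGE",
                  "android.permission.MANAGE_EXTERNAL_STORAGE"],
}

_USES_PERM = re.compile(r'<uses-permission\s+android:name="([^"]+)"')
_VPN_SERVICE = re.compile(r'android:permission="android\.permission\.BIND_VPN_SERVICE"')

def declared_permissions(manifest_xml):
    """Names from every <uses-permission> element in a decoded manifest."""
    return set(_USES_PERM.findall(manifest_xml))

def spyware_capabilities(manifest_xml):
    """DCHSpy-style capabilities the declared permissions would enable."""
    perms = declared_permissions(manifest_xml)
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                  if perms & set(needed))

def triage_vpn_app(manifest_xml):
    """Flag an app that exposes a VpnService yet declares two or more surveillance capabilities."""
    caps = spyware_capabilities(manifest_xml)
    claims_vpn = _VPN_SERVICE.search(manifest_xml) is not None
    return {"claims_vpn": claims_vpn, "capabilities": caps,
            "suspicious": claims_vpn and len(caps) >= 2}
```

Run it against a manifest decoded from an APK (for example with apktool) to get a quick first-pass verdict before deeper analysis.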
Wider Context and Implications
Lookout has tracked 17 malware families from 10 different Iranian APTs over the past decade. Beyond DCHSpy, other notable tools include BouldSpy, a surveillance tool used by Iran’s law enforcement (FARAJA). These groups also leverage tools like Metasploit, AndroRat, and AhMyth in their campaigns.
The continued development and deployment of DCHSpy highlight the ongoing cyber espionage efforts by Iranian APT groups, particularly amid regional conflicts. Recent examples include the GuardZoo surveillanceware tied to the Houthis and campaigns targeting Assad’s forces in Syria using SpyMax malware.
Conclusion
The deployment of new DCHSpy variants by MuddyWater underscores the evolving threat landscape in cyber espionage. As geopolitical tensions rise, the use of sophisticated spyware to monitor and exfiltrate data from targeted individuals and groups is likely to increase. Organizations and individuals must remain vigilant and implement robust cybersecurity measures to protect against such threats.
References
[1] Pierluigi Paganini (2022). “US Cyber Command links MuddyWater APT to Iran’s MOIS”. Security Affairs. Retrieved 2025-07-21.