Threats Feed | MuddyWater | Last Updated: 29/07/2025 | Author: Certfa Radar | Publish Date: 21/07/2025

MuddyWater Deploys New Android Spyware Amid Israel-Iran Conflict

  • Actor Motivations: Espionage, Exfiltration
  • Attack Vectors: Spyware, Phishing
  • Attack Complexity: Medium
  • Threat Risk: Unknown

Threat Overview

Iranian APT group MuddyWater deployed new versions of its Android surveillanceware DCHSpy amid the Israel-Iran conflict, targeting individuals via politically themed lures such as fake Starlink VPN apps. Distributed through Telegram and disguised as legitimate VPN or banking apps, DCHSpy harvests sensitive data including WhatsApp messages, SMS, call logs, contacts, device location, and audio. The malware compresses and encrypts exfiltrated data before uploading it to an attacker-controlled SFTP server. DCHSpy shares infrastructure with SandStrike, a tool previously used to target Baháʼí practitioners. Sectors targeted include telecommunications, defense, local government, and oil and gas across the Middle East, Asia, Africa, Europe, and North America.

Detected Targets

Type    | Description | Confidence
Region  | Iran        | High

Extracted IOCs

  • n14mit69company[.]top
  • hs1.iphide[.]net
  • hs2.iphide[.]net
  • hs3.iphide[.]net
  • hs4.iphide[.]net
  • it1.comodo-vpn[.]com
  • r1.earthvpn[.]org
  • r2.earthvpn[.]org
  • 556d7ac665fa3cc6e56070641d4f0f5c36670d38
  • 67ab474e08890c266d242edaca7fab1b958d21d4
  • 6c291b3e90325bea8e64a82742747d6cdce22e5b
  • 7010e2b424eadfa261483ebb8d2cca4aac34670c
  • 7267f796581e4786dbc715c6d62747d27df09c61
  • 8f37a3e2017d543f4a788de3b05889e5e0bc4b06
  • 9dec46d71289710cd09582d84017718e0547f438
  • cb2ffe5accc89608828f5c1cd960d660aac2971d
  • f194259e435ff6f099557bb9675771470ab2a7e3
  • 185[.]203.119.134
  • 192[.]121.113.60
  • 194[.]26.213.176
  • 45[.]86.163.10
  • 46[.]30.188.243
  • 77[.]75.230.135
  • 79[.]132.128.81
  • hxxp://185[.]203.119.134/dp/dl[.]php
  • hxxp://192[.]121.113.60/dev/run[.]php
  • hxxp://194[.]26.213.176/class/mcrypt[.]php
  • hxxp://45[.]86.163.10/class/mcrypt[.]php
  • hxxp://46[.]30.188.243/class/mcrypt[.]php
  • hxxp://77[.]75.230.135/class/mcrypt[.]php
  • hxxp://79[.]132.128.81/dev/run[.]php
  • hxxps://hs1.iphide[.]net:751
  • hxxps://hs2.iphide[.]net:751
  • hxxps://hs3.iphide[.]net:751
  • hxxps://hs4.iphide[.]net:751
  • hxxps://it1.comodo-vpn[.]com:1950
  • hxxps://it1.comodo-vpn[.]com:1953
  • hxxps://r1.earthvpn[.]org:3413
  • hxxps://r2.earthvpn[.]org:3413

Tip: 39 related IOCs (7 IP, 8 domain, 15 URL, 0 email, 9 file hash) have been found for this threat. The file hashes are 40-character hex digests, i.e. SHA-1; the domain and IP indicators are defanged with "[.]" and the URLs with "hxxp"/"hxxps" and must be refanged before use in blocklists or detection rules.
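To turn the list above into something a SOC can run, here is an added example (not Certfa's or Lookout's tooling) that refangs the published indicators, buckets them by type (IP, domain, URL, SHA-1), and matches them against a handful of key=value log lines. The log lines, their field names (query, answer, dst, dport, url, sha1) and the "c2-port" weak-signal rule are assumptions made for illustration; the indicator values themselves are copied from the page (a representative subset of the URLs and hashes).

```python
"""Match the defanged IOCs published on this page against sample telemetry.

Added example for this page; not Certfa's or Lookout's code. IOCs are copied
from the page's list (subset) and refanged here. Log lines are constructed.
"""
import ipaddress
import re
from urllib.parse import urlparse

DEFANGED_IOCS = [
    # domains (all 8 from the page)
    "n14mit69company[.]top", "hs1.iphide[.]net", "hs2.iphide[.]net",
    "hs3.iphide[.]net", "hs4.iphide[.]net", "it1.comodo-vpn[.]com",
    "r1.earthvpn[.]org", "r2.earthvpn[.]org",
    # IPs (all 7 from the page)
    "185[.]203.119.134", "192[.]121.113.60", "194[.]26.213.176",
    "45[.]86.163.10", "46[.]30.188.243", "77[.]75.230.135", "79[.]132.128.81",
    # URLs (subset covering each observed C2 port)
    "hxxp://185[.]203.119.134/dp/dl[.]php",
    "hxxp://194[.]26.213.176/class/mcrypt[.]php",
    "hxxps://hs1.iphide[.]net:751",
    "hxxps://it1.comodo-vpn[.]com:1950",
    "hxxps://it1.comodo-vpn[.]com:1953",
    "hxxps://r1.earthvpn[.]org:3413",
    # SHA-1 file hashes (subset)
    "556d7ac665fa3cc6e56070641d4f0f5c36670d38",
    "cb2ffe5accc89608828f5c1cd960d660aac2971d",
]

# Constructed sample log lines (key=value style); not real telemetry.
SAMPLE_LOGS = [
    "2025-07-20T10:01:02Z dns query=hs2.iphide.net answer=46.30.188.243 client=10.0.0.7",
    "2025-07-20T10:01:05Z conn dst=46.30.188.243 dport=751 proto=tcp client=10.0.0.7",
    "2025-07-20T10:02:11Z http url=http://185.203.119.134/dp/dl.php client=10.0.0.9",
    "2025-07-20T10:03:00Z dns query=www.example.com answer=93.184.216.34 client=10.0.0.7",
    "2025-07-20T10:04:00Z file sha1=556D7AC665FA3CC6E56070641D4F0F5C36670D38 path=/sdcard/Download/starlink_vpn.apk client=10.0.0.7",
]

TOKEN_RE = re.compile(r"(\w+)=(\S+)")
HOST_KEYS = {"query", "host", "sni"}   # assumed field names
IP_KEYS = {"dst", "answer", "dst_ip"}
HASH_KEYS = {"sha1"}


def refang(ioc: str) -> str:
    """Undo the common defanging conventions: [.] -> . and hxxp(s) -> http(s)."""
    ioc = ioc.strip().replace("[.]", ".").replace("(.)", ".")
    ioc = re.sub(r"^hxxps://", "https://", ioc, flags=re.IGNORECASE)
    return re.sub(r"^hxxp://", "http://", ioc, flags=re.IGNORECASE)


def classify(ioc: str) -> str:
    """Bucket a refanged indicator as 'sha1', 'url', 'ip' or 'domain'."""
    if re.fullmatch(r"[0-9a-fA-F]{40}", ioc):
        return "sha1"
    if "://" in ioc:
        return "url"
    try:
        ipaddress.ip_address(ioc)
        return "ip"
    except ValueError:
        return "domain"


def build_index(defanged):
    """Refang and group IOCs; explicit URL ports are kept as a weak signal."""
    idx = {"ip": set(), "domain": set(), "url": set(), "sha1": set(), "port": set()}
    for raw in defanged:
        ioc = refang(raw).lower().rstrip("/")
        kind = classify(ioc)
        idx[kind].add(ioc)
        if kind == "url":
            u = urlparse(ioc)
            if u.port:  # only non-default ports (751, 1950, 1953, 3413)
                idx["port"].add(u.port)
    return idx


def scan(lines, idx):
    """Return (line_no, match_kind, value) for every indicator hit."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for key, value in TOKEN_RE.findall(line):
            v = value.lower().rstrip("/")
            if key in HOST_KEYS and v in idx["domain"]:
                hits.append((n, "domain", v))
            elif key in IP_KEYS and v in idx["ip"]:
                hits.append((n, "ip", v))
            elif key == "url":
                if v in idx["url"]:
                    hits.append((n, "url", v))
                else:  # fall back to the URL's host against domain/IP sets
                    h = urlparse(v).hostname
                    if h and (h in idx["domain"] or h in idx["ip"]):
                        hits.append((n, "url-host", h))
            elif key in HASH_KEYS and v in idx["sha1"]:
                hits.append((n, "sha1", v))
            elif key == "dport" and v.isdigit() and int(v) in idx["port"]:
                hits.append((n, "c2-port", v))  # weak signal: port only
    return hits


if __name__ == "__main__":
    for line_no, kind, val in scan(SAMPLE_LOGS, build_index(DEFANGED_IOCS)):
        print(f"line {line_no}: {kind} match on {val}")
```

The port-only rule is deliberately separate from the exact matches: a connection to 751/tcp or 3413/tcp is not evidence of DCHSpy on its own, but combined with a DNS lookup for one of the listed VPN-themed domains from the same client it is worth an alert. The hashes on the page are of APK files, so on an MDM-managed fleet the sha1 field would come from an inventory of installed or downloaded packages rather than from network logs.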

FAQs

FAQ: Understanding the DCHSpy Surveillance Campaign

A new wave of Android malware called DCHSpy was discovered being deployed by an Iranian hacking group. This malware targets mobile devices to secretly collect sensitive data.

The malware is linked to MuddyWater, a known Iranian cyber espionage group associated with Iran’s Ministry of Intelligence. They’ve previously launched similar attacks across multiple regions.

The purpose is surveillance. DCHSpy is used to spy on individuals by collecting private information like messages, call logs, and even turning on the microphone and camera without consent.

The malware targets individuals in the Middle East and beyond, particularly those using anti-regime apps or tools like VPNs, or who may be of strategic interest during conflicts.

The malware is disguised as fake VPN apps, including ones branded around Starlink internet services. These apps are shared via platforms like Telegram, where they appeal to users seeking secure or uncensored internet access.

These attacks intensified following the recent conflict between Israel and Iran, during which internet blackouts in Iran made Starlink a popular topic, which the attackers exploited as a lure.

Avoid downloading apps from unofficial sources such as Telegram channels. Use verified app stores and mobile security software that can detect surveillance tools. Be cautious of politically themed apps and of VPN or similar offers that seem unusually generous.

While the campaign is targeted, it affects a broad range of individuals, including activists, journalists, and regional opposition figures. The malware is built to quietly monitor anyone the attackers deem a threat.