
DCHSpy

DCHSpy is an Iranian Android surveillanceware operated by MuddyWater, an espionage group linked to Iran's Ministry of Intelligence and Security (MOIS). Lookout discovered DCHSpy in July 2025, identifying 11 samples dating back to 2021. The malware is distributed through fake VPN apps (Earth VPN, Comodo VPN, Hide VPN) and StarLink connectivity lures, exploiting Iranian internet outages to convince targets to sideload trojanized utilities. DCHSpy collects WhatsApp data, contacts, SMS, files, location, and call logs while also recording audio and capturing photos. All exfiltrated data is transmitted via encrypted SFTP channels. Activity surged in the wake of Israeli strikes on Iranian nuclear infrastructure, with four new samples appearing within a single week, confirming its role as a reactive intelligence collection tool deployed during periods of geopolitical escalation.

Overview

| Attribute | Details |
|---|---|
| First Seen | 2021 (earliest samples) |
| Status | Active, with surge in 2025 |
| Type | Surveillanceware, espionage |
| Aliases | None known |
| Attribution | MuddyWater (MOIS, Iran) |
| Distribution | Fake VPN apps, StarLink lures |

Origin and Lineage

Lookout's July 2025 analysis traced DCHSpy samples back to 2021, establishing a four-year operational history before public disclosure. The malware is attributed to MuddyWater, an Iranian state-sponsored group that operates under the authority of Iran's Ministry of Intelligence and Security. MuddyWater has historically focused on desktop-based espionage campaigns targeting government entities, telecommunications companies, and defense organizations across the Middle East. DCHSpy represents the group's Android surveillance capability, extending their collection into mobile devices carried by targets of interest.

The sustained development over four years with only 11 total samples indicates a highly targeted deployment model rather than mass distribution. This low sample volume is consistent with state-sponsored surveillance operations where each implant is delivered to a specific individual rather than cast broadly.

Distribution

| Vector | Details |
|---|---|
| Earth VPN | Fake VPN application impersonating a legitimate VPN service |
| Comodo VPN | Fake VPN application using the Comodo brand |
| Hide VPN | Fake VPN application promising anonymous browsing |
| StarLink lures | Fake satellite internet connectivity app exploiting Iranian internet outages |

DCHSpy's distribution strategy is tightly coupled to the Iranian domestic environment. Iran periodically restricts or shuts down internet access during protests, elections, and military escalations. During these outages, demand for VPN tools and alternative connectivity solutions surges as citizens and activists attempt to circumvent censorship. MuddyWater exploits this demand by distributing trojanized VPN apps and StarLink connectivity lures through channels likely including messaging platforms, social media, and direct delivery to targets.

The VPN lure pattern is particularly effective because targets already expect VPN apps to request broad device permissions (network access, background operation, storage). The StarLink lures appeared during periods when satellite internet was seen as a viable alternative to state-controlled infrastructure, making them credible to technically aware targets.

Capabilities

Core Features

| Capability | Implementation |
|---|---|
| WhatsApp data theft | Exfiltrates WhatsApp databases and media files |
| Contact exfiltration | Harvests the full contact list from the device |
| SMS collection | Reads and exfiltrates all text messages |
| File theft | Accesses and uploads files from device storage |
| Location tracking | Collects GPS coordinates and location data |
| Call log harvesting | Extracts call history with numbers, timestamps, and durations |
| Audio recording | Records ambient audio via the device microphone |
| Photo capture | Takes photos using device cameras |
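The capability table above, together with the observation in the Distribution section that VPN lures get away with requesting broad permissions, suggests a triage check a mobile security team can run before a sideloaded "VPN" app reaches a handset. The following is an added example, not code from Lookout or from any DCHSpy sample: it parses a decoded AndroidManifest.xml and flags an app that declares a VPN service yet requests the permissions needed for the collection capabilities listed here. The permission-to-capability mapping, the manifest, and the hit threshold are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded AndroidManifest.xml live in the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that map onto the DCHSpy capability table. A VPN client has no
# functional reason to request any of them (the mapping is this example's own).
SURVEILLANCE_PERMS = {
    "android.permission.READ_CONTACTS": "contact exfiltration",
    "android.permission.READ_SMS": "SMS collection",
    "android.permission.READ_CALL_LOG": "call log harvesting",
    "android.permission.RECORD_AUDIO": "audio recording",
    "android.permission.CAMERA": "photo capture",
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
    "android.permission.READ_EXTERNAL_STORAGE": "file theft / WhatsApp media",
}

def triage_vpn_manifest(manifest_xml: str, min_hits: int = 3) -> dict:
    """Report which surveillance permissions a self-described VPN app requests."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # A genuine VPN client exposes a service guarded by BIND_VPN_SERVICE. A lure can
    # declare one too, so this only confirms the "VPN" claim, not that the app is safe.
    declares_vpn_service = any(
        s.get(ANDROID_NS + "permission") == "android.permission.BIND_VPN_SERVICE"
        for s in root.iter("service")
    )
    hits = {p: SURVEILLANCE_PERMS[p] for p in requested if p in SURVEILLANCE_PERMS}
    return {
        "declares_vpn_service": declares_vpn_service,
        "surveillance_permissions": hits,
        "suspicious": len(hits) >= min_hits,
    }

# Constructed manifest for a hypothetical fake VPN app; not taken from any DCHSpy sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Example VPN">
    <service android:name=".VpnTunnelService"
             android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_vpn_manifest(SAMPLE_MANIFEST))
```

The check is a triage signal only: a legitimate VPN app bundled with extra features could request one or two of these permissions, which is why the decision uses a count rather than any single permission.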

Surveillance Focus

DCHSpy's capability set is optimized for intelligence collection against individuals rather than financial theft. The combination of WhatsApp data extraction, contact harvesting, and ambient audio recording provides operators with comprehensive visibility into a target's communications network, physical movements, and private conversations. WhatsApp is the dominant messaging platform in Iran and across the Middle East, making its data a high-priority collection target for understanding both personal and organizational communications.

Technical Details

SFTP Exfiltration

DCHSpy exfiltrates all collected data via encrypted SFTP (SSH File Transfer Protocol) rather than the HTTP-based channels used by most Android malware families. SFTP provides built-in encryption for data in transit, eliminating the need for a separate encryption layer within the malware itself. This choice also makes exfiltration traffic harder to distinguish from legitimate file transfer activity on the network.
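Because SFTP content is opaque on the wire, network detection of this exfiltration pattern has to lean on who talks to whom and how much leaves, rather than on payload inspection. The following is an added example, not code from Lookout or from the page's sources: it aggregates tcp/22 egress from a handset subnet per source/destination pair and flags pairs that exceed an upload-volume or session-count threshold, so that periodic small uploads are caught as well as one large transfer. The subnet, allowlist, thresholds and flow-record format are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed environment assumptions: the subnet managed handsets land on, the
# SSH/SFTP servers they are allowed to reach, and the volume worth an analyst's look.
MOBILE_NET = ip_network("10.50.0.0/16")
SSH_ALLOWLIST = {"10.1.8.20"}
UPLOAD_BYTES_THRESHOLD = 256 * 1024
SESSION_COUNT_THRESHOLD = 5

def parse_flow(line: str) -> dict:
    """Constructed flow-record format: ts,src,dst,dport,bytes_out."""
    ts, src, dst, dport, bytes_out = line.strip().split(",")
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "bytes_out": int(bytes_out)}

def find_mobile_ssh_egress(flow_lines) -> dict:
    """Sum tcp/22 egress from the handset subnet per (src, dst) pair and return
    the pairs that cross the byte or session thresholds."""
    totals = defaultdict(lambda: {"sessions": 0, "bytes_out": 0})
    for line in flow_lines:
        f = parse_flow(line)
        if f["dport"] != 22 or ip_address(f["src"]) not in MOBILE_NET:
            continue
        if f["dst"] in SSH_ALLOWLIST:
            continue
        agg = totals[(f["src"], f["dst"])]
        agg["sessions"] += 1
        agg["bytes_out"] += f["bytes_out"]
    return {pair: agg for pair, agg in totals.items()
            if agg["bytes_out"] >= UPLOAD_BYTES_THRESHOLD
            or agg["sessions"] >= SESSION_COUNT_THRESHOLD}

# Constructed flow records (ts,src,dst,dport,bytes_out); all addresses are placeholders.
SAMPLE_FLOWS = [
    "2025-07-01T08:00:00,10.50.3.17,10.1.8.20,22,40960",     # allowlisted server, ignored
    "2025-07-01T08:05:00,10.50.3.17,203.0.113.44,22,65536",
    "2025-07-01T09:05:00,10.50.3.17,203.0.113.44,22,98304",
    "2025-07-01T10:05:00,10.50.3.17,203.0.113.44,22,131072",
    "2025-07-01T10:06:00,10.50.3.17,203.0.113.44,443,2048",   # not SSH, ignored
    "2025-07-01T11:00:00,10.7.0.9,203.0.113.44,22,1048576",   # not a handset, ignored
    "2025-07-01T11:30:00,10.50.9.2,198.51.100.7,22,1024",     # one small session, below
]

if __name__ == "__main__":
    for (src, dst), agg in find_mobile_ssh_egress(SAMPLE_FLOWS).items():
        print(f"{src} -> {dst}: {agg['sessions']} SSH sessions, {agg['bytes_out']} bytes out")
```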

Low-Volume, High-Value Deployment

Lookout identified only 11 total samples across the entire four-year operational period, reinforcing the assessment that each deployment is carefully targeted. The appearance of four new samples within a single week following Israeli strikes on Iranian nuclear infrastructure demonstrates that MuddyWater can rapidly scale collection activity in response to geopolitical events, likely deploying to additional targets during periods when intelligence demand increases.

Target Regions

| Region | Details |
|---|---|
| Iran (domestic) | Primary target: dissidents, activists, journalists within Iran |
| Middle East (broader) | Secondary targeting aligned with MOIS intelligence priorities |

DCHSpy targets Iranian dissidents, activists, and journalists, groups that MuddyWater and MOIS consider threats to the Iranian state. The VPN and StarLink lures are specifically designed for an Iranian audience navigating government-imposed internet restrictions. The targeting of domestic populations for surveillance aligns with MOIS's dual foreign and domestic intelligence mandate.

Notable Campaigns

2021 to 2025: Lookout documented 11 samples spanning four years, distributed through fake VPN applications and StarLink lures. The sustained, low-volume campaign is consistent with targeted intelligence collection against specific individuals rather than broad-spectrum deployment.

2025 (post-Israeli strikes): Four new DCHSpy samples appeared within a single week following Israeli strikes on Iranian nuclear infrastructure. This surge in activity demonstrates the malware's use as a reactive intelligence tool, with MuddyWater deploying additional implants during a period of heightened geopolitical tension when monitoring dissidents and activists becomes a higher priority for the Iranian state.

| Family | Relationship |
|---|---|
| AridSpy | Both are state-sponsored Android surveillanceware targeting Middle Eastern populations. AridSpy (Arid Viper) uses trojanized messaging apps with a multistage architecture, while DCHSpy uses fake VPN lures with SFTP exfiltration. Both prioritize WhatsApp data and contact harvesting. |
| GuardZoo | Both are state-aligned Android surveillance tools operating in Middle Eastern conflict contexts. GuardZoo (Houthi-aligned) targets military personnel for GPS and mapping data, while DCHSpy targets civilian dissidents and activists for communications intelligence. |
| PJobRAT | Both distribute fake utility apps for espionage targeting specific regional populations. PJobRAT targeted Indian military personnel and later Taiwanese users with fake chat apps, while DCHSpy targets Iranian dissidents with fake VPN apps. Both prioritize messaging data extraction. |