Cybersecurity researchers have unearthed new Android spyware artifacts that are likely affiliated with the Iranian Ministry of Intelligence and Security (MOIS) and have been distributed to targets by masquerading as VPN apps and Starlink, a satellite internet connection service offered by SpaceX.
Mobile security vendor Lookout said it discovered four samples of a surveillanceware tool it tracks as DCHSpy one week after the onset of the Israel-Iran conflict last month. Exactly how many people may have installed these apps is not clear.
"DCHSpy collects WhatsApp data, accounts, contacts, SMS, files, location, and call logs, and can record audio and take photos," security researchers Alemdar Islamoglu and Justin Albrecht said.
First detected in July 2023, DCHSpy is assessed to be the handiwork of MuddyWater, an Iranian nation-state group tied to MOIS. The hacking crew is also called Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Seedworm, Static Kitten, TA450, and Yellow Nix.
Lookout said the Hide VPN sample containing the spyware was first discovered and acquired in July 2023, but noted the APK package metadata is corrupted, hindering any attempts to determine when the sample may have been actually developed and released in the wild. However, the signing certificate used indicates a "valid from" date of July 5, 2022.
"Since threat actors frequently reuse signing certificates across campaigns, it's possible that this sample was developed closer to the July 2023 timeframe and was packaged using a pre-existing certificate," Islamoglu told The Hacker News.
"This signing certificate is associated with several other DCHSpy samples all developed in 2023 or 2024, making it most likely that the Hide VPN sample was also developed later than the date listed for the signing certificate. The sample was uploaded to VirusTotal from a web user in Russia in July 2023."
Early iterations of DCHSPy have been identified targeting English and Farsi speakers via Telegram channels using themes that run counter to the Iranian regime. Given the use of VPN lures to advertise the malware, it's likely that dissidents, activists, and journalists are a target of the activity.
"Based on our analysis of acquired samples, the DCHSpy campaign appears to primarily target individuals with opposition perspectives to the Iranian government," Islamoglu said.
"It is distributed via legitimate-looking websites hosting the malicious applications, as well as Telegram channels which are used to promote the malicious apps with VPN, banking and political lures targeting English and Farsi speakers, and features themes and language consistent with views contrary to the Iranian regime."
It's suspected that the newly identified DCHSpy variants are being deployed against adversaries in the wake of the recent conflict in the region by passing them off as seemingly useful services like Earth VPN ("com.earth.earth_vpn"), Comodo VPN ("com.comodoapp.comodovpn"), and Hide VPN ("com.hv.hide_vpn").
Interestingly, one of the Earth VPN app samples has been found to be distributed in the form of APK files using the name "starlink_vpn(1.3.0)-3012 (1).apk," indicating that the malware is likely being spread to targets using Starlink-related lures.
It's worth noting that Starlink's satellite internet service was activated in Iran last month amid a government-imposed internet blackout. But, weeks later, the country's parliament voted to outlaw its use over unauthorized operations.
A modular trojan, DCHSpy is equipped to collect a wide range of data, including account signed-in to the device, contacts, SMS messages, call logs, files, location, ambient audio, photos, and WhatsApp information.
DCHSpy also shares infrastructure with another Android malware known as SandStrike, which was flagged by Kaspersky in November 2022 as targeting Persian-speaking individuals by posing as seemingly harmless VPN applications.
The discovery of DCHSpy is the latest instance of Android spyware that has been used to target individuals and entities in the Middle East. Other documented malware strains include AridSpy, BouldSpy, GuardZoo, RatMilad, and SpyNote.
"DCHSpy uses similar tactics and infrastructure as SandStrike," Lookout said. "It is distributed to targeted groups and individuals by leveraging malicious URLs shared directly over messaging apps such as Telegram."
"These most recent samples of DCHSpy indicate continued development and usage of the surveillanceware as the situation in the Middle East evolves, especially as Iran cracks down on its citizens following the ceasefire with Israel."
(The story was updated after publication on July 29, 2025, with additional insights from Lookout.)
