DCHSpy Mobile Malware
Cybersecurity researchers have recently uncovered a new wave of Android spyware artifacts, believed to be linked to the Iranian Ministry of Intelligence and Security (MOIS). The spyware, known as DCHSpy, is distributed by disguising itself as legitimate VPN services and even as Starlink, the satellite internet service operated by SpaceX. This campaign coincides with the heightened tensions following the Israel-Iran conflict in June 2025.
The Emergence of DCHSpy
Researchers first detected DCHSpy in July 2024. The tool is attributed to MuddyWater, a state-backed Iranian hacking group that operates under various aliases, including Boggy Serpens, Cobalt Ulster, Earth Vetala, ITG17, Mango Sandstorm (formerly Mercury), Seedworm, Static Kitten, TA450, and Yellow Nix.
Early versions of DCHSpy were identified targeting English and Farsi speakers through Telegram channels, using themes critical of the Iranian regime. The attackers primarily focused on dissidents, journalists, and activists by luring them with seemingly trustworthy VPN services.
Technical Capabilities of DCHSpy
DCHSpy is a modular trojan designed to harvest sensitive data from infected devices. Its capabilities include:
- Collecting WhatsApp data, contacts, SMS messages, and call logs
- Extracting accounts signed into the device
- Accessing files and location data
- Recording ambient audio and capturing photos
The malware is also capable of maintaining persistent surveillance on the victim, effectively transforming the compromised device into a spying tool.
Deceptive Distribution Tactics
The latest DCHSpy variants are being spread under the guise of popular VPN services, including:
- Earth VPN (com.earth.earth_vpn)
- Comodo VPN (com.comodoapp.comodovpn)
- Hide VPN (com.hv.hide_vpn)
A notable example is the Earth VPN sample, which was found circulating as an APK named 'starlink_vpn(1.3.0)-3012 (1).apk', indicating that attackers are using Starlink-related themes as lures.
The timing is strategic: Starlink's internet service was launched in Iran in June 2025 during a government-imposed internet blackout, and weeks later the Iranian parliament outlawed it as an unauthorized service, making it an attractive lure for targeted individuals seeking unrestricted connectivity.
Connections to Previous Campaigns
DCHSpy shares its infrastructure with SandStrike, another Android spyware flagged in November 2022 for targeting Persian speakers via fake VPN applications. Like SandStrike, DCHSpy is distributed using malicious URLs shared directly over messaging apps such as Telegram.
This new discovery adds DCHSpy to a growing list of spyware campaigns aimed at Middle Eastern targets, which already includes AridSpy, BouldSpy, GuardZoo, RatMilad, and SpyNote.
Escalation Amid Regional Conflicts
The resurgence of DCHSpy reflects an ongoing investment in espionage operations by Iranian-backed actors. Its deployment aligns with Iran's efforts to tighten control over information and monitor dissidents, especially following the recent ceasefire with Israel. The continuous development of such malware highlights the evolving nature of digital threats in the region.