{ "id": "3d93dde8-3d6e-4321-9c3e-6c36a48fe0fb", "created_at": "2026-04-06T00:14:31.221958Z", "updated_at": "2026-04-10T03:34:22.699596Z", "deleted_at": null, "sha1_hash": "ce41dbf8053d70f2e4018b525bf64a2285908096", "title": "Lookout Discovers MuddyWater Leveraging DCHSpy For Israel-Iran Conflict", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 948455, "plain_text": "Lookout Discovers MuddyWater Leveraging DCHSpy For Israel-Iran Conflict\r\nBy Lookout\r\nPublished: 2025-07-21 · Archived: 2026-04-05 12:52:11 UTC\r\nDCHSpy is an Android surveillanceware family that Lookout customers have been protected from since 2024. It is\r\nlikely developed and maintained by MuddyWater, which is a cyber espionage group believed to be affiliated with\r\nIran's Ministry of Intelligence and Security (MOIS). This group targets diverse government and private entities in\r\nvarious sectors, such as telecommunications, local government, defense, and oil and natural gas, across the Middle\r\nEast, Asia, Africa, Europe, and North America.\r\nIn light of the recent conflict in Iran, it appears that new versions of DCHSpy are being deployed against\r\nadversaries. It uses political lures and disguises as legitimate apps like VPNs or banking applications. This\r\nmodular malware collects the following data:  \r\nAccounts logged into on the device\r\nContacts\r\nSMS messages\r\nFiles stored on the device\r\nLocation data\r\nCall logs\r\nAudio by taking control of the microphone\r\nPhotos by taking control of the camera\r\nWhatsApp data\r\nDCHSpy shares infrastructure with another Android malware known as SandStrike, an Android surveillanceware\r\ntargeting Baháʼí practitioners originally reported publicly by Kaspersky in 2022. Lookout researchers discovered\r\nthat the hardcoded command and control (C2) IP address in the SandStrike sample was also used multiple times to\r\ndeploy a PowerShell RAT attributed to MuddyWater. Notably, the SandStrike sample also contained a malicious\r\nVPN configuration file tied to threat actor controlled infrastructure. \r\nDCHSpy uses similar tactics and infrastructure as SandStrike. It is distributed to targeted groups and individuals\r\nby leveraging malicious URLs shared directly over messaging apps such as Telegram. \r\nNew Capabilities, Targeting, and StarLink Lures\r\nAbout a week after Israel launched its initial strikes on Iranian nuclear infrastructure, Lookout acquired four new\r\nsamples of DCHSpy. These new samples show that MuddyWater has continued to develop the surveillanceware\r\nwith new capabilities - this time exhibiting the ability to identify and exfiltrate data from files of interest on the\r\ndevice as well as WhatsApp data. \r\nhttps://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware\r\nPage 1 of 5\n\nOne of the Earth VPN samples, SHA1:9dec46d71289710cd09582d84017718e0547f438, was uploaded with an\r\nAPK filename of starlink_vpn(1.3.0)-3012 (1).apk. This may indicate that DCHSpy VPN samples are also being\r\nspread with Starlink lures, especially given recent reports of Starlink offering internet services to the Iranian\r\npopulation during the internet outage imposed by the Iranian government following hostilities between Israel and\r\nIran.\r\nOnce data is collected off of an infected device, it is compressed and encrypted with a password it receives from\r\nthe command and control (C2) server. Following additional commands from the C2 server, the data is uploaded to\r\nthe destination Secure File Transfer Protocol (SFTP) server.\r\nParallel Tactics\r\nWhen Lookout first disclosed research on DCHSpy to its Threat Advisory Service customers, we highlighted that\r\nMuddyWater leveraged a malicious VPN app that was distributed via Telegram as these new samples are. The\r\nTelegram channels advertise the malicious VPN applications to English and Farsi speakers, and feature themes\r\nand language consistent with views contrary to the Iranian regime. In previous reporting, the threat actor\r\nadvertised HideVPN and led victims to the following webpage:\r\nhttps://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware\r\nPage 2 of 5\n\nThe malicious VPN distribution page from July 2024\r\nIn the discovery of this most recent version of DCHSpy, the actor is now advertising two malicious VPN services\r\ncalled EarthVPN and ComodoVPN. Below is an example of the ComodoVPN distribution page, which is a\r\nsimilarly simple webpage as we saw with the Hide VPN page above. Comodo VPN claims to be located in Canada\r\nand Earth VPN claims to be located in Romania. They list addresses and contact numbers from these countries\r\nwhich actually belong to random businesses in those respective countries.\r\nThe malicious VPN distribution page from June 2025, which is notably targeted at activists and\r\njournalists globally.\r\nhttps://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware\r\nPage 3 of 5\n\nContinued Observation and Research\r\nThreat actors tied to the Iranian government are no strangers in the mobile surveillanceware landscape. Lookout’s\r\nresearch team tracks 17 unique mobile malware families tied to at least 10 Iranian APTs with activity spanning\r\nover a decade, along with multiple campaigns conducted with commodity spyware such as Metasploit, AndroRat\r\nand AhMyth. In addition to this continued activity around DCHSpy, Lookout researchers also disclosed BouldSpy\r\nin 2023. At the time, BouldSpy was a novel Android surveillanceware tool used by the Law Enforcement\r\nCommand of the Islamic Republic of Iran (FARAJA). \r\nThese most recent samples of DCHSpy indicate continued development and usage of the surveillanceware as the\r\nsituation in the Middle East evolves, especially as Iran cracks down on its citizens following the ceasefire with\r\nIsrael. Lookout researchers have observed countless instances of nation-states monitoring threats to their authority\r\nand spying on enemy soldiers during times of conflict by quietly delivering malicious apps to their mobile devices\r\nthrough social engineering. Recent examples include the GuardZoo surveillanceware tied to the Houthis, an\r\nIranian proxy, and campaigns targeting Assad’s forces in Syria using the commodity malware SpyMax.\r\nLookout will continue to track MuddyWater’s activity and inform our threat intelligence customers of any relevant\r\nupdates. \r\nIndicators of Compromise (IoCs)\r\nSHA1s\r\n556d7ac665fa3cc6e56070641d4f0f5c36670d38\r\n7010e2b424eadfa261483ebb8d2cca4aac34670c\r\n8f37a3e2017d543f4a788de3b05889e5e0bc4b06\r\n9dec46d71289710cd09582d84017718e0547f438\r\n6c291b3e90325bea8e64a82742747d6cdce22e5b\r\n7267f796581e4786dbc715c6d62747d27df09c61\r\n67ab474e08890c266d242edaca7fab1b958d21d4\r\nf194259e435ff6f099557bb9675771470ab2a7e3\r\ncb2ffe5accc89608828f5c1cd960d660aac2971d\r\nCommand and Control:\r\nhttps://it1[.]comodo-vpn[.]com:1953\r\nhttps://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware\r\nPage 4 of 5\n\nhttps://it1[.]comodo-vpn[.]com:1950\r\nhttps://r1[.]earthvpn[.]org:3413\r\nhttps://r2[.]earthvpn[.]org:3413\r\nhttp://192.121.113[.]60/dev/run.php\r\nhttp://79.132.128[.]81/dev/run.php\r\nn14mit69company[.]top\r\nhttps://hs1.iphide[.]net:751\r\nhttps://hs2.iphide[.]net:751\r\nhttps://hs3.iphide[.]net:751\r\nhttps://hs4.iphide[.]net:751\r\nhttp://194.26.213[.]176/class/mcrypt.php\r\nhttp://45.86.163[.]10/class/mcrypt.php\r\nhttp://46.30.188[.]243/class/mcrypt.php\r\nhttp://77.75.230[.]135/class/mcrypt.php\r\nhttp://185.203.119[.]134/DP/dl.php\r\nSource: https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware\r\nhttps://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "MITRE", "ETDA" ], "references": [ "https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware" ], "report_names": [ "lookout-discovers-iranian-dchsy-surveillanceware" ], "threat_actors": [ { "id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b", "created_at": "2022-10-25T15:50:23.308924Z", "updated_at": "2026-04-10T02:00:05.298591Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "MuddyWater", "Earth Vetala", "Static Kitten", "Seedworm", "TEMP.Zagros", "Mango Sandstorm", "TA450" ], "source_name": "MITRE:MuddyWater", "tools": [ "STARWHALE", "POWERSTATS", "Out1", "PowerSploit", "Small Sieve", "Mori", "Mimikatz", "LaZagne", "PowGoop", "CrackMapExec", "ConnectWise", "SHARPSTATS", "RemoteUtilities", "Koadic" ], "source_id": "MITRE", "reports": null }, { "id": "2ed8d590-defa-4873-b2de-b75c9b30931e", "created_at": "2023-01-06T13:46:38.730137Z", "updated_at": "2026-04-10T02:00:03.08136Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "TEMP.Zagros", "Seedworm", "COBALT ULSTER", "G0069", "ATK51", "Mango Sandstorm", "TA450", "Static Kitten", "Boggy Serpens", "Earth Vetala" ], "source_name": "MISPGALAXY:MuddyWater", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "156b3bc5-14b7-48e1-b19d-23aa17492621", "created_at": "2025-08-07T02:03:24.793494Z", "updated_at": "2026-04-10T02:00:03.634641Z", "deleted_at": null, "main_name": "COBALT ULSTER", "aliases": [ "Boggy Serpens ", "ENT-11 ", "Earth Vetala ", "ITG17 ", "MERCURY ", "Mango Sandstorm ", "MuddyWater ", "STAC 1171 ", "Seedworm ", "Static Kitten ", "TA450 ", "TEMP.Zagros ", "UNC3313 ", "Yellow Nix " ], "source_name": "Secureworks:COBALT ULSTER", "tools": [ "CrackMapExec", "Empire", "FORELORD", "Koadic", "LaZagne", "Metasploit", "Mimikatz", "Plink", "PowerStats" ], "source_id": "Secureworks", "reports": null }, { "id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb", "created_at": "2022-10-25T16:07:23.880522Z", "updated_at": "2026-04-10T02:00:04.775749Z", "deleted_at": null, "main_name": "MuddyWater", "aliases": [ "ATK 51", "Boggy Serpens", "Cobalt Ulster", "G0069", "ITG17", "Mango Sandstorm", "MuddyWater", "Operation BlackWater", "Operation Earth Vetala", "Operation Quicksand", "Seedworm", "Static Kitten", "T-APT-14", "TA450", "TEMP.Zagros", "Yellow Nix" ], "source_name": "ETDA:MuddyWater", "tools": [ "Agentemis", "BugSleep", "CLOUDSTATS", "ChromeCookiesView", "Cobalt Strike", "CobaltStrike", "CrackMapExec", "DCHSpy", "DELPHSTATS", "EmPyre", "EmpireProject", "FruityC2", "Koadic", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "MZCookiesView", "Meterpreter", "Mimikatz", "MuddyC2Go", "MuddyRot", "Mudwater", "POWERSTATS", "PRB-Backdoor", "PhonyC2", "PowGoop", "PowerShell Empire", "PowerSploit", "Powermud", "QUADAGENT", "SHARPSTATS", "SSF", "Secure Socket Funneling", "Shootback", "Smbmap", "Valyria", "chrome-passwords", "cobeacon", "prb_backdoor" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434471, "ts_updated_at": 1775792062, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/ce41dbf8053d70f2e4018b525bf64a2285908096.pdf", "text": "https://archive.orkl.eu/ce41dbf8053d70f2e4018b525bf64a2285908096.txt", "img": "https://archive.orkl.eu/ce41dbf8053d70f2e4018b525bf64a2285908096.jpg" } }