MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict

Pierluigi Paganini, July 21, 2025

Iran-linked APT MuddyWater is deploying new DCHSpy spyware variants to target Android users amid the ongoing conflict with Israel.

Lookout researchers observed that the Iran-linked APT MuddyWater (aka SeedWorm, TEMP.Zagros, and Static Kitten) is deploying a new version of the DCHSpy Android spyware in the context of the Israel-Iran conflict.

The first MuddyWater campaign was observed in late 2017, when the APT group targeted entities in the Middle East.

Experts named the campaign “MuddyWater” due to the confusion surrounding the attribution of a wave of attacks carried out between February and October 2017. These attacks targeted entities in Saudi Arabia, Iraq, Israel, the United Arab Emirates, Georgia, India, Pakistan, Turkey, and the United States. Over the years, the group has evolved by adding new attack techniques to its arsenal and has also expanded its targeting to include European and North American countries.

The group’s victims are mainly in the telecommunications, government (IT services), and oil sectors.

In January 2022, US Cyber Command (USCYBERCOM) officially linked the MuddyWater APT group to Iran’s Ministry of Intelligence and Security (MOIS).

MuddyWater targets organizations in multiple sectors, including telecommunications, defense, local government, and oil and natural gas in Asia, Africa, Europe, and North America.

DCHSpy is Android spyware linked to Iran’s MuddyWater APT, targeting sectors like telecom, defense, and energy worldwide. The malicious code steals contacts, messages, audio, and WhatsApp data, and uses tactics seen in SandStrike malware. Active since 2024, it’s now resurfacing amid regional conflict, often delivered via Telegram links.

After Israel’s strikes, Lookout found new DCHSpy samples in which MuddyWater had added features to steal WhatsApp data and scan files. One fake VPN app posed as Starlink, likely to exploit recent interest in the service. The sample analyzed by the mobile security firm retains the earlier surveillance capabilities: it takes control of the microphone and camera, collects data, encrypts it with a password sent by the C2, and then uploads it via SFTP once the C2 issues further instructions.
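A defender-side triage check for the fake-VPN lure described above, added here as an example and not code from Lookout or the report: it flags an Android app that declares a VPN service while requesting permissions for the data categories the report names. The manifest is constructed, and the permission-to-capability mapping is an assumption.

```python
# Added defender-side triage example (not Lookout's code, no DCHSpy artifact):
# flag an app that advertises VPN functionality while requesting permissions
# for the data categories the report names. The permission mapping is an
# assumption; the manifest below is constructed.
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace

# Assumed capability each permission would enable; a VPN client needs none.
SURVEILLANCE_PERMS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "messages",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_EXTERNAL_STORAGE": "local files (WhatsApp media)",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Report surveillance-class permissions requested by a VPN-branded app."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    # A real VPN app must declare a service guarded by BIND_VPN_SERVICE.
    declares_vpn = any(
        s.get(A + "permission") == "android.permission.BIND_VPN_SERVICE"
        for s in root.iter("service")
    )
    hits = sorted(v for k, v in SURVEILLANCE_PERMS.items() if k in requested)
    return {
        "package": root.get("package"),
        "declares_vpn_service": declares_vpn,
        "surveillance_capabilities": hits,
        # Heuristic: VPN branding plus two or more surveillance permissions.
        "suspicious": declares_vpn and len(hits) >= 2,
    }

# Constructed manifest imitating a VPN lure that also wants spyware permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakevpn">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".TunnelService"
        android:permission="android.permission.BIND_VPN_SERVICE"/>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE_MANIFEST)` marks the constructed app as suspicious; a genuine VPN client requesting only INTERNET and the VPN service binding is not flagged.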


“Lookout researchers discovered that the hardcoded command and control (C2) IP address in the SandStrike sample was also used multiple times to deploy a PowerShell RAT attributed to MuddyWater. Notably, the SandStrike sample also contained a malicious VPN configuration file tied to threat actor controlled infrastructure.” reads the report published by Lookout. “DCHSpy uses similar tactics and infrastructure as SandStrike. It is distributed to targeted groups and individuals by leveraging malicious URLs shared directly over messaging apps such as Telegram.”

MuddyWater spreads DCHSpy via fake VPN apps shared on Telegram, targeting English- and Farsi-speaking users with anti-regime themes. Initially using HideVPN, the group now pushes EarthVPN and ComodoVPN, falsely claiming ties to Canada and Romania. The associated sites list fake contact information taken from unrelated businesses to appear legitimate.

Lookout has tracked 17 malware families from 10 different Iranian APTs over the past decade. Beyond DCHSpy, it also revealed BouldSpy in 2023, a surveillance tool used by Iran’s law enforcement (FARAJA). These groups also leverage tools such as Metasploit, AndroRat, and AhMyth in their campaigns.

“These most recent samples of DCHSpy indicate continued development and usage of the surveillanceware as the situation in the Middle East evolves, especially as Iran cracks down on its citizens following the ceasefire with Israel. Lookout researchers have observed countless instances of nation-states monitoring threats to their authority and spying on enemy soldiers during times of conflict by quietly delivering malicious apps to their mobile devices through social engineering.” concludes the report. “Recent examples include the GuardZoo surveillanceware tied to the Houthis, an Iranian proxy, and campaigns targeting Assad’s forces in Syria using the commodity malware SpyMax.”
