MuddyWater Leveraging DCHSpy For Israel-Iran Conflict

Aug. 21, 2025, 7:57 p.m.

Description

Iranian cyber espionage group MuddyWater, affiliated with Iran's Ministry of Intelligence and Security, is using DCHSpy, an Android surveillanceware tool, in the context of the Israel-Iran conflict. DCHSpy collects extensive data from infected devices, including WhatsApp data, accounts, contacts, SMS, files, location, and call logs, and can record audio and take photos. The malware is distributed through malicious VPN apps advertised on Telegram channels. Recent samples show new capabilities, including data exfiltration from specific files and from WhatsApp. The targeting may involve Starlink-related lures that exploit Iran's internet outage. DCHSpy shares infrastructure with SandStrike, another Android malware family targeting Baháʼí practitioners.

Date

  • Created: Aug. 21, 2025, 4:16 p.m.
  • Published: Aug. 21, 2025, 4:16 p.m.
  • Modified: Aug. 21, 2025, 7:57 p.m.

Indicators

  • aa656a243d2008327e06fd5bbad919eea99aa271132dbaeabb146e22effbfd1b
  • a4913f52bd90add74b796852e2a1d9acb1d6ecffe359b5710c59c82af59483ec
  • 55e8b2d87f80ba609dcf793afc50f66e5967e40dbf54229a256709fa348f3351
  • 422819e7f665ae0d411cf2a877a2f7b6721abb8df44df852d2d0e76eb74331b7
  • 3a052d56706a67f918ed3a9acec9a2da428a20065e261d8e40b73badb4c9d7f4
  • 162ce2ad2611626988c8520366f1f76feca2c75505a3686c955ecc25f4946442
  • 79.132.128.81
  • 46.30.188.243
  • https://r1.earthvpn.org:3413
  • https://r2.earthvpn.org:3413
  • https://it1.comodo-vpn.com:1953
  • https://it1.comodo-vpn.com:1950
  • https://hs4.iphide.net:751
  • https://hs3.iphide.net:751
  • https://hs2.iphide.net:751
  • https://hs1.iphide.net:751
  • http://79.132.128.81/dev/run.php
  • http://77.75.230.135/class/mcrypt.php
  • http://46.30.188.243/class/mcrypt.php
  • http://45.86.163.10/class/mcrypt.php
  • http://194.26.213.176/class/mcrypt.php
  • http://192.121.113.60/dev/run.php
  • n14mit69company.top

Attack Patterns

  • DCHSpy
  • SandStrike
  • MuddyWater

Additional Information

  • Energy
  • Defense
  • Telecommunications
  • Government
  • Central African Republic
  • South Africa
  • Iran, Islamic Republic of
  • Israel
  • United States of America

Linked vulnerabilities