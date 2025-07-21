Iranian hackers likely started a cyber espionage campaign just one week after the start of the Israel-Iran conflict in June.

In a new report published on July 21, cybersecurity firm Lookout shared findings about four new samples of DCHSpy, an Android surveillance tool leveraged by the Iranian cyber espionage group MuddyWater.

The new campaign appears to leverage lures centered around Starlink, the satellite internet service owned by Elon Musk’s SpaceX, to deploy the new DCHSpy versions.

Starlink offered internet access to Iranians during the imposed internet outage in July as a result of escalating hostilities between Iran and Israel.

Background on DCHSpy, a SandStrike Variant

DCHSpy is an Android surveillanceware family that has been active since at least 2024.

It shares infrastructure with another Android malware known as SandStrike, an Android surveillance tool first reported by Kaspersky in 2022 targeting practitioners of the Baháʼí Faith, a religion practiced in Iran and parts of the Middle East.

Like SandStrike, DCHSpy is likely developed and maintained by MuddyWater, an advanced persistent threat (APT) group believed to be affiliated with Iran's Ministry of Intelligence and Security.

DCHSpy typically uses political lures and disguises as legitimate apps, such as VPNs or banking applications.

DCHSpy, 2025 Version: New Lures, New Capabilities

While previous DCHSpy samples leveraged a seemingly legitimate VPN solution called HideVPN, the four new DCHSpy samples identified by Lookout impersonate two new VPN apps, EarthVPN and ComodoVPN.

The former claims to be a Romania-based VPN solution and the latter located in Canada.