- Researchers have found a new Spyware campaign mainly targeting Iranian Android VPN users
- DCHSPY is operated by the Iranian cyber-spying group Muddywater, which would have links with the Iranian Department of Intelligence and Security
- The campaign began a week after the start of the Israel-Iran conflict, while the VPN demand skyrocketed across the country
Researchers have discovered a new spy software campaign linked to Iran which mainly targets users of Android VPN.
The team of the security software supplier, Lookout, has found a new version of DCHSPY, Android spyware that emerges from legitimate VPN applications or other applications. This includes Starlink, a satellite internet connection service offered by SpaceX.
The malicious software campaign, according to experts’ conclusions, was deployed by the hacking group Muddywater only a week after the start of the Israeli -Iranian conflict – exactly when the VPN demand skyrocketed in Iran while citizens were looking for ways to bypass new Internet restrictions.
DCHSPY 2025 – What is the risk?
As Experts explain, DCHSPY is intrusive software that can collect sensitive user information such as WhatsApp data, contacts, SMS, files, location and call logs, while saving audio and taking photos.
Detected for the first time in July 2024, DCHSPY was maintained by Muddywater Hackers, a group that would have links with the Iranian Department of Intelligence and Security.
Experts have now discovered four new DCHSPY samples.
“These new samples show that Muddywater has continued to develop the surveillance software with new capacities – this time by showing the possibility of identifying and exfiltrating data from files of interest on the device as well as WhatsApp data,” explains Lookout.
More specifically, pirates seem to use two malicious VPN services, called Earthvpn and Comodovpn, as a means of disseminating malware.
HIDEVPN was another false VPN application previously used to deploy DCHSPY.
According to Iranian Information Security Analyst, Azam Jangrevi, the latest discoveries are a brutal reminder of how mobile surveillance is sophisticated and targeted.
“What is particularly worrying is its use of trust platforms like Telegram to distribute malicious APKs, often under the cover of tools intended to protect privacy,” Jangrevi in Techradar told.
The risk for Iranians is particularly high, since, as mentioned above, citizens have turned more and more to the best VPN applications as the Internet becomes more and more limited.
How to stay safe
Jangrevi recommends anyone who seeks to download a new VPN service, or any other application elsewhere, to be vigilant.
“Avoid downloading applications from unofficial sources, even if they seem to offer improved confidentiality. Get in the verified application stores, examine application authorizations and use mobile security solutions that can detect threats like DCHSPY,” said Jangrevi.
If you are in a high -risk region or profession such as journalism or activism, Jangrevi also suggests using encrypted hardware safety keys checked by independent researchers.
She said: “This incident highlights the need for greater awareness of mobile threat vectors and the importance of digital hygiene in an increasingly hostile cyber landscape.”
