Hackers believed to be affiliated with an Iranian intelligence agency are using a newly discovered strain of the DCHSpy malware to snoop on adversaries.  Researchers from the cybersecurity firm Lookout detected the latest version of DCHSpy one week after Israel’s June bombing campaign targeting Iran’s nuclear program began.  DCHSpy was first detected in 2024, but has since evolved and can now exfiltrate data from WhatsApp and files stored on devices, Lookout said.  The malware also collects contacts, SMS messages, location and call logs, and is able to use device cameras and microphones to take photos and record audio.

DCHSpy has rapidly progressed from a simple cyber threat to a serious espionage tool.  Its latest form, uncovered in the wake of heightened regional tensions, enables attackers to stealthily extract sensitive content not just from WhatsApp, but from a range of files stored on compromised devices. Researchers note that DCHSpy is engineered to harvest an array of information, including contacts, SMS, location data, and call logs, and can even surreptitiously activate cameras and microphones to capture photos and audio recordings.  The malware’s evolving capabilities highlight its role in sophisticated surveillance campaigns, reflecting the escalating technical prowess of state-aligned cyber actors in the region.[1]

The new versions of the malware, which is believed to be tied to the Iranian cyber espionage group MuddyWater, rely on political lures and use websites containing links to malicious VPN and banking apps, Lookout says.  One lure involved in the campaign centers on Starlink, which provided Iranians with web access after the country’s government imposed an internet blackout following Israel’s attacks.

Starlink is a satellite internet provider that gained prominence in Iran after providing citizens with alternative web access during state-imposed internet blackouts following Israeli attacks.  By referencing Starlink, bad actors exploit public interest and hope among Iranians for uncensored connectivity, using the topic as bait to entice targets into downloading malicious VPN and banking applications.  This social engineering tactic has proven effective in drawing in a broad spectrum of users seeking secure communication channels amid widespread censorship and surveillance efforts.

MuddyWater, which is thought to be linked to Iran's Ministry of Intelligence and Security (MOIS), distributes the malware using fake URLs in Telegram and other messaging app channels, drawing targets into a prepared website hosting the malicious applications, according to the new research.

MuddyWater, an espionage group widely believed to be affiliated with MOIS, has become infamous for its cyber operations targeting perceived adversaries of the Iranian regime. Employing sophisticated social engineering tactics, MuddyWater frequently leverages fake websites, phishing links, and malicious applications to infiltrate devices and exfiltrate sensitive data.  Their campaigns often focus on politically charged themes, using lures crafted in both English and Farsi to appeal to a wide range of targets, including activists and journalists around the globe. The group’s operations are distinguished by the use of advanced malware—such as the recently evolved DCHSpy—that is capable not only of extracting files and WhatsApp data, but also of accessing contacts, location data, call logs, and even activating device cameras and microphones. Through these methods, MuddyWater exemplifies the growing threat of state-backed cyber espionage in the modern geopolitical landscape.

The current communication lures are written in English and Farsi and focus on themes opposed by the Iranian regime.  Many of the targets are activists and journalists worldwide.

This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5207428251321676122

[1] https://therecord.media/malware-exfiltrates-whatsapp-iran-muddywater/