Invaders
Back to Blog
INVADERS
BlogGet Protected
  1. Home
  2. Blog
  3. Threat Hunting & Intel
  4. Iran-Linked Android Spyware Masquerading as VPN and Starlink Apps
Threat Hunting & Intel

Iran-Linked Android Spyware Masquerading as VPN and Starlink Apps

Lucas OliveiraLucas OliveiraResearch
August 12, 2025·4 min read

Summarize with:

ChatGPTClaudePerplexityGoogle AI
Iran-Linked Android Spyware Masquerading as VPN and Starlink Apps

Share

Recent cybersecurity investigations have unveiled DCHSpy, a sophisticated Android spyware campaign tied to Iran's Ministry of Intelligence and Security (MOIS). Masquerading as legitimate VPN tools and Starlink connectivity apps, this malware is engineered to infiltrate devices of individuals deemed adversaries of the Iranian regime.

Technical Attribution and Threat Actor

  • DCHSpy is attributed to the Iranian state-sponsored threat group MuddyWater, also known under aliases such as:

    • Boggy Serpens
    • Cobalt Ulster
    • Earth Vetala
    • ITG17
    • Mango Sandstorm / Mercury
    • Seedworm
    • Static Kitten
    • TA450
    • Yellow Nix
  • The spyware was first flagged by Lookout Security in July 2024, shortly after heightened tensions between Israel and Iran.

Attack Vectors and Target Demographics

Distribution Channels

  • DCHSpy spreads primarily via Telegram channels—bypassing traditional app store security.
  • The malware disguises itself as:
    • Earth VPN
    • Comodo VPN
    • Hide VPN
    • Starlink-branded APKs, such as starlink_vpn(1.3.0)-3012 (1).apk

Psychological Lures

  • Starlink branding exploits Iranian users' interest in unrestricted internet access following Starlink's brief activation and subsequent ban in the country.

Primary Targets

  • Farsi- and English-speaking users
  • Journalists, activists, and dissidents opposing Iranian government policies

Capabilities and Impact

DCHSpy is a modular Android trojan capable of extensive surveillance operations, including:

  • WhatsApp data extraction
  • Access to user accounts and contact lists
  • Harvesting SMS messages, call logs, and stored files
  • Real-time location tracking
  • Ambient audio recording and unauthorized photograph capture

Technical Parallels

  • Shares code and behavioral traits with SandStrike, a prior VPN-themed Android spyware discovered in 2022.

Regional Context and Ongoing Threats

The rise of DCHSpy aligns with escalating digital repression in Iran, following the Israel-Iran conflict and subsequent partial ceasefire.

Other Notable Android Spyware Campaigns in the Region:

  • AridSpy
  • BouldSpy
  • GuardZoo
  • RatMilad
  • SpyNote

This indicates a wider strategy of mobile surveillance targeting civil society actors across the Middle East.

Conclusion

The DCHSpy campaign exemplifies how nation-state actors exploit popular digital privacy tools to execute covert surveillance. By posing as VPN and Starlink apps, Iranian operatives are targeting vulnerable communities seeking secure communication.

User Recommendations:

  • Avoid downloading APKs from untrusted sources
  • Use official app stores only
  • Stay updated on security advisories
  • Leverage mobile security tools that detect sideloaded threats

FAQs

What is DCHSpy malware?

DCHSpy is Iranian-linked Android spyware disguised as VPN and Starlink apps, used for surveillance.

How does DCHSpy spread?

It is typically distributed via Telegram and sideloaded through malicious APK files.

Who is behind DCHSpy?

The malware is attributed to MuddyWater, a cyber-espionage group linked to Iran's Ministry of Intelligence and Security.

What can DCHSpy access on a phone?

It can extract contacts, WhatsApp data, SMS, call logs, photos, ambient audio, and GPS location.

How can I protect myself?

Use apps only from official sources, be wary of unexpected downloads, and install reputable mobile security software.

Tags:
cyberthreads
L

Written by

Lucas Oliveira

Research

A DevOps engineer and cybersecurity enthusiast with a passion for uncovering the latest in zero-day exploits, automation, and emerging tech. I write to share real-world insights from the trenches of IT and security, aiming to make complex topics more accessible and actionable. Whether I’m building tools, tracking threat actors, or experimenting with AI workflows, I’m always exploring new ways to stay one step ahead in today’s fast-moving digital landscape.

Hot TopicsLast 7 days
1
#Authentication Bypass
13p
2
#AI Security
11p
3
#Account Takeover
7p
4
#Active Exploitation
4p
5
#Access Control
3p
View all tags →
Categories14
All Articlesvulnerability36Threat Hunting & Intel20Cybercrime6Cloud & Application Security5
Stay Updated

Get the latest cybersecurity insights in your inbox.

You Might Also Like

More in Threat Hunting & Intel →
Oracle PeopleSoft alert follows breach claims at 100+ organizationsThreat Hunting & Intel

Oracle PeopleSoft alert follows breach claims at 100+ organizations

Oracle PeopleSoft alert follows breach claims at 100+ organizations Claims of mass compromise across Oracle PeopleSoft environments were already serious on June...

Lucas OliveiraJun 117m
LLMShare Turns Trusted AI Domains Into Malware Delivery InfrastructureThreat Hunting & Intel

LLMShare Turns Trusted AI Domains Into Malware Delivery Infrastructure

LLMShare Turns Trusted AI Domains Into Malware Delivery Infrastructure | 2026 Executive Summary Push Security disclosed a live campaign it tracks as LLMShare, w...

Lucas OliveiraJun 37m
GlassWorm takedown shows how developer malware becomes supply-chain riskThreat Hunting & Intel

GlassWorm takedown shows how developer malware becomes supply-chain risk

GlassWorm takedown shows how developer malware becomes supply-chain risk Executive Summary The coordinated disruption of GlassWorm on May 26, 2026 is useful bec...

Lucas OliveiraMay 306m
INVADERS

Providing enterprise-grade cybersecurity solutions to protect organizations from evolving digital threats.

FacebookTwitterLinkedIn

Services

  • Web App Vulnerability Reports
  • Threat Hunting & Intelligence
  • Cybercrime & APT Tracking
  • Incident Response & Remediation

Legal

  • Privacy Policy
  • Terms of Service
  • Cookie Policy
  • Security Policy

Company

  • About Us
  • Careers
  • Blog
  • Press

© 2026 Invaders Cybersecurity. All rights reserved.

PrivacyTermsCookies