Full Report
Researchers from the cybersecurity firm Lookout detected the latest version of DCHSpy one week after Israel’s June bombing campaign targeting Iran’s nuclear program began. DCHSpy was first detected in 2024, but has since evolved and can now exfiltrate data from WhatsApp and files stored on devices, Lookout said.
Analysis Summary
# Threat Actor: Unnamed Iranian Intelligence-Affiliated Actor (Associated with MuddyWater)
## Attribution & Identity
The actor is believed to be affiliated with an **Iranian intelligence agency** and is potentially tied to the Iranian cyber espionage group **MuddyWater**. MuddyWater is thought to be linked to **Iran's Ministry of Intelligence and Security (MOIS)**.
## Activity Summary
The activity involved the introduction of a newly discovered, evolved strain of the espionage malware **DCHSpy**, detected shortly after Israel’s June bombing campaign targeting Iran’s nuclear program commenced. The threat actor uses politically charged lures (written in English and Farsi) centered on themes opposed by the Iranian regime, such as the temporary internet access provided by Starlink during Iranian internet blackouts. These lures direct victims to websites hosting malicious VPN and banking applications disguised as legitimate tools.
## Tactics, Techniques & Procedures
- **Delivery Mechanism:** Distribution via fake URLs shared in **Telegram** and other messaging app channels.
- **Social Engineering:** Use of political lures focusing on resistance themes (e.g., Starlink access) to trick targets into downloading malicious applications.
- **Malicious Application Distribution:** Hosting malicious **VPN and banking apps** on compromised or crafted websites.
- **Data Exfiltration:** Specifically targeting and exfiltrating **WhatsApp data**.
- **Espionage Capabilities:** Collecting contacts, SMS messages, location data, call logs, and utilizing device cameras and microphones to capture photos and audio recordings.
## Targeting
- **Sectors:** Activists and journalists (the targeting implies individuals critical of the Iranian regime).
- **Geography:** Worldwide, focusing on opponents of the Iranian regime.
- **Victims:** Activists and journalists worldwide.
## Tools & Infrastructure
- **Malware Families Used:** **DCHSpy** (newly evolved strain, first detected in 2024).
- **Infrastructure (C2, domains, IPs):** Malicious websites hosting application installers, distributed via Telegram links (specific URLs and IPs are not given in the source report).
## Implications
This activity demonstrates a focused, post-geopolitical-event cyber espionage operation by an Iranian actor targeting dissidents and opponents outside Iran. The evolution of DCHSpy to specifically target WhatsApp data highlights a maturation in intelligence-gathering capabilities focused on highly sensitive communications. The use of timely political lures indicates sophisticated context-aware profiling of targets.
## Mitigations
- Exercise extreme caution when downloading VPNs or financial applications from links received through messaging apps, even if the context seems politically relevant or timely.
- Implement multi-factor authentication on critical messaging applications like WhatsApp.
- Maintain up-to-date anti-malware solutions capable of detecting mobile surveillanceware like DCHSpy.
- Educate potential high-risk targets (activists, journalists) about state-sponsored phishing lure techniques tied to current events.