MuddyWater Leveraging DCHSpy For Israel-Iran Conflict

Medium
Published: Thu Aug 21 2025 (08/21/2025, 16:16:28 UTC)
Source: AlienVault OTX General

Description

Iranian cyber espionage group MuddyWater, affiliated with Iran's Ministry of Intelligence and Security, is utilizing DCHSpy, an Android surveillanceware tool, in the context of the Israel-Iran conflict. DCHSpy collects extensive data from infected devices, including WhatsApp data, accounts, contacts, SMS, files, location, and call logs, and can record audio and take photos. The malware is distributed through malicious VPN apps advertised on Telegram channels. Recent samples show new capabilities, including data exfiltration from specific files and WhatsApp. The targeting may involve StarLink-related lures, exploiting Iran's internet outage. DCHSpy shares infrastructure with SandStrike, another Android malware targeting Baháʼí practitioners.

AI-Powered Analysis

Last updated: 08/21/2025, 19:49:41 UTC

Technical Analysis

MuddyWater, an Iranian cyber espionage group linked to Iran's Ministry of Intelligence and Security, is actively deploying a sophisticated Android surveillanceware tool known as DCHSpy amid the ongoing Israel-Iran conflict. DCHSpy is distributed primarily through malicious VPN applications promoted on Telegram channels, exploiting the trust users place in VPN services, especially in regions experiencing internet disruptions such as Iran. The malware is engineered to harvest a broad spectrum of sensitive data from infected Android devices, including WhatsApp messages and metadata, user accounts, contact lists, SMS messages, files, geolocation data, and call logs. Additionally, it possesses capabilities to record audio and capture photographs covertly, enabling comprehensive surveillance of targets. Recent variants of DCHSpy have enhanced data exfiltration features, specifically targeting certain files and WhatsApp data, indicating a focus on intercepting communication and sensitive information. The malware infrastructure overlaps with SandStrike, another Android malware targeting Bahá'í practitioners, suggesting shared development resources or operational coordination. The threat actor appears to be leveraging StarLink-related lures, capitalizing on Iran's internet outages to entice users into installing compromised VPN apps. The tactics, techniques, and procedures (TTPs) employed by MuddyWater align with several MITRE ATT&CK techniques, including spearphishing via social media (T1587.001), user execution (T1204.002), exploitation of remote services (T1608.001), and use of compromised infrastructure (T1583.001). This campaign represents a targeted espionage effort focused on Android users in conflict zones, aiming to gather intelligence through pervasive device surveillance.

Potential Impact

For European organizations, the direct operational impact of DCHSpy is currently limited due to its targeted nature focusing on the Israel-Iran conflict and Iranian users. However, the presence of such advanced surveillanceware highlights the evolving threat landscape where geopolitical conflicts drive sophisticated cyber espionage campaigns that could spill over or inspire similar attacks in Europe. European entities with personnel or assets in the Middle East, particularly those involved in diplomatic, defense, or intelligence sectors, may face indirect risks through compromised communications or data leakage. Additionally, the use of Telegram and malicious VPN apps as infection vectors underscores the risk to European users who rely on these platforms for secure communication, especially expatriates or diaspora communities connected to the region. The malware’s ability to exfiltrate sensitive communications and location data poses confidentiality and privacy risks, potentially enabling espionage or targeted attacks against individuals or organizations with European ties. Furthermore, the shared infrastructure with SandStrike suggests a broader campaign that could evolve to target other groups, including those in Europe, especially minority communities or activists. The exploitation of trust in VPN services and social media channels also signals a need for heightened vigilance among European users and organizations regarding supply chain and social engineering attacks.

Mitigation Recommendations

European organizations should implement targeted defenses against Android surveillanceware like DCHSpy by adopting the following measures:

1) Enforce strict mobile device management (MDM) policies that restrict installation of applications from unofficial sources and mandate the use of vetted VPN providers.
2) Educate users about the risks of downloading VPN apps or other software from untrusted Telegram channels or third-party app stores, emphasizing verification of app legitimacy.
3) Deploy advanced mobile threat defense (MTD) solutions capable of detecting and blocking surveillanceware behaviors such as unauthorized audio recording, camera access, and data exfiltration.
4) Monitor network traffic for unusual outbound connections, especially to known malicious infrastructure linked to MuddyWater and SandStrike.
5) Implement threat intelligence sharing with European cybersecurity centers to track emerging indicators of compromise related to DCHSpy and associated campaigns.
6) For organizations with personnel in or connected to the Middle East, conduct regular security awareness training focused on social engineering tactics used in conflict-driven espionage.
7) Encourage the use of end-to-end encrypted communication platforms with strong security postures and avoid reliance on potentially compromised VPN services.
8) Maintain up-to-date security patches on mobile devices and operating systems to reduce exploitation vectors.
9) Collaborate with law enforcement and cybersecurity agencies to report and analyze suspicious VPN apps and Telegram channels distributing malware.

Technical Details

Author
AlienVault
TLP
white
References
https://www.lookout.com/threat-intelligence/article/lookout-discovers-iranian-dchsy-surveillanceware
Adversary
MuddyWater
Pulse Id
68a7465ce5377b6e04b7d5aa
Threat Score
null

Indicators of Compromise

CVE

CVE-2025-4609

Hash


IP

46.30.188.243
79.132.128.81

URL


Domain

n14mit69company.top

Threat ID: 68a7745fad5a09ad00179d95

Added to database: 8/21/2025, 7:32:47 PM

Last enriched: 8/21/2025, 7:49:41 PM

Last updated: 8/22/2025, 4:18:09 AM
