Researchers discovered DCHSpy, a spyware potentially linked to the Iranian MOIS, that masquerades as VPN applications and Starlink to target specific individuals. This malware collects extensive data including WhatsApp data, contacts, SMS, files, and location, and can record audio and take photos. First detected in July 2024, its variants are believed to be aimed at dissidents in light of the recent Israel-Iran conflict. The malware has been observed utilizing names related to popular services to lure victims, particularly English and Farsi speakers.
DCHSpy collects WhatsApp data, accounts, contacts, SMS, files, location, and call logs, and can record audio and take photos.
Early iterations of DCHSpy have been identified targeting English and Farsi speakers via Telegram channels using themes that run counter to the Iranian regime.
The newly identified DCHSpy variants are suspected to be deployed against adversaries in the wake of the recent conflict in the region.
One of the Earth VPN app samples has been found to be distributed as an APK file named "starlink_vpn(1.3.0)-3012 (1).apk", indicating the malware is being spread using Starlink-related lures.