Four new samples of DCHSpy malware, disguised as Earth VPN and Comodo VPN apps, have been identified by Lookout security researchers. The samples emerged shortly after tensions between Iran and Israel escalated. The malware captures WhatsApp data, records audio and video, and searches files. Notably, one sample included 'Starlink' in its name, suggesting an attempt to exploit interest in SpaceX's satellite internet service to lure victims. Lookout attributes DCHSpy to MuddyWater, an Iranian espionage group that targets numerous sectors across several regions; the new samples indicate that surveillanceware development continues amid the Middle East conflict.
Lookout security researchers spotted four new DCHSpy malware samples, disguised as VPN apps called Earth VPN and Comodo VPN, beginning June 23, shortly after the Iran-Israel conflict began.
Finding 'Starlink' in the name of one of the Earth VPN samples is significant because it indicates that the operators may be using Starlink lures to entice victims into downloading DCHSpy.
Islamoglu stated that the recent DCHSpy samples show continued development and usage of surveillanceware, especially as Iran intensifies crackdowns on citizens following the ceasefire with Israel.
Lookout attributes DCHSpy to MuddyWater, an espionage group linked to Iran's MOIS, which was sanctioned by the US in 2022 for cyberattacks against Albania and other nations.