Cyber-security firm Lookout has identified four freshly built samples of the Android surveillanceware known as DCHSpy, linking them to Iran-backed hacking group MuddyWater. The new variants surfaced on 23 June, roughly a week after Israel’s strikes on Iranian facilities, and mark the most intensive wave of DCHSpy activity since the malware family was first spotted in 2024.

The spyware is masquerading as virtual-private-network applications EarthVPN and ComodoVPN and, in one case, carries the file name “starlink_vpn(1.3.0).apk,” hijacking interest in SpaceX’s Starlink service, which many Iranians use to bypass state censorship. Distribution is occurring largely through Telegram channels and other direct-message platforms. Once installed, DCHSpy gains extensive access to the device, siphoning WhatsApp messages, contacts, SMS texts, call logs, stored files and location data while covertly activating the microphone and camera for real-time surveillance. Stolen information is compressed, password-protected and exfiltrated to attacker-controlled servers via secure file-transfer protocols.

Lookout attributes the campaign to MuddyWater, an operation the U.S. has tied to Iran’s Ministry of Intelligence and Security, citing shared infrastructure with earlier malware such as SandStrike. Researchers say the new samples demonstrate continued investment in mobile espionage tools as Tehran tightens control at home and monitors regional adversaries. Security analysts warn activists, journalists and other high-risk users to obtain software only from official app stores and to verify VPN providers before installation.
Malicious Implants Are Coming to AI Components, Applications: https://t.co/8B4KRPhdds by darkreading #infosec #cybersecurity #technology #news
The UK's #cybersecurity agency, @NCSC, said Russia's APT 28 group, aka Fancy Bear, is using an infostealer specifically targeting Microsoft Windows systems, called “Authentic Antics.” #infosec #ITsecurity https://t.co/CaEAH2UVV4
MuddyWater deploys new DCHSpy variants amid Iran-Israel conflict: https://t.co/tgXdpsNHyI by Security Affairs #infosec #cybersecurity #technology #news