
S1243 DCHSpy

DCHSpy is an Android spyware likely used by MuddyWater. DCHSpy uses political decoys and masquerades as legitimate applications, such as VPNs and banking applications, to trick victims into downloading the malware. Once downloaded, DCHSpy collects information from the device and exfiltrates the data to the command and control (C2) server.[1]

ID: S1243
Associated Names:
Type: MALWARE
Version: 1.0
Created: 08 October 2025
Last Modified: 24 October 2025

Techniques Used

Domain ID Name Use
mobile T1437 Application Layer Protocol DCHSpy has uploaded collected data to a Secure File Transfer Protocol (SFTP) server.[1]
mobile T1532 Archive Collected Data DCHSpy has compressed and encrypted collected data with a password from the C2 server.[1]
mobile T1429 Audio Capture DCHSpy has captured audio from the device by taking control of the microphone.[1]
mobile T1533 Data from Local System DCHSpy has collected files of interest on the device, including WhatsApp files.[1]
mobile T1430 Location Tracking DCHSpy has collected location data.[1]
mobile T1655 Masquerading -
mobile T1655.001 Match Legitimate Name or Location DCHSpy has masqueraded as legitimate applications, such as VPN and banking applications.[1]
mobile T1636 Protected User Data -
mobile T1636.002 Call Log DCHSpy has accessed the device's call log.[1]
mobile T1636.003 Contact List DCHSpy has accessed the device's contact list.[1]
mobile T1636.004 SMS Messages DCHSpy has accessed the device's SMS messages, including messages that were in the inbox, sent, draft, outbox, failed, and queued.[1]
mobile T1636.005 Accounts DCHSpy has collected account names and their types from the device.[1]
mobile T1409 Stored Application Data DCHSpy has collected files of interest on the device, including WhatsApp files.[1]
mobile T1512 Video Capture DCHSpy has captured photos from the device by taking control of the camera.[1]

Groups That Use This Software

ID Name References
G0069 MuddyWater [1]

References