S1243: DCHSpy
DCHSpy is an Android spyware likely used by MuddyWater. DCHSpy uses political decoys and masquerades as legitimate applications, such as VPNs and banking applications, to trick victims into downloading the malware. Once downloaded, DCHSpy collects information from the device and exfiltrates the data to the command and control (C2) server.[1]
Analyst context for executives and security teams
DCHSpy matters because it is Android spyware that masquerades as legitimate-looking apps, including VPNs and banking applications, and is described by ATT&CK as collecting device information and exfiltrating it to a command-and-control server. For leaders, the practical issue is mobile trust: users may install an app that appears relevant or legitimate, while the organization loses visibility into sensitive communications, contacts, accounts, location, audio, video, SMS, call logs, and locally stored data.
Executive priority
Prioritize DCHSpy as a mobile security and incident-readiness concern where Android devices are used for executive communications, field operations, regulated data access, finance, defense, oil and gas, government, or other sensitive workflows. The ATT&CK relationship says DCHSpy is likely used by MuddyWater, and the related group description references targeting across government and private sectors. Executive questions should focus on whether mobile devices are managed, whether risky app installs are governed, whether mobile telemetry is available to the SOC, and whether IR can preserve and review Android evidence without relying only on endpoint controls built for desktops.
Technical view
ATT&CK provides no official detection text or tactics for DCHSpy, so defenders should validate coverage through the related techniques. On Android, review controls and telemetry for suspicious application masquerading, excessive or sensitive permissions, access to contacts, SMS, call logs, accounts, microphone, camera, location, local files, archived data, and outbound application-layer C2-style communications. Because DCHSpy is described as using political decoys and masquerading as VPN or banking apps, app identity, package metadata, install source, icon/name similarity, and permission behavior are important triage pivots.
Likely telemetry
- Android application inventory, package names, app labels, icons, signing/certificate metadata, versions, and install source
- Mobile device management or enterprise mobility management records for installed applications and permission grants
- Android permission usage or audit data for microphone, camera, location, contacts, SMS, call log, accounts, and storage access
- Network telemetry from mobile devices, including DNS, HTTP/S, proxy, VPN, and other application-layer protocol metadata where available
- Device file and storage access indicators, especially access to external storage or locally stored sensitive data
Detection direction
- Build detections around Android apps that combine masquerading indicators with high-risk permissions rather than treating any single permission as conclusive.
- Validate whether the SOC can see mobile app installs, permission changes, sensitive API use, and outbound network behavior; many organizations lack this telemetry for personal or lightly managed devices.
- Tune for false positives from legitimate VPN, banking, camera, recorder, messaging, and productivity apps by comparing publisher/signing metadata, expected install sources, business justification, and observed permission use.
- Use the relationship-driven technique set as a coverage checklist: Stored Application Data, Audio Capture, Location Tracking, Application Layer Protocol, Video Capture, Archive Collected Data, Data from Local System, Call Log, Contact List, SMS Messages, Accounts, and Match Legitimate Name or Location.
- For incident response, preserve app metadata, permission state, relevant network history, and user-install context before removing the application, because ATT&CK does not provide a ready-made detection analytic for this malware.
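The telemetry list and detection direction above both come down to one triage rule: an app is interesting when masquerading indicators and a broad sensitive-permission set co-occur, not when either appears alone. The following is an added example of that logic written for this page; it is not Glexia, MITRE or Lookout code. It scores constructed Android inventory records (package, label, signer fingerprint, installer, granted permissions) against an assumed organization allowlist of expected apps, and maps granted permissions to the technique IDs in the table further down this page. The Play Store installer package name is real; every signer value, package name other than that, and the enterprise store name are constructed placeholders.

```python
"""Triage of Android app inventory: masquerading plus high-risk permissions.

Added example for this page, not Glexia's or MITRE's code. Package names,
signer fingerprints and the expected-app allowlist are constructed sample
data standing in for an organization's MDM/EMM records.
"""
from dataclasses import dataclass, field
import re

# Android runtime permissions mapped to the ATT&CK mobile techniques listed on
# this page (which granted permission enables which collection behaviour).
PERMISSION_TECHNIQUES = {
    "android.permission.READ_CONTACTS": "T1636.003",        # Contact List
    "android.permission.READ_SMS": "T1636.004",             # SMS Messages
    "android.permission.READ_CALL_LOG": "T1636.002",        # Call Log
    "android.permission.GET_ACCOUNTS": "T1636.005",         # Accounts
    "android.permission.RECORD_AUDIO": "T1429",             # Audio Capture
    "android.permission.CAMERA": "T1512",                   # Video Capture
    "android.permission.ACCESS_FINE_LOCATION": "T1430",     # Location Tracking
    "android.permission.READ_EXTERNAL_STORAGE": "T1533",    # Data from Local System
}

# Installer packages treated as governed. com.android.vending is the Play
# Store; corp.mdm.store is a constructed placeholder for an enterprise store.
TRUSTED_INSTALLERS = {"com.android.vending", "corp.mdm.store"}

# Decoy themes the page calls out; a weak signal used only for ungoverned installs.
DECOY_KEYWORDS = ("vpn", "bank")


@dataclass
class App:
    package: str
    label: str
    signer: str          # signing-certificate fingerprint as reported by MDM
    installer: str       # installer package name reported by the device
    permissions: list = field(default_factory=list)


@dataclass
class Expected:
    """An app the organization knows: its real package and signer."""
    package: str
    signer: str


def _norm(label):
    """Normalize a display label so 'Corp VPN' and 'corp-vpn' compare equal."""
    return re.sub(r"[^a-z0-9]", "", label.lower())


def masquerade_indicators(app, expected_by_label):
    """Return the masquerading indicators found for one inventory record."""
    hits = []
    known = expected_by_label.get(_norm(app.label))
    if known:
        if app.package != known.package:
            hits.append("label matches expected app but package differs")
        elif app.signer != known.signer:
            hits.append("package matches expected app but signer differs")
    if app.installer not in TRUSTED_INSTALLERS and any(
            k in app.label.lower() for k in DECOY_KEYWORDS):
        hits.append("VPN/banking-themed label from an ungoverned installer")
    return hits


def techniques_enabled(app):
    """ATT&CK technique IDs the app's granted permissions could support."""
    return sorted({PERMISSION_TECHNIQUES[p] for p in app.permissions
                   if p in PERMISSION_TECHNIQUES})


def triage(app, expected_by_label, min_techniques=3):
    """Alert only when masquerading and a broad sensitive-permission set co-occur."""
    hits = masquerade_indicators(app, expected_by_label)
    techs = techniques_enabled(app)
    return {"package": app.package, "masquerade": hits, "techniques": techs,
            "alert": bool(hits) and len(techs) >= min_techniques}


# Constructed sample allowlist and inventory.
EXPECTED = {_norm("Corp VPN"): Expected("com.example.corpvpn", "sha256:1111"),
            _norm("Team Chat"): Expected("com.example.teamchat", "sha256:2222")}
SENSITIVE = list(PERMISSION_TECHNIQUES)
INVENTORY = [
    App("com.example.corpvpn", "Corp VPN", "sha256:1111", "com.android.vending",
        ["android.permission.INTERNET"]),                  # expected VPN client
    App("com.example.teamchat", "Team Chat", "sha256:2222", "com.android.vending",
        SENSITIVE),                  # legitimate app with broad permissions
    App("com.free.securevpn", "Corp VPN", "sha256:9999", "com.browser.download",
        SENSITIVE),                  # impostor: same label, other package, sideloaded
]


def run(inventory=INVENTORY, expected=EXPECTED):
    return [triage(a, expected) for a in inventory]


if __name__ == "__main__":
    for result in run():
        print(result)
```

The second record shows the false-positive tuning the page asks for: a known messaging app with every sensitive permission is not flagged, because its label, package, signer and installer all agree with the allowlist. The third record is flagged on two masquerade indicators plus eight enabled techniques, and the returned technique list doubles as the coverage checklist for the investigation.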
Mitigation priorities
- Enforce managed Android app installation policies for corporate devices, with special scrutiny for apps posing as VPNs, banking apps, or other trusted services.
- Require review and least-privilege handling of sensitive mobile permissions such as microphone, camera, location, contacts, SMS, call logs, accounts, and storage.
- Maintain mobile device inventory and ensure high-risk users and sensitive operational roles are covered by mobile management and monitoring, not just desktop EDR.
- Educate users to report politically themed decoys or unexpected prompts to install VPN or banking applications, while avoiding reliance on awareness alone.
- Prepare mobile IR procedures for collection, containment, and evidence review of Android devices, including cases where data may already have been archived and exfiltrated over common application-layer protocols.
Analyst notes and limits
This take is based on ATT&CK S1243 DCHSpy, its official description, the Lookout external reference listed by MITRE, and ATT&CK relationships showing likely use by MuddyWater and use of multiple Android-relevant mobile techniques. The strongest defensive value is using the related techniques as a practical validation map for mobile telemetry and controls.
ATT&CK provides no official detection guidance, no tactics, no aliases, and no labels for this object. The supplied data supports Android only. Local risk depends on whether Android devices are used for sensitive work, how tightly apps and permissions are managed, and what mobile telemetry is actually available to security teams.
DCHSpy
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1636.003 | Contact List (sub-technique) | DCHSpy has accessed the device’s contact list. [1] |
| Mobile | T1512 | Video Capture | DCHSpy has captured photos from the device by taking control of the camera. [1] |
| Mobile | T1430 | Location Tracking | DCHSpy has collected location data. [1] |
| Mobile | T1429 | Audio Capture | DCHSpy has captured audio from the device by taking control of the microphone. [1] |
| Mobile | T1636.004 | SMS Messages (sub-technique) | DCHSpy has accessed the device’s SMS messages, including messages that were in the inbox, sent, draft, outbox, failed, and queued. [1] |
| Mobile | T1437 | Application Layer Protocol | DCHSpy has uploaded collected data to a Secure File Transfer Protocol (SFTP) server. [1] |
| Mobile | T1409 | Stored Application Data | DCHSpy has collected files of interest on the device, including WhatsApp files. [1] |
| Mobile | T1532 | Archive Collected Data | DCHSpy has compressed and encrypted collected data with a password from the C2 server. [1] |
| Mobile | T1636.005 | Accounts (sub-technique) | DCHSpy has collected account names and their types from the device. [1] |
| Mobile | T1636.002 | Call Log (sub-technique) | DCHSpy has accessed the device’s call log. [1] |
| Mobile | T1533 | Data from Local System | DCHSpy has collected files of interest on the device, including WhatsApp files. [1] |
| Mobile | T1655.001 | Match Legitimate Name or Location (sub-technique) | DCHSpy has masqueraded as legitimate applications, such as VPN and banking applications. [1] |
Groups, software, and campaigns
G0069: MuddyWater
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. [2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e311c4834227… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Lookout_DCHSpy_July2025: Albrecht, J., Islamoglu, A. (2025, July 21). Lookout Discovers Iranian APT MuddyWater Leveraging DCHSpy During Israel-Iran Conflict. Retrieved September 19, 2025.
[2] mitre-attack: S1243 (MITRE ATT&CK source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.