Static Kitten Observed Using DCHSpy Android Malware

Written by The Hivemind | Aug 1, 2025 5:17:27 PM

Verticals Targeted: None specified
Regions Targeted: Iran, Middle East
Related Families: None specified

Executive Summary

DCHSpy is an Android surveillanceware linked to Iran’s Static Kitten group, targeting Iranian users with fake VPN and Starlink apps to steal sensitive data amid regional conflict. This malware, active since October 2023, exploits social engineering to access WhatsApp, location data, and personal files.

Key Takeaways

  • DCHSpy, attributed to Iran’s Static Kitten, uses deceptive VPN and Starlink-themed apps to target Iranian mobile users.  
  • The malware exfiltrates sensitive data, including WhatsApp messages, location, photos, and call logs.  
  • The campaign leverages phishing and social engineering, with lures mimicking legitimate services like Starlink.  
  • Observed samples show enhanced capabilities post-October 2023, aligning with the onset of regional conflict.  

What is DCHSpy?

Lookout’s Threat Intelligence team uncovered DCHSpy, a sophisticated Android surveillanceware attributed to Static Kitten, a threat group linked to Iran’s Ministry of Intelligence and Security (MOIS). This malware, active amid heightened regional tensions following the onset of conflict with Israel, targets Iranian mobile users through deceptive applications masquerading as VPNs and Starlink services. The campaign employs social engineering to trick users into installing malicious APKs, enabling extensive data exfiltration from compromised devices.

DCHSpy’s primary infection vector involves phishing campaigns that distribute fake apps via Telegram channels and actor-controlled websites. These apps, often branded as VPNs or Starlink services, exploit the demand for unrestricted internet access in Iran, where censorship is prevalent. Lookout identified four new samples, with enhanced capabilities compared to earlier iterations, suggesting active development in response to geopolitical events. The malware’s lures are tailored to deceive users seeking secure communication or internet access, a tactic consistent with Static Kitten’s playbook of exploiting regional instability.  

Once installed, DCHSpy requests extensive permissions to access sensitive device functions. It can exfiltrate WhatsApp messages, call logs, photos, videos, contacts, and precise location data. The malware also captures screenshots, records audio via the device’s microphone, and monitors browser activity. Its command-and-control (C2) infrastructure, primarily hosted on Iranian IP ranges, facilitates data collection and remote control. Analysis of the samples reveals hardcoded C2 domains and unencrypted traffic, indicating moderate operational security, though the malware’s effectiveness lies in its targeted social engineering.  

The campaign’s timing, coinciding with the Israel-Iran conflict, suggests a strategic focus on surveilling domestic users, possibly to monitor dissent or gather intelligence. The use of Starlink-themed lures is particularly notable, as it capitalizes on the service’s appeal in regions with restricted internet access. This aligns with Static Kitten’s history of leveraging topical lures to maximize victim engagement.  

DCHSpy does not appear to exploit specific CVEs, relying instead on user interaction to gain access. The absence of these apps on the Google Play Store underscores the role of sideloading and third-party distribution channels in the campaign’s success. Organizations and individuals in the region should exercise caution with unsolicited app download links, particularly those promoted via social media or messaging platforms. The malware’s reliance on hardcoded infrastructure suggests potential for tracking and disruption.   
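The fake-VPN lure described above gives defenders a simple triage signal: a real VPN client only needs to tunnel traffic, so an app that calls itself a VPN yet requests the permissions behind the data DCHSpy collects (call logs, contacts, location, microphone, files) is out of scope for its claimed purpose. The following Python script is an added example, not Lookout's or PolySwarm's tooling; it parses an AndroidManifest.xml and flags that mismatch. The two manifests are constructed for the example and are not taken from any real sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that map to the data the report says DCHSpy collects; none of
# them is needed to tunnel traffic, so a "VPN" requesting them is out of scope.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.RECORD_AUDIO": "microphone audio",
    "android.permission.READ_EXTERNAL_STORAGE": "photos and files",
    "android.permission.CAMERA": "camera",
}


def assess_manifest(manifest_xml: str) -> dict:
    """Flag surveillance-grade permissions and check whether the app can
    actually act as a VPN (a real one binds BIND_VPN_SERVICE on a <service>)."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    declares_vpn_service = any(
        s.get(ANDROID_NS + "permission") == "android.permission.BIND_VPN_SERVICE"
        for s in root.iter("service")
    )
    flagged = {p: SURVEILLANCE_PERMISSIONS[p] for p in requested if p in SURVEILLANCE_PERMISSIONS}
    # Heuristic: a "VPN" that cannot even be a VPN but wants user data, or one
    # wanting three or more unrelated data sources, deserves analyst attention.
    suspicious = (flagged and not declares_vpn_service) or len(flagged) >= 3
    return {"declares_vpn_service": declares_vpn_service, "flagged": flagged,
            "suspicious": bool(suspicious)}


# Constructed manifests modelled on the page's description, not real samples.
FAKE_VPN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application><service android:name=".Svc"/></application>
</manifest>"""

GENUINE_VPN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".VpnSvc"
      android:permission="android.permission.BIND_VPN_SERVICE"/></application>
</manifest>"""
```

Run `assess_manifest()` on a manifest extracted with apktool or aapt; the heuristic is a triage aid for sideloaded APKs, not a verdict, since legitimate apps with a broad feature set can also request several of these permissions.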

Who is Static Kitten?

Static Kitten, also known as MuddyWater, Mercury, Mango Sandstorm, Seedworm, TEMP.Zagros, and TA450, is an Iranian government-sponsored hacking group active since 2017. Static Kitten primarily employs spear-phishing emails to deliver malicious links or attachments, often impersonating trusted entities like government ministries. The group uses PowerShell-based malware, such as NTSTATS and CloudSTATS, to gain persistent access to targeted networks. They deploy MSI installers and remote management tools like ScreenConnect to steal sensitive information or download additional malware. Static Kitten also utilizes file-storage services like Onehub for command and control, often leveraging geopolitical themes, such as Middle Eastern politics, to craft convincing lures. Their operations focus on espionage, with tactics evolving to include data exfiltration and network reconnaissance while maintaining stealth through custom malware.

Static Kitten predominantly targets government agencies, telecommunications, and organizations in the Middle East, particularly in the United Arab Emirates, Kuwait, and Israel. Their activities also extend to Eurasia and Central Asia, focusing on sectors like defense, oil, and natural gas, where they aim to gather intelligence or disrupt operations. Static Kitten is assessed to be linked to Iran’s Ministry of Intelligence and Security (MOIS). Their operations align with Iran’s geopolitical objectives, including espionage against regional adversaries and entities involved in diplomatic normalization efforts, such as those between Arab states and Israel.

IOCs

PolySwarm has a sample of DCHSpy.


3a052d56706a67f918ed3a9acec9a2da428a20065e261d8e40b73badb4c9d7f4


You can use the following CLI command to search for all DCHSpy samples in our portal:

$ polyswarm link list -f DCHSpy


Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.