New malware samples exfiltrate WhatsApp data to target Iran regime’s enemies
Hackers linked to Iranian intelligence agencies are using a new variant of the DCHSpy malware for espionage, stealing WhatsApp data, files and device information, and spreading the malware through Starlink-related lures; the targets are activists and journalists worldwide. 2025-7-21 15:31:20 Author: therecord.media

Hackers believed to be affiliated with an Iranian intelligence agency are using a newly discovered strain of the DCHSpy malware to snoop on adversaries.

Researchers from the cybersecurity firm Lookout detected the latest version of DCHSpy one week after Israel’s June bombing campaign targeting Iran’s nuclear program began. DCHSpy was first detected in 2024, but has since evolved and can now exfiltrate data from WhatsApp and files stored on devices, Lookout said.

The malware also collects contacts, SMS messages, location and call logs, and is able to use device cameras and microphones to take photos and record audio.

The new versions of the malware — which is believed to be tied to the Iranian cyber espionage group MuddyWater — rely on political lures and use websites containing links to malicious VPN and banking apps, Lookout says. One lure involved in the campaign centers on Starlink, which provided Iranians with web access after the country’s government imposed an internet blackout following Israel’s attacks.

MuddyWater, which is thought to be linked to Iran's Ministry of Intelligence and Security (MOIS), distributes the malware using fake URLs in Telegram and other messaging app channels, drawing targets into a prepared website hosting the malicious applications, according to the new research.

The lures are written in English and Farsi and focus on themes opposed by the Iranian regime. Many of the targets are activists and journalists worldwide.


Source: https://therecord.media/malware-exfiltrates-whatsapp-iran-muddywater