Skip to content

Hide Navigation Hide TOC

DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d)

DCHSpy is an Android spyware likely used by MuddyWater. DCHSpy uses political decoys and masquerades as legitimate applications, such as VPNs and banking applications, to trick victims into downloading the malware. Once downloaded, DCHSpy collects information from the device and exfiltrates the data to the command and control (C2) server.(Citation: Lookout_DCHSpy_July2025)

Cluster A Galaxy A Cluster B Galaxy B Level
Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) Attack Pattern DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware 1
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware 1
Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160) Attack Pattern DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware 1
Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) Attack Pattern DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware 1
Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) Attack Pattern DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware 1
Archive Collected Data - T1532 (e3b936a4-6321-4172-9114-038a866362ec) Attack Pattern DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware 1
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) Attack Pattern DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware 1
Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware 1
Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) Attack Pattern DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware 1
Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) Attack Pattern DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware 1
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) Attack Pattern 1
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) Attack Pattern 1
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern 2
Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) Attack Pattern Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern 2
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) Attack Pattern Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) Attack Pattern 2
Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern 2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) Attack Pattern 2