DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d)

DCHSpy is Android spyware likely used by MuddyWater. DCHSpy uses political decoys and masquerades as legitimate applications, such as VPNs and banking applications, to trick victims into downloading the malware. Once downloaded, DCHSpy collects information from the device and exfiltrates the data to the command and control (C2) server. (Citation: Lookout_DCHSpy_July2025)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) | Attack Pattern | DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) | Malware | 1 |
| DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) | Malware | Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) | Attack Pattern | 1 |
| DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) | Malware | Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) | Attack Pattern | 1 |
| DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) | Malware | Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) | Attack Pattern | 1 |
| DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) | Malware | Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) | Attack Pattern | 1 |
| DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) | Malware | SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | 1 |
| DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) | Malware | Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160) | Attack Pattern | 1 |
| DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) | Malware | Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) | Attack Pattern | 1 |
| DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) | Malware | Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | 1 |
| DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) | Malware | Archive Collected Data - T1532 (e3b936a4-6321-4172-9114-038a866362ec) | Attack Pattern | 1 |
| Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) | Malware | 1 |
| DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) | Malware | Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | 1 |
| Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) | Attack Pattern | 2 |
| SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |
| Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) | Attack Pattern | Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) | Attack Pattern | 2 |
| Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) | Attack Pattern | Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) | Attack Pattern | 2 |