Skip to content

Hide Navigation Hide TOC

DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d)

DCHSpy is an Android spyware likely used by MuddyWater. DCHSpy uses political decoys and masquerades as legitimate applications, such as VPNs and banking applications, to trick victims into downloading the malware. Once downloaded, DCHSpy collects information from the device and exfiltrates the data to the command and control (C2) server.(Citation: Lookout_DCHSpy_July2025)

Cluster A Galaxy A Cluster B Galaxy B Level
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) Attack Pattern 1
Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160) Attack Pattern DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware 1
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern 1
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware Archive Collected Data - T1532 (e3b936a4-6321-4172-9114-038a866362ec) Attack Pattern 1
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) Attack Pattern 1
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) Attack Pattern 1
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) Attack Pattern 1
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) Attack Pattern 1
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware 1
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673) Attack Pattern 1
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) Attack Pattern 1
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d) Malware Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) Attack Pattern 1
Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) Attack Pattern Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern 2
Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern 2
Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b) Attack Pattern Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) Attack Pattern 2
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern 2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) Attack Pattern 2