DMR News

Spyware Exploits Starlink Name to Deceive Iranians Seeking Unfiltered Internet

Jul 22, 2025

Cybersecurity firm Lookout has identified an Android-based spyware program impersonating the Starlink brand to trick internet users in Iran into installing malicious software.

Spyware Linked to Iranian State-Sponsored Group MuddyWater

The spyware, known as DCHSpy, is linked to MuddyWater, an Iranian state-sponsored hacking group connected to Iran’s Ministry of Intelligence and Security. The malware can steal call logs, SMS messages, and location data, record audio, and capture photos.

New versions of DCHSpy pose as VPN applications named “Earth VPN” and “Comodo VPN,” capitalizing on a surge in VPN use in Iran after government-imposed internet blackouts aimed at quashing dissent.

Starlink Brand Used as a Phishing Lure

Lookout discovered DCHSpy samples using the Starlink name, likely exploiting recent reports of Starlink providing satellite internet access during Iranian outages. Over 100,000 Iranians reportedly use Starlink hardware smuggled into the country.

The spyware spreads primarily via messaging platforms like Telegram. Recent versions have improved abilities, including access to files of interest and WhatsApp data.

Author’s Opinion

This case highlights how state-sponsored hackers weaponize trusted brand names and current geopolitical tensions to spread spyware. While Starlink provides vital internet access for Iranian users, its name being misused to distribute malware illustrates the complex intersection of technology, politics, and cybersecurity. Users should exercise caution and verify sources, especially in regions where internet freedom is restricted.

Featured image credit: DD News

