Researchers have uncovered new infrastructure linked to Israeli spyware vendor Candiru and its advanced DevilsTongue malware, which continues to pose severe threats despite sanctions and legal actions. The spyware is designed to infiltrate high-profile targets such as politicians and journalists, exploiting zero-day vulnerabilities and multiple infection vectors. Insikt Group identified eight infrastructure clusters, with at least five still active in regions including Hungary and Saudi Arabia. Some clusters manage victim-facing systems directly, while others operate through intermediaries or the Tor network. Activity was also traced to Indonesia until late 2024 and to clusters in Azerbaijan, though their status remains uncertain. The findings highlight Candiru’s resilience, sophistication, and persistent ability to threaten global privacy and security.
A joint investigation by Microsoft Threat Intelligence Center and Citizen Lab has uncovered ongoing activity tied to the DevilsTongue spyware, developed by the Israeli-based spyware vendor Candiru (also known as Sourgum). The malware leverages zero-day vulnerabilities in Windows and common web browsers to infiltrate targeted systems. Despite previous patches and takedown efforts, Candiru’s spyware infrastructure remains active and continues to pose a high risk to political, human rights, and media sectors globally.
The DevilsTongue spyware is delivered through sophisticated exploit chains that take advantage of vulnerabilities in Windows operating systems and widely used web browsers. Once deployed, it provides attackers with deep access to infected devices, enabling the theft of sensitive files, communications, and credentials. The spyware can decrypt and exfiltrate Signal messages, extract stored cookies and login data from browsers such as Internet Explorer, Chrome, Safari, Firefox, and Opera, and harvest credentials directly from LSASS. It also has the ability to access and exfiltrate data from popular online platforms including Twitter, Gmail, Yahoo, Facebook, Vkontakte, Mail.ru, and Odnoklassniki. Beyond passive collection, DevilsTongue can impersonate compromised victims by distributing malicious links to their contacts across social platforms, further expanding its reach. Supporting this activity is an extensive command-and-control infrastructure, with over 750 domains mimicking legitimate organizations such as media outlets, advocacy groups, and civil society movements like Black Lives Matter and Amnesty International, which serve both as infection vectors and control channels.
Malware Capabilities:
DevilsTongue is a stealthy, modular spyware framework with both user-mode and kernel-mode components. Its multi-threaded architecture allows operators to load different modules based on the target environment, enabling flexible reconnaissance and surveillance activities. The spyware can perform a wide range of actions, including system profiling, credential harvesting, and monitoring of communications, making it a powerful tool for long-term surveillance operations.
Persistence and Evasion:
To maintain persistence, DevilsTongue leverages COM hijacking, overwriting legitimate registry keys to ensure execution at system startup. For evasion, it abuses a signed third-party driver (physmem.sys) that grants kernel-level memory access and facilitates API call proxying. This technique helps the malware bypass traditional security solutions, complicating detection and forensic analysis.
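A defender-side check for the two mechanisms named above, added here as an example and not taken from the report: it lists per-user COM InprocServer32 overrides that shadow a machine-wide CLSID and point outside trusted directories (the pattern COM hijacking relies on), and reports whether a driver named physmem.sys is registered. It assumes it runs in a 64-bit PowerShell session on the host being triaged; the trusted-root list is an assumption you should adjust for your environment.

```powershell
# Added hunting example (not the report's code). Assumptions: 64-bit PowerShell on the
# triaged host; $trustedRoots is a site-specific choice, not something the report states.
$trustedRoots = @(
    "$env:SystemRoot\System32",
    "$env:SystemRoot\SysWOW64",
    "$env:ProgramFiles",
    "${env:ProgramFiles(x86)}"
) | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

function Get-SuspiciousComServer {
    # HKCU\Software\Classes\CLSID takes precedence over HKLM for the same CLSID,
    # which is what a COM hijack exploits. Flag user-hive servers that shadow a
    # machine-wide CLSID and live outside the trusted roots or are missing on disk.
    $results = @()
    $userClsid = 'HKCU:\Software\Classes\CLSID'
    if (-not (Test-Path $userClsid)) { return $results }
    foreach ($key in Get-ChildItem $userClsid -ErrorAction SilentlyContinue) {
        $clsid  = $key.PSChildName
        $inproc = "$userClsid\$clsid\InprocServer32"
        if (-not (Test-Path $inproc)) { continue }
        $server = (Get-ItemProperty $inproc -ErrorAction SilentlyContinue).'(default)'
        if (-not $server) { continue }
        $path = [Environment]::ExpandEnvironmentVariables($server.Trim('"')).ToLowerInvariant()
        $inTrusted = $trustedRoots | Where-Object { $path.StartsWith($_) }
        $results += [pscustomobject]@{
            CLSID       = $clsid
            Server      = $server
            OnDisk      = (Test-Path $path)
            TrustedPath = [bool]$inTrusted
            ShadowsHKLM = (Test-Path "HKLM:\Software\Classes\CLSID\$clsid\InprocServer32")
        }
    }
    # Shadowing entries that are untrusted or point at a missing file are the triage candidates.
    $results | Where-Object { $_.ShadowsHKLM -and (-not $_.TrustedPath -or -not $_.OnDisk) }
}

function Get-PhysmemDriver {
    # physmem.sys is the signed driver the report says DevilsTongue abuses for kernel memory access.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -match 'physmem\.sys$' } |
        Select-Object Name, State, StartMode, PathName
}

Get-SuspiciousComServer | Format-Table -AutoSize
Get-PhysmemDriver | Format-Table -AutoSize
```

An empty result from Get-SuspiciousComServer is not a clean bill of health: legitimate software also registers per-user COM servers, and a hijack placed under HKLM or in a trusted directory would not be flagged by this check.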
Data Exfiltration:
Once deployed, DevilsTongue prioritizes extensive data theft. It can steal credentials, browser session data, and sensitive communications, including encrypted messages from platforms such as Skype, Outlook, Telegram, Facebook, Gmail, and Signal. Stolen information is securely transmitted back to attacker-controlled command-and-control (C2) infrastructure, enabling continuous monitoring of victims.
Initial Access Vectors:
Candiru operators employ multiple infection vectors to deploy DevilsTongue, including spearphishing emails, watering hole attacks, malicious documents, and social engineering with weaponized links. In some cases, attackers have also relied on man-in-the-middle attacks or direct physical access to deliver payloads. These techniques are tailored to the victim profile, often targeting high-value individuals in government, media, and civil society.
Zero-Day Exploitation:
DevilsTongue has a history of leveraging zero-day vulnerabilities to gain initial access and maintain stealth. Documented examples include:
Conclusion:
The DevilsTongue spyware represents a highly advanced and persistent surveillance threat, leveraging zero-day vulnerabilities, sophisticated persistence mechanisms, and extensive data exfiltration capabilities. Despite multiple exposures and security patches, the spyware continues to evolve, enabling its operators to infiltrate high-value targets such as politicians, journalists, and human rights defenders. Its modular design, stealth techniques, and abuse of legitimate drivers underscore the growing risks posed by commercial spyware vendors. Organizations and individuals in sensitive sectors must remain vigilant, apply security updates promptly, and adopt proactive threat-hunting measures to mitigate this evolving threat.
DevilsTongue poses a significant threat to high-profile individuals, including politicians, journalists, diplomats, academics, and activists, by compromising their privacy and security. Its modular design and stealth capabilities allow attackers to exfiltrate sensitive data such as communications, credentials, and files without detection. The spyware’s infrastructure spans multiple countries, including Hungary, Saudi Arabia, and Indonesia, highlighting its operational reach and resilience. By targeting individuals of strategic interest, DevilsTongue undermines trust, media freedom, and institutional security. Its continued activity underscores the growing risk posed by commercial spyware and the need for robust detection and mitigation measures.
https://www.recordedfuture.com/research/tracking-candirus-devilstongue-spyware