Sophisticated DevilsTongue Spyware Tracks Windows Users Worldwide

Insikt Group has uncovered new infrastructure tied to the Israeli spyware vendor Candiru, now operating under Saito Tech Ltd., highlighting the persistent deployment of its advanced DevilsTongue malware.

Utilizing Recorded Future Network Intelligence, researchers identified eight distinct operational clusters, each exhibiting variations in infrastructure design and administration.

These include victim-facing components for deploying and commanding the spyware, alongside higher-tier operator systems.

Some clusters directly manage victim interfaces, while others employ intermediary layers or leverage the Tor network for enhanced obfuscation.

Active Clusters and Corporate Shifts

Five clusters are assessed as highly active, with connections to entities in Hungary and Saudi Arabia.

An additional cluster linked to Indonesia remained operational until November 2024, and two associated with Azerbaijan show uncertain status due to unconfirmed victim-facing elements.

This discovery underscores Candiru’s resilience despite international sanctions, including its 2021 addition to the US Department of Commerce’s Entity List, and ongoing efforts to evade regulatory pressures through corporate restructuring.

DevilsTongue, a modular Windows malware developed in C and C++, features sophisticated persistence mechanisms such as COM hijacking, where it overwrites legitimate DLL paths in the registry to inject payloads from disguised directories like C:\Windows\system32\IME.
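
A way to hunt for the COM hijacking persistence just described is to compare the InprocServer32 DLL paths registered under CLSID keys against a known-good baseline and against an allowlist of expected directories. The script below is an added example, not code from the report or from any tooling it describes: it parses a constructed .reg-style export (values assumed to be exported as plain strings), and the CLSIDs, file names, BASELINE and TRUSTED_DIRS are all assumptions chosen for illustration.

```python
import re

# Constructed sample .reg export of COM InprocServer32 values (made-up CLSIDs/file names).
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-0000-0000-0000-000000000002}\InprocServer32]
@="C:\\Windows\\system32\\IME\\msdrv.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-0000-0000-0000-000000000003}\InprocServer32]
@="%SystemRoot%\\System32\\ole32.dll"
"""
# Known-good CLSID -> DLL mapping, assumed to be captured from a clean image.
BASELINE = {
    "{11111111-0000-0000-0000-000000000001}": r"C:\Windows\System32\shell32.dll",
    "{11111111-0000-0000-0000-000000000002}": r"C:\Windows\System32\msdrv.dll",
    "{11111111-0000-0000-0000-000000000003}": r"C:\Windows\System32\ole32.dll",
}
# Assumed allowlist of parent directories for in-process COM servers. The match is
# exact, so a subdirectory such as System32\IME is deliberately not trusted.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
KEY_RE = re.compile(r"^\[.*\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\]$")
VALUE_RE = re.compile(r'^@="(.*)"$')


def normalize(path):
    """Unescape .reg backslashes, expand %SystemRoot%, and lowercase for comparison."""
    path = path.replace("\\\\", "\\")
    path = re.sub(r"%systemroot%", r"C:\\Windows", path, flags=re.IGNORECASE)
    return path.strip('"').lower()


def parse_inproc_servers(reg_text):
    """Map each CLSID in the export to the raw InprocServer32 default value."""
    servers, clsid = {}, None
    for line in reg_text.splitlines():
        if m := KEY_RE.match(line.strip()):
            clsid = m.group(1)
        elif clsid and (m := VALUE_RE.match(line.strip())):
            servers[clsid], clsid = m.group(1), None
    return servers


def find_hijacks(reg_text, baseline):
    """Return (clsid, path, reason) for servers off-baseline or outside TRUSTED_DIRS."""
    findings = []
    for clsid, raw in parse_inproc_servers(reg_text).items():
        path = normalize(raw)
        if clsid in baseline and path != normalize(baseline[clsid]):
            findings.append((clsid, path, "differs from baseline " + normalize(baseline[clsid])))
        if path.rsplit("\\", 1)[0] not in TRUSTED_DIRS:
            findings.append((clsid, path, "loads from an unexpected directory"))
    return findings
```

On a real host the export would come from `reg export HKLM\SOFTWARE\Classes\CLSID`, and HKCU\Software\Classes\CLSID should be checked the same way, since per-user entries take precedence over machine-wide ones.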

It incorporates kernel-mode drivers for memory access and API proxying, ensuring stealth by reinjecting original DLLs and executing decrypted payloads in memory only.

Capabilities extend to credential theft from LSASS and browsers, extraction of encrypted Signal messages, and cookie-based impersonation on platforms like Gmail and Facebook.

Overlaps with exploit kits like CHAINSHOT, which exploits zero-days in browsers such as Chrome (e.g., CVE-2021-21166, CVE-2021-30551, and CVE-2022-2294), facilitate initial access via spearphishing links, watering-hole attacks, and potentially ad-based vectors like the Sherlock capability, which hijacks programmatic advertising for cross-platform infections on Windows, Android, and iOS.

Candiru’s capabilities on Windows devices

Background on Candiru’s Evolution

Founded in 2014 by Eran Shorer and Yaakov Weizmann, Candiru has undergone multiple rebrandings from DF Associates Ltd. to Grindavik Solutions, Taveta Ltd., and finally Saito Tech Ltd. to maintain operational secrecy amid growing scrutiny.

Backed by investors linked to NSO Group, the firm has secured multimillion-dollar contracts with governments in Europe, the Middle East, Asia, and Latin America, licensing Devil’s Tongue based on concurrent infections, with pricing tiers allowing expansions for additional devices and geographic targets.

Candiru pricing options

Leaked proposals reveal restrictions against use in countries like the US, Russia, China, Israel, and Iran, yet evidence shows deployments in these regions, including targeting Catalan activists and Armenian users via zero-day exploits.

A suspected acquisition in early 2025 by US-based Integrity Partners transferred Candiru’s assets to a new entity, Integrity Labs Ltd., potentially bypassing sanctions.

This move aligns with broader trends in the mercenary spyware market, where vendors innovate with stealthier chains, cloud backup targeting, and professionalized ecosystems.

Victims often include high-value individuals like politicians and journalists, compromised through malicious links, weaponized documents, or MitM attacks.

According to the report, the proliferation of such tools extends risks beyond civil society, driven by high deployment costs and evolving tactics like ad-based infections and server-side attacks.

Short-term defenses include rigorous software patching, indicator hunting, device separation, and security training to counter vectors.

Long-term strategies demand adaptive risk assessments and ecosystem monitoring. Despite initiatives like the EU’s spyware curbs and the Pall Mall process, Candiru’s adaptability poses ongoing threats, urging stronger global regulations to mitigate privacy and safety risks.
