Candiru, an Israel-based spyware vendor, has deployed malware infrastructure across multiple countries to target high-value individuals including politicians, journalists, and business leaders.
The mercenary spyware, known as DevilsTongue, is a growing threat to Windows users globally: eight distinct operational clusters have been identified, with victim-facing infrastructure in Hungary, Saudi Arabia, Indonesia, and Azerbaijan.
This modular Windows malware combines evasion techniques with extensive surveillance capabilities, which places it among the more capable commercial spyware currently in use.
DevilsTongue has emerged as a particularly concerning product in the mercenary spyware market, combining zero-day exploitation with robust persistence mechanisms.
The malware is delivered through multiple infection vectors, including zero-day vulnerabilities in web browsers and weaponized documents, to compromise target systems.
What makes this spyware distinctive is how quietly it operates once installed: it steals sensitive information while leaving little on disk for standard security tools to flag.
Recorded Future security analysts identified new infrastructure linked to Candiru’s operational clusters, revealing significant differences in how various groups manage their victim-facing systems.
Some clusters operate their infrastructure directly, while others route commands through intermediary layers or the Tor network, which complicates both attribution and blocking.
The discovery shows that Candiru continues to adapt its operational security even after the US Department of Commerce added it to the Entity List in November 2021.
The licensing model for DevilsTongue underscores the commercial nature of this threat. According to leaked project proposals, Candiru charges based on concurrent infections, allowing customers to monitor multiple devices simultaneously.
A base contract starting at €16 million permits unlimited infection attempts with ten concurrent devices monitored, while additional fees unlock expanded capacity and geographic coverage across different countries.
This pricing structure attracts government clients with substantial budgets seeking persistent surveillance capabilities.
Technical Persistence and Evasion Mechanisms
DevilsTongue employs several techniques to maintain persistence and evade detection on infected Windows systems.
The malware uses COM hijacking: it overwrites the registry key of a legitimate COM class so that it points to a first-stage DLL placed in C:\Windows\System32\IME.
Because the DLL sits in a legitimate system directory and is loaded by whatever already instantiates that COM class, the persistence mechanism blends in with normal system activity. A signed third-party driver, physmem.sys, gives the malware kernel-level memory access, which it uses to proxy API calls and sidestep detection mechanisms.
To keep the hijacked COM class working, the first stage loads the original COM DLL and uses shellcode to patch the return value of LoadLibraryExW, so the legitimate component still runs and nothing breaks in a way that would trigger security alerts.
All additional payloads remain encrypted on disk and execute only in memory, leaving little for forensic recovery.
This design lets the malware extract credentials from LSASS, browsers, and messaging applications such as Signal before covering its tracks by scrubbing metadata and ensuring that each file it drops carries a unique hash, so hash-based indicators do not transfer between infections.
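The COM hijack described above is detectable from the registry alone, because the persistence lives in an InprocServer32 value that points somewhere unusual. The script below is an added example written for this article; it is not code from Candiru, Recorded Future, or Microsoft, and it contains no real DevilsTongue indicators. It parses a .reg export of CLSID keys (a constructed sample is embedded inline, with invented GUIDs and paths) and flags entries whose DLL is served out of C:\Windows\System32\IME, the directory the article names, or from outside the usual System32 and Program Files roots. It also goes one step beyond the article and flags HKCU CLSID entries that shadow an HKLM registration, the classic per-user COM hijack, since that variant needs no administrator rights.

```python
"""Triage helper for COM-hijack persistence in a Windows .reg export.

Added example for this article, not vendor or researcher code. The GUIDs
and DLL paths in SAMPLE_REG are constructed for illustration only.
"""
import re

# Constructed .reg export (not real registry data). Note that .reg files
# escape backslashes inside string values as "\\".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Windows\\System32\\IME\\imeshared.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{33333333-3333-3333-3333-333333333333}\InprocServer32]
@="C:\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\helper.dll"
'''

KEY_RE = re.compile(r'^\[(HKEY_[A-Z_]+)\\(.+)\\InprocServer32\]$', re.IGNORECASE)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f-]{36}\}')

# Directories a COM server DLL is normally expected to live in (assumption:
# a plain Windows install without third-party software in odd locations).
TRUSTED_ROOTS = (r'c:\windows\system32', r'c:\windows\syswow64',
                 r'c:\program files', r'c:\program files (x86)')
# The directory the article names as the DevilsTongue first-stage location.
SUSPECT_DIRS = (r'c:\windows\system32\ime',)


def parse_inproc_servers(reg_text):
    """Return [(hive, clsid, dll_path)] for every InprocServer32 default value.

    Only plain string values (@="...") are handled; hex(2) expandable
    strings are ignored here to keep the parser short.
    """
    entries = []
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            guid = CLSID_RE.search(key.group(2))
            current = (key.group(1).upper(), guid.group(0).upper()) if guid else None
            continue
        value = DEFAULT_VALUE_RE.match(line)
        if value and current:
            path = value.group(1).replace('\\\\', '\\')   # undo .reg escaping
            entries.append((current[0], current[1], path))
            current = None
    return entries


def _under(path, roots):
    p = path.strip().lower()
    return any(p.startswith(root + '\\') for root in roots)


def find_suspicious(entries):
    """Return [(clsid, dll_path, [reasons])] for entries worth a closer look."""
    hklm_clsids = {clsid for hive, clsid, _ in entries if hive == 'HKEY_LOCAL_MACHINE'}
    findings = []
    for hive, clsid, path in entries:
        reasons = []
        if _under(path, SUSPECT_DIRS):
            reasons.append('served from System32\\IME')
        elif not _under(path, TRUSTED_ROOTS):
            reasons.append('outside trusted roots')
        # Per-user hijack: HKCU\Software\Classes wins over HKLM at COM lookup.
        if hive == 'HKEY_CURRENT_USER' and clsid in hklm_clsids:
            reasons.append('HKCU entry shadows HKLM registration')
        if reasons:
            findings.append((clsid, path, reasons))
    return findings


if __name__ == '__main__':
    for clsid, path, reasons in find_suspicious(parse_inproc_servers(SAMPLE_REG)):
        print(f'{clsid}  {path}\n    ' + '; '.join(reasons))
```

To run this against a real host, export the two hives first (`reg export HKLM\SOFTWARE\Classes\CLSID hklm.reg` and the HKCU equivalent) and read the files with `encoding='utf-16'`, since reg.exe writes UTF-16 LE. A hit on the IME directory is not proof of compromise by itself; the follow-up is to check the DLL's signature and whether the original COM server DLL the key used to reference is still loaded, which is what the return-value patching above is designed to hide.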