Sophisticated DevilsTongue Windows Spyware Tracking Users Globally
The emergence of DevilsTongue marks a significant escalation in mercenary spyware capabilities, leveraging advanced Windows-based techniques to infiltrate high-value targets worldwide.
First observed in campaigns dating back to 2019, this modular malware aggressively exploits zero-day browser vulnerabilities and weaponized documents to gain initial access.
Once deployed, it establishes a stealthy presence, exfiltrating sensitive data from corporate and personal environments alike.
Recorded Future researchers identified new victim-facing and operator-tier infrastructure in multiple countries, underscoring both the global scale of operations and the diversity of administrative practices across clusters.
DevilsTongue’s attack vectors include spearphishing with malicious links, strategic watering hole compromises, and booby-trapped Office documents.
Google’s Threat Analysis Group observed exploits targeting Chrome and Internet Explorer in 2021, specifically CVE-2021-21166 and CVE-2021-33742, delivering DevilsTongue payloads via single-use URLs and embedded ActiveX objects.
Following initial compromise, the malware leverages a signed driver (physmem.sys) to achieve kernel-level memory access, enabling advanced in-memory payload execution without writing to disk.
Recorded Future analysts noted that these techniques allow DevilsTongue to evade traditional signature-based detection, maintaining under-the-radar persistence on victim devices.
The global impact of DevilsTongue has been profound. Government clients across Europe, the Middle East, and Asia have deployed the spyware against politicians, journalists, and dissidents.
Citizen Lab and Microsoft reported over 100 victims spanning Palestine, Türkiye, and Spain, among others.
Targeting infrastructure has been traced to entities in Saudi Arabia, Hungary, and Indonesia, with some clusters still active as of mid-2025.
The high cost of deployment—estimated at millions of euros—limits usage to high-value targets, yet the consequences for personal privacy and national security are indisputable.
Among the distinguishing features of DevilsTongue is its sophisticated persistence mechanism. Upon execution, the first-stage DLL is dropped into the system directory and a legitimate COM class registry key is hijacked to load this malicious library.
The malware reinjects the original COM DLL to preserve system stability, while its own code runs covertly in memory. Persistence is further bolstered by encrypted configuration storage and dynamic hashing of payload components, impeding forensic analysis.
Infection Mechanism
DevilsTongue’s infection mechanism centers on multi-stage exploitation and stealthy payload delivery.
Initially, a tailored phishing email directs the target to a malicious domain impersonating legitimate services.
A browser exploit chain triggers remote code execution, dropping a loader that retrieves an encrypted second-stage payload.
This loader employs a signed driver, physmem.sys, to map the payload into memory with kernel privileges.
The code snippet below illustrates how the malware hijacks a COM class registry entry to achieve persistence:
// COM hijacking registry modification (needs <windows.h>; backslashes escaped for C)
#include <windows.h>
HKEY hKey;
const wchar_t *dll = L"C:\\Windows\\system32\\IME\\stage1.dll";
// Open the InprocServer32 subkey of the targeted CLSID for writing
if (RegOpenKeyExW(HKEY_CLASSES_ROOT, L"CLSID\\{00000000-0000-0000-C000-000000000046}\\InprocServer32", 0, KEY_SET_VALUE, &hKey) == ERROR_SUCCESS) {
    // Replace the default value so the class now resolves to the dropped first-stage DLL
    RegSetValueExW(hKey, NULL, 0, REG_SZ, (const BYTE *)dll, (DWORD)((wcslen(dll) + 1) * sizeof(wchar_t)));
    RegCloseKey(hKey);
}
This tactic ensures that whenever the COM class is instantiated by a legitimate application, the malicious DLL is loaded first, granting DevilsTongue full control.
Subsequent modules decrypt and execute only in memory, leaving minimal forensic artifacts on disk.
Such layered execution highlights the depth of sophistication in DevilsTongue’s design and its continued evolution against modern defenses.
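As an added defensive check, not part of the Recorded Future or Citizen Lab reporting and not a published detection rule, the PowerShell audit below enumerates InprocServer32 registrations and flags the indicators implied by the snippet above: a per-user (HKCU) class shadowing the machine-wide one, a DLL that is missing or not Authenticode-signed, and a DLL under the IME directory. The IME-path heuristic is an assumption drawn only from the sample path shown on this page.

```powershell
# Added audit script (not from the Recorded Future/Citizen Lab research): lists COM
# InprocServer32 registrations that match the hijack pattern described above.
function Get-InprocServer32 {
    param([string]$ClassesRoot)   # e.g. HKLM:\SOFTWARE\Classes or HKCU:\Software\Classes
    $clsidRoot = Join-Path $ClassesRoot 'CLSID'
    if (-not (Test-Path $clsidRoot)) { return }
    foreach ($key in Get-ChildItem -Path $clsidRoot -ErrorAction SilentlyContinue) {
        $inproc = Join-Path (Join-Path $clsidRoot $key.PSChildName) 'InprocServer32'
        if (-not (Test-Path $inproc)) { continue }
        $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
        if (-not $dll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
        # Bare file names resolve through the loader search path; assume System32 for the check
        if (-not [IO.Path]::IsPathRooted($dll)) { $dll = Join-Path "$env:SystemRoot\System32" $dll }
        [pscustomobject]@{ Clsid = $key.PSChildName; Hive = $ClassesRoot.Split(':')[0]; Dll = $dll }
    }
}

$machine = @(Get-InprocServer32 'HKLM:\SOFTWARE\Classes')
$user    = @(Get-InprocServer32 'HKCU:\Software\Classes')
$machineClsids = @{}
foreach ($m in $machine) { $machineClsids[$m.Clsid] = $true }

$findings = foreach ($entry in ($machine + $user)) {
    $reasons = @()
    # Classic hijack: a per-user registration that overrides an existing machine-wide class
    if ($entry.Hive -eq 'HKCU' -and $machineClsids.ContainsKey($entry.Clsid)) { $reasons += 'HKCU shadows HKLM class' }
    # Heuristic taken from the snippet above (assumption, not a published rule): payload dropped under IME
    if ($entry.Dll -match '\\IME\\') { $reasons += 'DLL under IME directory' }
    if (-not (Test-Path -LiteralPath $entry.Dll)) { $reasons += 'DLL missing on disk' }
    else {
        $sig = Get-AuthenticodeSignature -FilePath $entry.Dll
        if ($sig.Status -ne 'Valid') { $reasons += "Authenticode status $($sig.Status)" }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{ Clsid = $entry.Clsid; Hive = $entry.Hive; Dll = $entry.Dll; Reasons = ($reasons -join '; ') }
    }
}
$findings | Sort-Object Hive, Clsid | Format-Table -AutoSize
```

Run it elevated so every HKLM key is readable; the signature check can be noisy on hosts with many third-party COM servers, so treat HKCU shadowing and the IME path as the higher-fidelity signals and baseline the output against a known-clean build.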