Global Windows Users Hit by Candiru’s Powerful DevilsTongue Spyware
New research from Recorded Future's Insikt Group exposes ongoing global operations deploying DevilsTongue, a sophisticated Windows-based spyware that Israeli vendor Candiru sells to government clients for targeted surveillance.
Using Recorded Future’s Network Intelligence, analysts identified eight separate infrastructure clusters used by Candiru operators.
These include both victim-facing servers that deliver and control the spyware and higher-tier systems used for coordination or anonymization. Five clusters remain active, with strong links to operations in Hungary and Saudi Arabia.
One network linked to Indonesia operated until late 2024, while two others associated with Azerbaijan could not be confirmed as active because no victim-facing assets were observed.
Candiru’s infrastructure exhibits layered administration, suggesting a deliberate design to obscure control paths. Some clusters rely on intermediate servers or Tor-based routing to conceal the identities of operators.
Insikt Group also uncovered a new company, Integrity Labs Ltd., believed to be connected to Candiru’s corporate network following its 2025 acquisition by US-based investment firm Integrity Partners.
DevilsTongue, the spyware central to these operations, is modular malware written in C and C++. It enables deep system intrusion, granting attackers access to files, browser data, and even messages from desktop messaging apps such as Signal, which are encrypted in transit but readable once the endpoint itself is compromised.
According to Microsoft's earlier analysis, the malware maintains persistence by hijacking COM: it rewrites the registry entry of a legitimate COM class so that its InProcServer32 path points at a malicious DLL, which is then loaded by whatever trusted process instantiates that class. It also uses signed third-party drivers to access kernel memory covertly.
Because much of the payload runs only in memory and is stored encrypted on disk, disk-based forensics recovers little; detection depends largely on spotting the registry and driver artefacts the persistence mechanism leaves behind.
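As an added example, not code from the original article nor from Recorded Future, Microsoft or Candiru, the PowerShell script below hunts for the COM-hijack persistence pattern just described. It flags per-user CLSIDs that shadow a machine-wide registration (the classic way to make a trusted process load an attacker DLL without admin rights) and any InProcServer32 DLL that is missing, unsigned, or outside the Windows and Program Files trees. The list of trusted directories and the System32 fallback for bare DLL names are assumptions for this example.

```powershell
# Added example: hunt for COM-hijack persistence of the kind Microsoft described.
# Not Candiru tooling and not Recorded Future or Microsoft code; the checks are
# generic to COM hijacking rather than specific to DevilsTongue.
# Runs in a normal (non-elevated) session. Scanning HKLM calls
# Get-AuthenticodeSignature on thousands of DLLs and takes a few minutes.

$hkcuClsid = 'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
$hklmClsid = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID'

# Assumption for this example: DLLs under these roots are "expected" locations.
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_ -ne '\' }

function Get-InprocDllPath {
    # Returns the expanded, unquoted (default) value of <CLSID>\InProcServer32, or $null.
    # Bare file names (e.g. "shell32.dll") are resolved against System32 as a heuristic.
    param([string]$ClsidKeyPath)
    $inproc = Join-Path $ClsidKeyPath 'InProcServer32'
    if (-not (Test-Path -Path $inproc)) { return $null }
    $raw = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
    if ([string]::IsNullOrWhiteSpace($raw)) { return $null }
    $path = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
    if (-not [System.IO.Path]::IsPathRooted($path)) {
        $path = Join-Path $env:SystemRoot "System32\$path"
    }
    return $path
}

function Get-DllSuspicionReason {
    # Returns a reason string when the DLL looks wrong, otherwise $null.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'DLL path does not exist' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "signature status: $($sig.Status)" }
    $inTrustedRoot = $trustedRoots | Where-Object {
        $Path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase)
    }
    if (-not $inTrustedRoot) { return 'DLL outside Windows/Program Files' }
    return $null
}

$findings = New-Object System.Collections.Generic.List[object]

# Check 1: per-user CLSIDs that shadow a machine-wide registration.
# HKCU\Software\Classes is consulted before HKLM, so a CLSID present in both
# means the user-level DLL wins for every process running as this user.
if (Test-Path -Path $hkcuClsid) {
    foreach ($key in Get-ChildItem -Path $hkcuClsid -ErrorAction SilentlyContinue) {
        $dll = Get-InprocDllPath -ClsidKeyPath $key.PSPath
        if ($dll -and (Test-Path -Path (Join-Path $hklmClsid $key.PSChildName))) {
            $findings.Add([pscustomobject]@{
                Hive = 'HKCU'; CLSID = $key.PSChildName; Dll = $dll
                Reason = 'per-user CLSID shadows an HKLM registration'
            })
        }
    }
}

# Check 2: InProcServer32 DLLs that are missing, unsigned, or in unusual locations.
foreach ($root in @($hkcuClsid, $hklmClsid)) {
    if (-not (Test-Path -Path $root)) { continue }
    $hive = if ($root -like '*CURRENT_USER*') { 'HKCU' } else { 'HKLM' }
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $dll = Get-InprocDllPath -ClsidKeyPath $key.PSPath
        if (-not $dll) { continue }
        $reason = Get-DllSuspicionReason -Path $dll
        if ($reason) {
            $findings.Add([pscustomobject]@{
                Hive = $hive; CLSID = $key.PSChildName; Dll = $dll; Reason = $reason
            })
        }
    }
}

$findings | Sort-Object Hive, CLSID | Format-Table -AutoSize
```

Two caveats. A valid Authenticode signature is not proof of benignity: the same Microsoft analysis notes that DevilsTongue relies on a signed third-party driver, so a signed DLL in an odd location still deserves a look, and the HKCU-shadowing check is the stronger signal. The script also only covers the 64-bit view and the current user; for a full sweep, repeat it against HKLM\SOFTWARE\WOW6432Node\Classes\CLSID and the other profiles under HKEY_USERS, and pair it with a review of loaded drivers.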
Candiru’s exploit delivery methods rely primarily on malicious links, weaponized Office documents, and watering hole attacks.
In previous incidents, the zero-day vulnerabilities CVE-2021-21166 and CVE-2021-30551 (Chrome) and CVE-2021-33742 (Internet Explorer's MSHTML engine) were used to compromise targeted systems in Armenia and the Middle East.
More recent attacks in 2022 exploited CVE-2022-2294, a Chrome WebRTC flaw, to target journalists and news organizations in Lebanon and Yemen.
Investigators also highlighted Candiru’s possible experimentation with “ad-based infections” using a capability called Sherlock.
Developed by fellow Israeli vendor Insanet, this method distributes malicious payloads through targeted digital advertisements, potentially compromising Windows, Android, and iOS devices without direct exploitation.
Although the US Commerce Department added Candiru to its Entity List in 2021, the company continues to operate under new ownership and a new structure.
Cyber experts warn that mercenary spyware poses serious privacy and national security risks, often targeting politicians, journalists, and activists.
Defenders are urged to maintain strict patching schedules (the browser flaws above were all fixed by vendor updates), monitor for known indicators such as the infrastructure clusters described here and the COM and driver persistence artefacts, and separate personal and work devices to reduce exposure.