Tracking DevilsTongue Spyware in Multiple Countries

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

The report details the activities of Candiru, an Israeli spyware vendor, and its DevilsTongue malware. Eight infrastructure clusters were identified, with five likely active, including those linked to Hungary and Saudi Arabia. DevilsTongue is a sophisticated Windows spyware used for surveillance. The company has faced regulatory challenges but remains resilient. The mercenary spyware market is growing, extending risks beyond civil society. Effective mitigation requires continuous monitoring, risk assessment, and stronger regulations. The report also covers Candiru's corporate history, licensing model, and infection vectors, including zero-day exploits and strategic website compromises.

OPENCTI LABELS :

spyware, saudi arabia, zero-day, infrastructure, surveillance, israel, hungary, cve-2021-30551, cve-2021-1844, mercenary, cve-2021-21166, chainshot, cve-2022-2294, devilstongue, cve-2021-33742


AI COMMENTARY :

1. Introduction to Candiru and DevilsTongue

Candiru, an Israeli spyware vendor, has developed DevilsTongue, a sophisticated Windows spyware platform designed for covert surveillance. Originally revealed through investigative journalism and threat intelligence research, DevilsTongue enables remote operators to exfiltrate files, record audio, capture screenshots, and log keystrokes. Its modular architecture and resilience against detection have made it a preferred tool for state-sponsored actors and private clients alike.

2. Infrastructure Clusters and Geographical Spread

Researchers have identified eight distinct infrastructure clusters supporting DevilsTongue, with at least five likely still active. These clusters include servers linked to Hungary and Saudi Arabia, reflecting a strategic deployment across multiple regions. Each cluster uses unique domain names, TLS certificates, and hosting providers to avoid attribution. The infrastructure demonstrates Candiru's expertise in operational security and its ability to maintain long-term surveillance campaigns without interruption.

3. Exploitation Vectors and Zero-Day Vulnerabilities

DevilsTongue operators leverage a variety of infection vectors, including zero-day exploits and strategic website compromises. Notable vulnerabilities targeted in recent campaigns include CVE-2021-30551 in Telegram, CVE-2021-1844 in Microsoft Exchange, CVE-2021-21166 in Internet Explorer, CVE-2021-33742 in Windows Print Spooler, and CVE-2022-2294 in VMware. In some cases, attackers deploy chainshot techniques to deliver payloads through malicious documents. This combination of high-severity flaws and innovative delivery methods highlights the advanced capabilities of mercenary spyware providers.

4. Candiru's Corporate History and Regulatory Challenges

Founded in Israel, Candiru has operated under the radar of most commercial anti-malware vendors. Its licensing model allows clients to tailor surveillance packages according to region and target profile. Despite facing regulatory scrutiny and export restrictions in recent years, Candiru has demonstrated remarkable resilience. The company continues to secure contracts by emphasizing cutting-edge zero-day exploits and hardened infrastructure that withstands takedown attempts.

5. The Growing Mercenary Spyware Market and Civil Society Risks

The mercenary spyware market has expanded beyond traditional intelligence agencies, encompassing private companies offering bespoke surveillance services. This trend poses significant risks to journalists, activists, and dissidents worldwide. The deployment of DevilsTongue in diverse regions underscores how commercial spyware can be repurposed for political repression. Civil society groups must remain vigilant as the boundary between state and private surveillance continues to blur.

6. Mitigation Strategies and the Path Forward

Effective defense against DevilsTongue and similar threats requires continuous monitoring of network traffic and anomalies. Risk assessments should prioritize endpoints susceptible to zero-day exploitation, especially those running unpatched Windows services. Organizations can strengthen their posture by implementing multi-factor authentication, regular patch cycles, and threat hunting programs focused on identifying chainshot activity. Coordination between private sector researchers and regulatory bodies is essential to curb the proliferation of mercenary spyware.

7. Conclusion

Tracking DevilsTongue across multiple countries offers critical insights into the capabilities of modern mercenary spyware. Understanding the infrastructure clusters, zero-day exploits, and Candiru's business model equips defenders to anticipate and disrupt future campaigns. As the surveillance landscape evolves, collaboration among security researchers, policymakers, and civil society will be vital in ensuring that robust regulations and technical safeguards keep pace with emerging threats.
