Recorded Future's Insikt Group uncovers active infrastructure linked to Candiru’s DevilsTongue spyware across multiple countries. Discover how this stealthy spyware targets high-value individuals and evades detection.
Analysis Summary
# Threat Actor: Candiru (Saito Tech Ltd.)
## Attribution & Identity
- **Identification:** Israel-based spyware vendor, tracked as an adversary.
- **Aliases/Corporate Identity:** Formerly known as Candiru Ltd., currently operating as Saito Tech Ltd.
- **Known Associations:** Associated with the spyware **DevilsTongue**. Early investor Isaac Zack, also involved with NSO Group, was reported to be chairman. Insikt Group identified a separate company suspected to be part of Candiru’s broader corporate network, established around the time Candiru's assets were acquired by a US-based company.
## Activity Summary
Insikt Group identified new infrastructure linked to several operational clusters associated with Candiru used for deploying and controlling the DevilsTongue spyware.
- **Operational Structure:** Eight distinct clusters were identified; five are assessed as highly likely active, including the clusters linked to Hungary and Saudi Arabia.
- **Historical Activity:** One cluster linked to Indonesia was active until November 2024. Two clusters associated with Azerbaijan have an uncertain status.
- **Prior Campaigns:** Linked to weaponized Google Chrome exploits (CVE-2022-2294, a heap buffer overflow in WebRTC) targeting users in the Middle East in July 2022. Previously linked with medium confidence by ESET to strategic web compromises focused on Yemen. Also mentioned as possessing or utilizing the **Sherlock** surveillance capability.
## Tactics, Techniques & Procedures
- **Malware:** DevilsTongue (sophisticated, modular Windows spyware).
- **Infection Vectors:** Exploitation of zero-day vulnerabilities (e.g., CVE-2022-2294 in Google Chrome WebRTC), strategic web compromises that use XSS to inject malicious JavaScript, and potentially infection through programmatic advertising (related to the Sherlock capability).
- **Infrastructure:** Utilizes varied infrastructure designs, including direct management of victim-facing systems, intermediary layers, and the Tor network.
- **Specific Exploits:** The Chrome exploit used against targets in the Middle East likely chained a sandbox escape. In Lebanon, a news agency's employee website was compromised, and injected malicious JavaScript redirected visitors to an exploit server.
- **Advanced Capabilities:** Allegedly possesses **Sherlock**, a surveillance capability that leverages programmatic advertising (ad exchanges) to select specific individuals by demographics and location for covert spyware installation, without relying on traditional software vulnerability exploits.
- **Persistence/Innovation:** Observed trends point toward stealthier infection chains, targeting of cloud backups, and enhanced persistence.
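The Lebanon incident above is a site-integrity problem from the defender's side: a legitimate page started referencing a host the site owner never approved. The following added example (written for this summary, not Insikt Group or Recorded Future tooling) shows one way a site owner can periodically check served pages for script sources, frames, meta refreshes, or inline redirects that point at hosts outside an allowlist. All domains and page contents below are constructed placeholders.

```python
"""Flag external hosts referenced by a served page that are not on the site's
allowlist. Added example for this summary; not Recorded Future / Insikt tooling.
Hostnames and page bodies are constructed placeholders."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s'"<>()]+""", re.IGNORECASE)


class _RefCollector(HTMLParser):
    """Collect URLs from script/iframe src attributes, meta refresh, and inline scripts."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "frame", "object", "embed") and a.get("src"):
            self.urls.append(a["src"])
        if tag == "script":
            self._in_script = True
        # <meta http-equiv="refresh" content="0;url=https://...">
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(\S+)", a.get("content") or "", re.IGNORECASE)
            if m:
                self.urls.append(m.group(1).strip("'\""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Inline JavaScript bodies: pull out absolute URLs (e.g. location assignments).
        if self._in_script:
            self.urls.extend(URL_RE.findall(data))


def external_hosts(html):
    """Return the set of hostnames referenced by absolute URLs in the page."""
    p = _RefCollector()
    p.feed(html)
    hosts = set()
    for u in p.urls:
        host = urlparse(u).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def unapproved_hosts(html, allowed_hosts):
    """Referenced hosts that are neither on the allowlist nor subdomains of an entry."""
    allowed = {h.lower() for h in allowed_hosts}

    def ok(h):
        return any(h == a or h.endswith("." + a) for a in allowed)

    return {h for h in external_hosts(html) if not ok(h)}


# Constructed allowlist and pages (placeholder names, not real infrastructure).
ALLOWED = {"news-agency.example", "cdn.news-agency.example"}

CLEAN_PAGE = """<html><head><script src="https://cdn.news-agency.example/app.js"></script>
</head><body><p>Staff portal</p></body></html>"""

# Same page with an injected inline script that sends visitors to another host.
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script>location.href="https://redirect.attacker-placeholder.invalid/x";</script></body>',
)

if __name__ == "__main__":
    print("clean page:", unapproved_hosts(CLEAN_PAGE, ALLOWED))
    print("tampered page:", unapproved_hosts(INJECTED_PAGE, ALLOWED))
```

Run against a baseline copy of each page on a schedule and alert on any non-empty result; an attacker-controlled host appearing in the diff is the signal the report's Lebanon case would have produced.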
## Targeting
- **Sectors:** Individuals with high intelligence value, such as politicians, business leaders, and people in sensitive roles; the risk extends to anyone of interest to actors possessing such tools. Targeted sectors include news/media (the Lebanon incident).
- **Geography:** Active clusters linked to **Hungary** and **Saudi Arabia**. Previous activity noted in the **Middle East** and **Yemen**. An Indonesian customer-linked cluster was active.
- **Victims:** Individuals with high intelligence value; employees of a news agency in Lebanon.
## Tools & Infrastructure
- **Malware families used:** DevilsTongue; Sherlock (surveillance capability).
- **Infrastructure (C2, domains, IPs):** New infrastructure identified includes victim-facing components and higher-tier operator infrastructure. Clusters use intermediary layers or the Tor network for command and control.
## Implications
The use of mercenary spyware like DevilsTongue poses serious privacy, legal, and safety risks globally, especially outside serious crime or counterterrorism contexts. Despite being blacklisted (Candiru added to the US Department of Commerce Entity List), the vendor has proven resilient, attempting to reverse this status. The growing mercenary spyware market indicates that the risk of targeting now extends broadly beyond typical cybersecurity concerns to any individual deemed of interest by government entities purchasing these tools.
## Mitigations
- **Short Term:** Implement security best practices, including regular software updates, active hunting for known indicators, pre-travel security briefings, and strict separation of personal and corporate devices. Enhance employee security awareness training regarding infection vectors and malware capabilities.
- **Long Term:** Invest in thorough risk assessments to inform more nuanced and adaptive security policies. Continuous ecosystem monitoring and stronger regulatory action from policymakers are necessary.
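"Active hunting for known indicators" in the short-term mitigations is concrete enough to show in code. The following added example (written for this summary, not Recorded Future tooling) sweeps proxy log lines for destinations matching an indicator set of domains, IP addresses, and CIDR ranges, handling subdomain matches and CONNECT tunnels. The indicators and log lines are constructed placeholders using reserved documentation addresses; the summary lists no real DevilsTongue infrastructure, and a real hunt would load a vendor feed in their place.

```python
"""Hunt proxy logs for known indicators (domains, IPs, CIDRs). Added example for the
'active hunting for known indicators' mitigation; not Recorded Future tooling.
Indicators and log lines are constructed placeholders, not real infrastructure."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed indicator set in the shape a vendor feed would provide.
INDICATORS = {
    "domains": {"update-check.placeholder-c2.invalid"},
    "ips": {"203.0.113.45"},        # TEST-NET-3 placeholder address
    "cidrs": {"198.51.100.0/24"},   # TEST-NET-2 placeholder range
}

# Constructed proxy log: timestamp client-ip method url-or-connect-target status bytes
LOG_LINES = """\
2025-01-14T09:12:01Z 10.0.5.21 GET https://www.example.org/news 200 5120
2025-01-14T09:12:09Z 10.0.5.21 GET https://cdn.update-check.placeholder-c2.invalid/a.js 200 3301
2025-01-14T09:13:44Z 10.0.7.8 CONNECT 203.0.113.45:443 200 0
2025-01-14T09:14:02Z 10.0.7.8 POST https://198.51.100.77/upload 200 88213
2025-01-14T09:15:30Z 10.0.5.30 GET https://mail.example.org/ 200 990
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


@dataclass
class Hit:
    timestamp: str
    client: str
    target: str
    indicator: str
    kind: str  # "domain", "ip" or "cidr"


class IndicatorSet:
    def __init__(self, domains, ips, cidrs):
        self.domains = {d.lower().rstrip(".") for d in domains}
        self.ips = {ipaddress.ip_address(i) for i in ips}
        self.cidrs = [ipaddress.ip_network(c, strict=False) for c in cidrs]

    def match_host(self, host):
        """Return (indicator, kind) if the host matches an indicator, else None."""
        host = host.lower().rstrip(".")
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            addr = None
        if addr is not None:
            if addr in self.ips:
                return str(addr), "ip"
            for net in self.cidrs:
                if addr in net:
                    return str(net), "cidr"
            return None
        for d in self.domains:
            if host == d or host.endswith("." + d):  # exact or subdomain match
                return d, "domain"
        return None


def target_host(method, url):
    """Destination host from a CONNECT target (host:port) or an absolute URL."""
    if method == "CONNECT":
        return urlsplit("//" + url).hostname or ""
    return urlsplit(url).hostname or ""


def hunt(log_text, indicators):
    """Return a Hit for every log line whose destination matches an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole hunt
        ts, client, method, url, _status, _size = m.groups()
        host = target_host(method, url)
        found = indicators.match_host(host)
        if found:
            hits.append(Hit(ts, client, host, found[0], found[1]))
    return hits


if __name__ == "__main__":
    for h in hunt(LOG_LINES, IndicatorSet(**INDICATORS)):
        print(f"{h.timestamp} {h.client} -> {h.target} matched {h.kind} {h.indicator}")
```

Matching on the destination host rather than the raw URL is what catches the subdomain and CIDR cases; a plain substring search over the log would miss the `198.51.100.77` hit and could false-positive on unrelated paths.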