Active infrastructure for Candiru spyware linked to Hungary, Saudi Arabia
Researchers have found new infrastructure believed to be used by the spyware manufacturer Candiru to attack computers through Windows malware.
The research, released by Recorded Future’s Insikt Group on Monday, revealed eight distinct operational clusters linked to the spyware, which is tracked as DevilsTongue. Five of them are highly likely to be active, including clusters tied to Hungary and Saudi Arabia, the report said.
“This infrastructure includes both victim-facing components likely used in the deployment and [command and control] of Candiru’s DevilsTongue spyware, and higher-tier infrastructure used by the spyware operators,” according to the report.
“While some clusters manage their victim-facing infrastructure directly, others do so through intermediary infrastructure layers or via the Tor network,” the researchers said, referring to the anonymity network that also provides access to the dark web.
In addition to the active clusters associated with Hungary and Saudi Arabia, researchers found another tied to Indonesia that appeared to be active until November 2024.
Researchers were unable to determine if two additional clusters associated with Azerbaijan remain active, the report said.
DevilsTongue is the name given to the Windows spyware by Microsoft itself. There is limited public reporting on the full range of its deployment methods, according to study author Julian-Ferdinand Vögele, a senior threat researcher at Recorded Future.
However, Vögele said that leaked materials have shown it can “theoretically” be delivered through malicious links, weaponized files, man-in-the-middle attacks and physical access to a Windows device.
DevilsTongue has been deployed through both attacker-controlled URLs such as those found in spearphishing emails, Vögele said, and through strategic website compromises known as watering hole attacks, which usually take advantage of vulnerabilities in web browsers.
Insikt Group also discovered a new entity within Candiru’s corporate network that appears to have been launched around when Candiru’s assets were acquired by the U.S.-based investment fund Integrity Partners, the report said. The report identifies the new entity as “a private Israeli company named Integrity Labs Ltd.”
Researchers believe the timing suggests the separate company could have been involved in the acquisition process.
The technology news outlet CTech reported in April that Integrity Partners had acquired Candiru’s assets for $30 million.
CTech reported that Integrity Partners then transferred Candiru’s assets and employees to a new entity, thereby avoiding U.S. government sanctions.
Integrity Partners lists no media contact or any email address on its website. A partner at the firm did not immediately respond to a LinkedIn message.
The Department of Commerce added Candiru to its Entity List in 2021. Inclusion on the list signals that a company is believed to pose a national security risk and places major restrictions on exports and other transactions.
Members of Spain’s Catalan independence campaign were targeted with Candiru spyware, according to a 2022 Citizen Lab report revealing a sprawling surveillance operation undertaken by the Spanish government.
Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.