Candiru’s Global Spyware Network Exposed: DevilsTongue and the Rising Threat of Mercenary Malware

Cybersecurity researchers have unveiled alarming new details about Candiru, the Israeli spyware company now operating as Saito Tech Ltd., revealing an expansive network of surveillance operations targeting individuals worldwide. At the heart of these operations is DevilsTongue, a sophisticated Windows-based spyware capable of infiltrating personal and corporate systems, collecting sensitive data, and remaining virtually undetectable. The revelations highlight ongoing risks posed by mercenary spyware firms and their global clients, from governments to intelligence agencies.

Expanding Spyware Networks

Using advanced tools like Recorded Future’s Network Intelligence, analysts at Insikt Group discovered eight separate infrastructure clusters linked to Candiru. These clusters serve multiple functions: some interact directly with victims to deliver and control spyware, while others handle higher-tier operations like coordination and anonymization. Currently, five of these clusters remain active, showing strong operational links to Hungary and Saudi Arabia.

One network connected to Indonesia operated until late 2024, while the status of two clusters associated with Azerbaijan is unclear because no victim-facing assets were observed. The infrastructure itself is layered and deliberately designed to obscure control paths, often routing traffic through intermediate servers or the Tor network to mask operator identities.

Insikt Group also uncovered a new corporate entity, Integrity Labs Ltd., likely tied to Candiru after its 2025 acquisition by US-based investment firm Integrity Partners. This acquisition suggests that Candiru’s global operations are evolving, potentially expanding its reach and capabilities.

Advanced Threats and Malware Capabilities

DevilsTongue is a modular spyware built in C and C++, capable of deep system intrusion. It can access files, browser history, and encrypted messages from applications like Signal. Microsoft’s analysis confirms its persistence techniques: hijacking COM components, redirecting legitimate registry entries to malicious DLLs, and abusing signed third-party drivers to access system memory stealthily.
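The COM-hijacking persistence described above can be audited from an exported view of the CLSID registrations. The following is an added example, not code from the article, Insikt Group or Microsoft; the CLSIDs, DLL paths and the TRUSTED_DIRS list are constructed assumptions for illustration:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ComRegistration:
    hive: str    # "HKLM" (machine-wide) or "HKCU" (per-user)
    clsid: str   # COM class id, e.g. "{...}"
    server: str  # default value of the CLSID's InprocServer32 key (DLL path)


# Assumed set of directories from which a legitimately installed in-process
# COM server is expected to load; tune to the environment being audited.
TRUSTED_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def normalize_path(server: str) -> str:
    """Lower-case and strip surrounding quotes so prefix checks are reliable."""
    return server.strip().strip('"').lower()


def find_com_hijacks(entries):
    """Return (clsid, server, reasons) for registrations matching hijack patterns.

    The merged HKCR view prefers HKCU\\Software\\Classes over HKLM, so a per-user
    key that shadows a machine-wide CLSID redirects every process loading that
    class; a server DLL outside the trusted directories is suspicious in either hive.
    """
    machine_wide = {e.clsid.lower() for e in entries if e.hive == "HKLM"}
    findings = []
    for e in entries:
        reasons = []
        if e.hive == "HKCU" and e.clsid.lower() in machine_wide:
            reasons.append("per-user key shadows machine-wide registration")
        if not normalize_path(e.server).startswith(TRUSTED_DIRS):
            reasons.append("server DLL outside trusted directories")
        if reasons:
            findings.append((e.clsid, e.server, reasons))
    return findings


# Constructed sample export: CLSIDs and paths are made up for illustration.
SAMPLE_EXPORT = [
    ComRegistration("HKLM", "{11111111-2222-3333-4444-555555555555}", r"C:\Windows\System32\shell32.dll"),
    ComRegistration("HKCU", "{11111111-2222-3333-4444-555555555555}", r"C:\Users\alice\AppData\Roaming\upd.dll"),
    ComRegistration("HKCU", "{66666666-7777-8888-9999-000000000000}", r'"C:\Program Files\Vendor\plugin.dll"'),
    ComRegistration("HKLM", "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}", r"C:\ProgramData\svc\helper.dll"),
]

if __name__ == "__main__":
    for clsid, server, reasons in find_com_hijacks(SAMPLE_EXPORT):
        print(clsid, server, "; ".join(reasons))
```

On a live host the same logic applies to entries read from HKCU and HKLM `Software\Classes\CLSID\{guid}\InprocServer32`; a hit is a lead for triage, not proof of compromise.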

Its in-memory execution and encrypted payloads make detection exceptionally difficult, while its delivery methods include malicious links, weaponized Office documents, and watering hole attacks. Past exploitation events reveal Candiru’s use of zero-day vulnerabilities such as CVE-2021-21166, CVE-2021-30551, and CVE-2021-33742 to compromise systems in Armenia and the Middle East. More recent attacks in Lebanon and Yemen leveraged CVE-2022-2294, a Chrome WebRTC flaw, to target journalists and news organizations.

Candiru is also experimenting with “ad-based infections” using a capability called Sherlock, developed by Israeli vendor Insanet. This method delivers malware through targeted digital ads, potentially infecting Windows, Android, and iOS devices without direct exploitation. Despite being added to the US Entity List in 2021, Candiru continues its operations under new ownership and structures, raising serious privacy and national security concerns.

What Undercode Says:

Candiru’s persistent activity demonstrates how mercenary spyware operations are evolving into highly sophisticated global networks. The layered infrastructure design and Tor-based routing reveal a deliberate approach to evade detection, making it challenging for cybersecurity teams to map attack paths fully. The adoption of ad-based infection strategies via Sherlock indicates a shift toward less conspicuous distribution methods, allowing broader targeting without the need for traditional exploits.

Governments, journalists, and activists remain primary targets, underscoring the geopolitical nature of these threats. The use of zero-day vulnerabilities highlights the importance of rapid patching and proactive threat intelligence. Organizations must adopt strict segmentation between personal and work devices, enhance endpoint monitoring, and implement behavior-based detection strategies, as conventional signature-based detection is increasingly insufficient.

The corporate restructuring under Integrity Labs Ltd. could signify a new phase of expansion, blending commercial investment with persistent espionage capabilities. Analysts should monitor emerging campaigns for signs of cross-platform malware deployment, especially given the demonstrated potential to exploit Windows, Android, and iOS systems simultaneously.

From a cybersecurity perspective, Candiru represents a broader challenge posed by mercenary spyware: operations that are technically advanced, legally opaque, and difficult to attribute. Global cooperation, intelligence sharing, and improved legislative frameworks are critical to counter such threats. Public awareness is equally essential, as these attacks often exploit human behavior—malicious links, phishing emails, and targeted digital advertisements—to gain access.

Fact Checker Results:

✅ Candiru operates under the name Saito Tech Ltd.

✅ DevilsTongue targets Windows systems and exploits zero-day vulnerabilities.

❌ There is no evidence that Candiru has ceased operations after US Entity List restrictions.

Prediction:

📊 The evolution of ad-based malware campaigns like Sherlock could significantly expand Candiru’s reach over the next two years, targeting multiple platforms simultaneously. Governments may accelerate investments in threat intelligence to counter mercenary spyware, while organizations will need enhanced segmentation and AI-based detection tools to protect sensitive data. Increased global scrutiny could also lead to regulatory measures targeting spyware vendors and their financial backers.


References:

Reported By: cyberpress.org