Tracking Candiru’s DevilsTongue Spyware in Multiple Countries

Note: The analysis cut-off date for this report was June 26, 2025

Executive Summary

Insikt Group identified new infrastructure associated with several clusters linked to the spyware vendor Candiru. This includes both victim-facing components likely used for deploying and controlling Candiru’s DevilsTongue spyware and higher-tier operator infrastructure. DevilsTongue is a sophisticated, modular Windows malware. The clusters vary in design and administration: some directly manage victim-facing systems, while others use intermediaries or the Tor network. Eight distinct clusters were identified, five of which are likely still active, including those linked to Hungary and Saudi Arabia. One cluster tied to Indonesia was active until November 2024, and two associated with Azerbaijan have uncertain status because no victim-facing infrastructure was identified for them. Insikt Group also identified a company suspected to be part of Candiru’s corporate network.

The use of mercenary spyware like DevilsTongue, both domestically and internationally, outside of serious crime or counterterrorism contexts, poses serious privacy, legal, and safety risks to targets, their organizations, and even the operators. Because each deployment is costly (based on researchers’ assessments of leaked sales information), individuals with high intelligence value, such as politicians, business leaders, and people in sensitive roles, are particularly at risk. Despite regulatory and legal efforts worldwide, including the US Department of Commerce adding Candiru to its Entity List, the EU's resolution to curb spyware abuse, and the UK- and France-led Pall Mall initiative to define and regulate legitimate use, Candiru has proven resilient, for example by seeking removal from the Entity List, and continues to pose a significant threat.

In the short term, defenders should implement security best practices, including regular software updates, hunting for known indicators, pre-travel security briefings, and strict separation of personal and corporate devices. These measures should be supported by ongoing employee security awareness training to enhance understanding of infection vectors and malware capabilities and promote a culture of minimal data exposure. In the long term, organizations should invest in thorough risk assessments to inform more nuanced and adaptive security policies.

As the mercenary spyware market grows, with new vendors, products, and more countries seeking advanced cyber capabilities, the risk of being targeted now extends beyond civil society to anyone of interest to actors with access to such tools or their equivalents. At the same time, sustained profitability, rising competition, and stronger IT defenses are fueling innovation, as evidenced by alleged ad-based infections, direct attacks on messaging servers, and enhanced persistence (1, 2, 3). These trends are driving stealthier infection chains, targeting of cloud backups, a more professionalized spyware ecosystem, and broader tool portfolios. Effective mitigation, therefore, requires continuous ecosystem monitoring, thorough risk assessment, and stronger regulatory action from policymakers.

Key Findings

Background

Candiru, the Company

Candiru Ltd., now operating as Saito Tech Ltd., is an Israeli company that was founded in 2014 by Eran Shorer and Yaakov Weizmann. The company's original name, Candiru, draws from a notorious parasitic fish known for its stealth and invasiveness, a metaphor for the company’s spyware capabilities. Isaac Zack, an early investor in NSO Group, was reported to be serving as Candiru’s chairman. The company reportedly secured funding from the Founders Group, an angel syndicate co-founded by Omri Lavie and Shalev Hulio, the co-founders of NSO Group. Activity linked to the company is also tracked under the alias SOURGUM by Microsoft. In this report, Insikt Group uses the name Candiru, as this is the most widely known name for the company.

Over time, Candiru has frequently relocated its offices and restructured its corporate registration to maintain operational secrecy (see Figure 1).

Figure 1: Timeline of Candiru’s corporate registrations (Source: Recorded Future, derived from Citizen Lab)

Court filings from a lawsuit brought by a former senior employee revealed that Candiru grew from 12 employees in 2015 to 70 by 2018. The company began securing contracts with government clients across Europe, the Middle East, Asia, and Latin America as early as 2016. That same year, it reportedly generated $10 million in revenue, which increased to $20–30 million by 2018, with an additional $367 million in pending deals involving 60 government clients. Negotiations were often conducted through local intermediaries.

In 2017, Candiru is believed to have started developing spyware for mobile devices, a development later confirmed by Israeli newspaper Haaretz, based on leaked internal documents. That same year, Candiru re-registered as DF Associates Ltd. (ד. אפ אסוסיאייטס בע"מ).

In 2018, the company rebranded to Grindavik Solutions Ltd. (גרינדוויק פתרונות בע"מ).

By 2019, Candiru was valued at approximately $90 million, following the sale of a 10% equity stake by venture capitalist Eli Wartman to Universal Motors Israel (UMI). Reports also suggest investment from the Qatari sovereign wealth fund. That same year, Vice News reported that Kaspersky Lab had identified Candiru spyware in use by the Uzbekistan State Security Service (SSS). The SSS had reportedly used Kaspersky antivirus software to test the spyware's stealth and had configured an official government domain ("itt[.]uz") for its C2 communications. This leak led to the identification of other Candiru clients, including Saudi Arabia and the United Arab Emirates (UAE). The company renamed itself to Taveta Ltd. (טאבטה בע"מ) in 2019 as well.

In 2020, the company created a subsidiary named Sokoto. That same year, Candiru’s board included founders Shorer and Weizmann, chairman Isaac Zack, and a representative from Universal Motors Israel. Candiru also changed its name to Saito Tech Ltd. (סאייטו טק בע"מ).

By 2021, company filings listed Universal Motors Israel, ESOP Management and Trust Services Ltd. (which manages employee stock ownership programs), and Optas Industry Ltd. (a proxy for the Qatari fund) as minority shareholders.

In April 2021, cybersecurity firm ESET uncovered an espionage operation using Candiru spyware in a watering hole attack targeting the UK news outlet Middle East Eye, news outlets associated with the Houthis and Hezbollah, and a likely dissident media outlet in Saudi Arabia. Additional victims included the websites of an Iranian embassy, Italian and South African aerospace firms, and Syrian and Yemeni government websites.

In July 2021, Citizen Lab and Microsoft revealed that Candiru’s spyware had been widely deployed by multiple government clients, compromising at least 100 victims globally. The targets included politicians, human rights defenders, journalists, academics, embassy staff, and political dissidents. Microsoft reported that approximately half of the victims it observed were located in Palestine. The remaining victims were in Israel, Iran, Lebanon, Yemen, Spain (Catalonia), the United Kingdom, Türkiye, Armenia, and Singapore. The spyware's infrastructure was traced to several countries, including Saudi Arabia, Israel, the UAE, Hungary, and Indonesia. The domains Candiru used also hint at its targets: they spoofed international media, advocacy organizations (including Black Lives Matter, Amnesty International, and Refugees International), gender studies events (including a conference on the topic), and international organizations (including the Office of the Special Envoy of the Secretary-General for Yemen, the UN, and the WHO).

In November 2021, the US Department of Commerce added both Candiru and NSO Group to its Entity List, citing their role in supplying spyware to foreign governments engaged in malicious activities.

In April 2022, Citizen Lab reported that members of the Catalan independence movement had been targeted with Candiru spyware as part of a domestic surveillance operation authorized by the Spanish government (see Figure 2). The campaign reportedly included surveillance of elected officials and political activists. Candiru spyware specifically was used to target four Catalans working in the open-source and digital voting communities. One Catalan technologist, Elies Campo, was sent an email with a link that, if clicked, would have led to a Candiru infection; at the time he resided in the US and had a US SIM card in his device. Additionally, Citizen Lab reported on suspected targeting of Saudi Arabian social media users.

Figure 2: Timeline of Candiru targeting (Source: Recorded Future)

Suspected New Company After Acquisition

In April 2025, the technology news outlet CTech reported that Candiru had been acquired several months earlier by Integrity Partners in a $30 million deal. Notably, Integrity Partners, an American investment firm whose partners include Elad Yoran (brother of Amit Yoran, former CEO of Tenable), had also previously placed a bid to acquire Pegasus spyware developer NSO Group.

The reporting indicates that Integrity Partners acquired Candiru’s assets and transferred them, along with all company employees, to a newly established entity not currently subject to US government sanctions. By the time of the report, the first phase of the agreement had already been completed, involving the transition of employees to the new entity for $10 million. The second phase, which entails the transfer of Candiru’s export licenses, was to be finalized once the necessary approvals were secured.

Notably, WHOIS records associated with Nerfwall, an alias linked to Candiru, led Insikt Group to identify the domain integrity-labs[.]ltd, registered on March 31, 2025. In this context, Insikt Group also identified a private Israeli company named Integrity Labs Ltd (אינטגריטי לאבס בע"מ), incorporated on December 18, 2024, under company number 517081089 and based in Herzliya, Israel. According to corporate registry records obtained by Recorded Future, the company is directed by Naftali Yoran. Open-source reporting indicates that Elad Yoran is also known as Naftali Yoran.

Licensing Model

A leaked Candiru project proposal published by TheMarker, an Israeli news outlet, suggests that, similar to other spyware vendors like Intellexa, Candiru licenses its spyware according to the number of concurrent infections, which refers to the number of targets that can be actively monitored at any given moment. For example, one €16 million proposal allows for unlimited infection attempts but limits monitoring to ten devices simultaneously. Customers can expand this capacity: for an additional €1.5 million, they can monitor fifteen more devices and gain authorization to target one additional country; for €5.5 million, they can monitor 25 more devices and operate in five additional countries (see Figure 3). Another €1.5 million upgrade offers a remote shell capability, granting full command-line access to infected devices, raising particular concern due to its potential use for uploading files or planting incriminating content.

Figure 3: Candiru pricing options (Source: Citizen Lab)

The leaked proposal further states that the product is intended to operate solely within “agreed upon territories,” explicitly listing the US, Russia, China, Israel, and Iran as restricted countries. Despite these limitations, Microsoft has identified Candiru victims in Iran and Israel, indicating that the spyware may, in certain cases, be deployed beyond its officially sanctioned regions. Corroborating this, the targeting infrastructure analyzed in Citizen Lab’s report from 2021 includes domains impersonating the Russian postal service. That report also details the targeting of a Catalan technologist while he was living in the US, as mentioned above.

DevilsTongue

DevilsTongue, the name given by Microsoft to the Windows-based spyware developed by Candiru, is a complex, modular, multi-threaded malware written in C and C++ with a wide range of capabilities. Most of what is known about DevilsTongue stems from Microsoft's analysis and a leaked Candiru project proposal published by TheMarker. However, given the extensive list of suspected components and features, and the age of both reports, Insikt Group assesses that the malware's capabilities have likely evolved since then.

The leaked documents reveal that Candiru’s spyware was designed for deep access to victim devices, enabling file extraction, browser data collection, and even the theft of encrypted messages from the Signal Messenger desktop app. Figure 4 presents an excerpt from the leaked Candiru project proposal outlining the spyware’s Windows-specific capabilities.

Figure 4: Candiru’s capabilities on Windows devices (Source: Citizen Lab)

According to Microsoft’s detailed analysis, DevilsTongue is a stealthy malware with both user- and kernel-mode components. It maintains persistence via COM hijacking by overwriting a legitimate COM class registry key’s DLL path with a first-stage DLL dropped in C:\Windows\system32\IME\, and it stores encrypted second-stage payloads in the configuration directory. A signed third-party driver (physmem.sys) enables kernel-level memory access and API call proxying to avoid detection. To preserve system stability, DevilsTongue reinjects the original COM DLL during hijacking, disguising this action through shellcode manipulation of the LoadLibraryExW return value. All additional payloads are decrypted and executed only in memory, allowing the malware to steal credentials from LSASS and browsers, access Signal messages, and use browser cookies to impersonate victims on platforms like Facebook, Gmail, and VK. The malware’s use of scrubbed metadata, encryption, and unique hashes for each file further complicates detection and analysis.
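The COM hijack described above leaves a hunting artifact: a CLSID whose InprocServer32 default value points at a DLL in an unexpected location, such as a subfolder of C:\Windows\system32\IME\ or a directory outside the Windows and Program Files roots. The script below is an added example written for this page, not Recorded Future's or Microsoft's tooling. It parses a `reg export HKCR\CLSID` dump offline and flags such entries for review. The .reg text, GUIDs, and file names in it are constructed placeholders, not Candiru indicators, and an IME-path hit means "verify the signer and owner of that DLL", not "confirmed malicious", because legitimate input-method DLLs are registered there too.

```python
"""Triage a .reg export of HKCR\\CLSID for suspicious COM InprocServer32 paths.

Added example for this page (not vendor or Insikt Group code). The .reg sample
is constructed; GUIDs and DLL names are placeholders, not real indicators.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample of `reg export HKCR\CLSID` output. .reg files double the
# backslashes inside string values, hence the \\\\ in the raw string below.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000001-0000-0000-C000-000000000046}\InprocServer32]
@="C:\\Windows\\System32\\ole32.dll"
"ThreadingModel"="Both"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Windows\\system32\\IME\\SPTIP\\example.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{BBBBBBBB-1111-2222-3333-444444444444}\InprocServer32]
@="%SystemRoot%\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{CCCCCCCC-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Users\\Public\\Libraries\\helper.dll"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
DEFAULT_RE = re.compile(r'^@="(?P<val>.*)"\s*$')

# Paths a COM server DLL is normally loaded from. Anything else is reviewed.
TRUSTED_ROOTS = (
    'c:\\windows\\system32\\',
    'c:\\windows\\syswow64\\',
    'c:\\program files\\',
    'c:\\program files (x86)\\',
)
# Microsoft reported DevilsTongue's first-stage DLL under subfolders of this directory.
IME_DIR = 'c:\\windows\\system32\\ime\\'


def _normalize(reg_value: str) -> str:
    """Undo .reg escaping, expand %SystemRoot%, and lower-case for comparison."""
    path = reg_value.replace('\\\\', '\\').replace('\\"', '"').strip().strip('"')
    path = path.lower()
    return path.replace('%systemroot%', 'c:\\windows')


def parse_inproc_servers(reg_text: str) -> Dict[str, str]:
    """Map CLSID -> normalized InprocServer32 default value (the DLL path)."""
    servers: Dict[str, str] = {}
    current_key = None
    for line in reg_text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current_key = m.group('key')
            continue
        m = DEFAULT_RE.match(line)
        if m and current_key and current_key.lower().endswith('\\inprocserver32'):
            clsid = current_key.split('\\')[-2]  # ...\CLSID\{GUID}\InprocServer32
            servers[clsid] = _normalize(m.group('val'))
    return servers


def classify(path: str) -> str:
    """Return 'ime-subdir', 'untrusted-root', or 'ok' for one server path."""
    if path.startswith(IME_DIR):
        return 'ime-subdir'       # legitimate IME DLLs live here too: verify the signer
    if not path.startswith(TRUSTED_ROOTS):
        return 'untrusted-root'
    return 'ok'


def hunt(reg_text: str) -> List[Tuple[str, str, str]]:
    """Return (clsid, path, reason) for every InprocServer32 that needs a look."""
    findings = []
    for clsid, path in parse_inproc_servers(reg_text).items():
        reason = classify(path)
        if reason != 'ok':
            findings.append((clsid, path, reason))
    return findings


if __name__ == '__main__':
    for clsid, path, reason in hunt(SAMPLE_REG):
        print(f'{reason:15} {clsid} -> {path}')
```

On a live host the same logic can be fed with `reg export HKCR\CLSID clsid.reg /y` (and the HKCU\Software\Classes\CLSID hive, since per-user keys shadow machine-wide ones and are a common hijack target). Each hit should be followed by a signature and timestamp check on the DLL itself, because the path alone does not prove compromise.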

Overlap with CHAINSHOT

CHAINSHOT is an exploit kit that has previously been associated with Candiru. It has been observed in use by threat actor groups such as Stealth Falcon and SandCat, the latter believed to be linked to the Uzbek government. SandCat drew significant attention in 2019 due to a series of operational security errors that not only exposed multiple zero-day vulnerabilities but also enabled direct attribution to Uzbekistan’s State Security Service (SSS). Notably, another threat actor known as PuzzleMaker has also been mentioned in connection with CHAINSHOT, because it used a rare technique that is nonetheless probably not exclusive to one actor. Although the connection between CHAINSHOT and Candiru was initially circumstantial, researchers at Citizen Lab later established a clearer link. They identified a shared fingerprint, including a matching IP address, that tied CHAINSHOT’s final spyware delivery URL to infrastructure documented in a 2018 report by Palo Alto Networks, thereby reinforcing the association between CHAINSHOT and Candiru.

Initial Access Vectors

According to the leaked materials discussed above, Candiru’s spyware can be deployed through multiple vectors, including malicious links, weaponized files, man-in-the-middle (MitM) attacks, and physical access. However, based on Insikt Group’s current knowledge, public reporting has only confirmed the use of the first two vectors in documented Candiru-related infections, although it is highly likely that the other vectors have also been employed. For malicious links, Candiru has used both actor-controlled links delivered through spearphishing emails and strategic website compromises known as watering hole attacks, with infections typically involving exploits that target web browsers (1, 2).

For instance, Google’s Threat Analysis Group (TAG) disclosed in 2021 that two Google Chrome renderer remote code execution zero-day vulnerabilities (CVE-2021-21166 and CVE-2021-30551) had been exploited by Candiru. These exploits were distributed via single-use links sent to specific targets, who were believed to be located in Armenia. The links directed recipients to attacker-controlled domains impersonating legitimate websites relevant to the victims’ interests. Google TAG discovered that CVE-2021-21166 also affected WebKit, prompting Apple to patch it as CVE-2021-1844; however, there is no evidence it was used against Safari users.

In April 2021, Google TAG identified a campaign targeting Armenian users with malicious Office documents that loaded web content through Internet Explorer. This was achieved either by embedding a remote ActiveX object using a Shell.Explorer.1 OLE object or by launching an Internet Explorer process via VBA macros to navigate to a web page. Following a fingerprinting phase, targets were served an Internet Explorer zero-day exploit, later assigned CVE-2021-33742 and patched by Microsoft in June 2021. TAG’s analysis indicates that the Internet Explorer exploits were developed and supplied by the same entity responsible for the previously mentioned Google Chrome exploits.
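A document built the way the paragraph above describes leaves two recognizable traces in the Office Open XML package: an `o:OLEObject` element whose `ProgID` is `Shell.Explorer.1` (the Internet Explorer WebBrowser control), or a `vbaProject.bin` part holding the macro that launches Internet Explorer. The scanner below is an added example for this page, not Google TAG's or the vendor's code. It builds a minimal .docx in memory with both traces and checks for them; the package contents are constructed for the example, the embedded OLE blob is a stand-in that only carries the control's CLSID, and the check is a triage heuristic (a ProgID hit says the document references the WebBrowser control, not that the content it loads is malicious).

```python
"""Flag OOXML documents that embed the IE WebBrowser control or carry VBA.

Added example for this page (not TAG's or a vendor's code). The .docx below is
constructed in memory; the OLE blob is a stand-in containing only the CLSID.
"""
import io
import re
import uuid
import zipfile
from typing import Dict, List

WEBBROWSER_PROGID = "Shell.Explorer.1"
# CLSID of the Internet Explorer WebBrowser (Shell.Explorer) control.
WEBBROWSER_CLSID = uuid.UUID("8856F961-340A-11D0-A96B-00C04FD705A2")

PROGID_RE = re.compile(r'ProgID="([^"]+)"', re.IGNORECASE)


def scan_ooxml(data: bytes) -> Dict[str, List[str]]:
    """Collect OLE ProgIDs, VBA parts, and embeddings carrying the WebBrowser CLSID."""
    findings: Dict[str, List[str]] = {"ole_progids": [], "vba_parts": [], "webbrowser_embeddings": []}
    # OLE compound files store GUIDs in mixed-endian layout; bytes_le reproduces it.
    clsid_bytes = WEBBROWSER_CLSID.bytes_le
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):
                findings["vba_parts"].append(name)
            elif lower.endswith(".xml"):
                text = zf.read(name).decode("utf-8", "replace")
                findings["ole_progids"].extend(PROGID_RE.findall(text))
            elif "/embeddings/" in lower and clsid_bytes in zf.read(name):
                findings["webbrowser_embeddings"].append(name)
    return findings


def is_suspicious(findings: Dict[str, List[str]]) -> bool:
    """True if the document can load web content through IE by either route."""
    return (
        WEBBROWSER_PROGID in findings["ole_progids"]
        or bool(findings["webbrowser_embeddings"])
        or bool(findings["vba_parts"])
    )


def build_sample_docx() -> bytes:
    """Constructed .docx with a Shell.Explorer.1 OLE object and a VBA part."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:o="urn:schemas-microsoft-com:office:office" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        '<w:body><w:p><w:r><w:object>'
        '<o:OLEObject Type="Embed" ProgID="Shell.Explorer.1" ShapeID="_x0000_i1025" '
        'DrawAspect="Content" ObjectID="_1" r:id="rId5"/>'
        '</w:object></w:r></w:p></w:body></w:document>'
    )
    # Stand-in for the real OLE storage: padding around the control's CLSID.
    ole_blob = b"\x00" * 64 + WEBBROWSER_CLSID.bytes_le + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/embeddings/oleObject1.bin", ole_blob)
        zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


def build_clean_docx() -> bytes:
    """Constructed .docx with plain text only, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document><w:body><w:p/></w:body></w:document>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_docx()), ("clean", build_clean_docx())):
        result = scan_ooxml(blob)
        print(label, "suspicious" if is_suspicious(result) else "clean", result)
```

In practice the same scan applies to .xlsx and .pptx packages (the OLE markup and embeddings folder follow the same pattern), and a legacy .doc would need an OLE compound-file parser rather than a zip reader. Mail gateways that already unpack OOXML can add the ProgID check cheaply; the VBA check alone will generate noise in environments where macros are common.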

In July 2022, Avast reported that CVE-2022-2294, a high-severity heap buffer overflow vulnerability in WebRTC within Google Chrome, was exploited to execute shellcode in the browser’s renderer process, targeting users in the Middle East. The exploit, designed specifically for Windows, was likely combined with a sandbox escape, though the second-stage exploit could not be recovered. In Lebanon, the attackers compromised a website used by employees of a news agency, which contained signs of persistent cross-site scripting (XSS) attacks, likely as part of their testing phase, before ultimately injecting malicious JavaScript from an attacker-controlled domain. This injected code selectively redirected intended victims through a chain of attacker-controlled domains to the exploit server. Prior to Avast’s report, ESET had reported on strategic web compromises across the Middle East, with a strong focus on Yemen, that they attributed to Candiru with medium confidence.

Beyond the previously mentioned vectors, reports from 2023 indicate that Candiru also possessed a capability known as Sherlock. Sherlock is a commercial surveillance capability developed by the Israeli software maker Insanet that is capable of infecting devices running Windows, Android, and iOS. Unlike traditional spyware that exploits software vulnerabilities, Sherlock leverages programmatic advertising to deliver its payload. By placing malicious ads through ad exchanges, it can target specific individuals based on demographics and location, leading to the covert installation of spyware when the ad is displayed on a user's device.
