Israeli surveillance firm Candiru used Windows zero-days to deploy spyware

Pierluigi Paganini July 15, 2021

Experts said that Israeli surveillance firm Candiru, tracked as Sourgum, exploited zero-days to deliver a new Windows spyware.

Microsoft and Citizen Lab believe that the secretive Israel-based Israeli surveillance firm Candiru, tracked as Sourgum, used Windows zero-day exploits to deliver a new Windows spyware dubbed DevilsTongue.

According to the experts, at least 100 activists, journalists and government dissidents across 10 countries were targeted with Candiru’s spyware.

“A world where private sector companies manufacture and sell cyberweapons is more dangerous for consumers, businesses of all sizes and governments. We take this threat seriously and have disrupted the use of certain cyberweapons manufactured and sold by a group we call Sourgum.” reads the post published by Microsoft. “The weapons disabled were being used in precision attacks targeting more than 100 victims around the world including politicians, human rights activists, journalists, academics, embassy workers and political dissidents.”

Candiru sells surveillance software exclusively to governments, its spyware could spy on iPhones, Androids, Macs, PCs, and cloud accounts.

“Working with Microsoft Threat Intelligence Center (MSTIC) we analyzed the spyware, resulting in the discovery of CVE-2021-31979 and CVE-2021-33771 by Microsoft, two privilege escalation vulnerabilities exploited by Candiru. Microsoft patched both vulnerabilities on July 13th, 2021.” reads the report published by Citizen Lab.

“As part of their investigation, Microsoft observed at least 100 victims in Palestine, Israel, Iran, Lebanon, Yemen, Spain, United Kingdom, Turkey, Armenia, and Singapore. Victims include human rights defenders, dissidents, journalists, activists, and politicians.”

According to TheMarker, Candiru’s spyware can be deployed through different vectors, including malicious links, man-in-the-middle attacks, and physical attacks. The firm also offers an infection vector named “Sherlock” that works on Windows, iOS, and Android. Citizen Labs experts believe that Sherlock may be a browser-based zero-click vector.


While investigating some attacks, Citizen Labs spotted the presence of malware that exploited CVE-2021-31979 and CVE-2021-33771 zero-day vulnerabilities. Both issues were fixed by Microsoft with the release of July Patch Tuesday security updates.

Using Internet scanning, researchers identified more than 750 websites belonging to Candiru’s spyware infrastructure. The company used domains masquerading as advocacy organizations such as Amnesty International, the Black Lives Matter movement, as well as media companies, and other civil-society-themed entities.

DevilsTongue allows operators to spy on the victims, collect sensitive data, decrypt and steal Signal messages on Windows devices, steal info for major web browsers. 

DevilsTongue spyware could send messages from logged-in email and social media accounts using the infected system. Operators could use this feature to send malicious messages to the victim’s contacts.

“Candiru’s apparent widespread presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse. This case demonstrates, yet again, that in the absence of any international safeguards or strong government export controls, spyware vendors will sell to government clients who will routinely abuse their services. Many governments that are eager to acquire sophisticated surveillance technologies lack robust safeguards over their domestic and foreign security agencies.” concludes Citizen Labs.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Sourgum)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment