#DevilsTongue

Candiru's DevilsTongue spyware is targeting high-profile individuals globally, showcasing advanced evasion techniques. Stay informed and secure. #CyberSecurity #Spyware #DevilsTongue Link: thedailytechfeed.com/devilstongue...

DevilsTongue Spyware Attacking Windows System, Linked to Saudi Arabia, Hungary

Cybersecurity experts have discovered a new infrastructure suspected to be used by spyware company Candiru to target computers via Windows malware.

DevilsTongue spyware targets Windows systems

The research by Recorded Future’s Insikt Group disclosed eight different operational clusters associated with the spyware, which is termed as DevilsTongue. Five are highly active, including clusters linked to Hungary and Saudi Arabia.

About Candiru’s spyware

According to the report, the “infrastructure includes both victim-facing components likely used in the deployment and [command and control] of Candiru’s DevilsTongue spyware, and higher-tier infrastructure used by the spyware operators.” While a few clusters directly handle their victim-facing infrastructure, others follow an intermediary infrastructure layers approach or through the Tor network, which allows threat actors to use the dark web.

Additionally, experts discovered another cluster linked to Indonesia that seemed to be active until November 2024. Experts couldn’t assess whether the two extra clusters linked with Azerbaijan are still active.

Mode of operation

Mercenary spyware such as DevilsTongue is infamous worldwide, known for use in serious crimes and counterterrorism operations. However, it also poses various legal, privacy, and safety risks to targets, their companies, and even the reporter, according to Recorded Future.

Windows itself has termed the spyware Devil's Tongue. There is not much reporting on its deployment techniques, but the leaked materials suggest it can be delivered via malicious links, man-in-the-middle attacks, physical access to a Windows device, and weaponized files. DevilsTongue has been installed via both threat actor-controlled URLs that are found in spearphishing emails and via strategic website attacks known as ‘watering hole,’ which exploit bugs in the web browser.

Insikt Group has also found a new agent inside Candiru’s network that is suspected to have been released during the time when Candiru’s assets were acquired by Integrity Partners, a US-based investment fund. Experts believe that a different company might have been involved in the acquisition.

How to stay safe?

In the short term, experts from Recorded Future advise defenders to “implement security best practices, including regular software updates, hunting for known indicators, pre-travel security briefings, and strict separation of personal and corporate devices.” In the long term, organizations are advised to invest in robust risk assessments to create effective policies.

DevilsTongue Spyware Attacking Windows System, Linked to Saudi Arabia, Hungary #ArtificialIntelligence #DevilsTongue #Internet


Unveiling DevilsTongue: A sophisticated Windows spyware developed by Israeli firm Candiru, targeting users globally. Learn about its capabilities and impact. #CyberSecurity #Spyware #DevilsTongue Link: thedailytechfeed.com/unveiling-de...


2/ The infrastructure includes both victim-facing components, likely used for deploying & controlling the modular Windows spyware #DevilsTongue, as well as higher-tier infrastructure run by the operators behind it.


Two months ago was a crazy time for #chilipeppers. #7PotPrimo #BrainStrain #ChocolateHabanero #ChocolateScotchBonnet #Aramgeddon #Ghost #CarolinaReaper #LeviathanScorpion #DragonsBreath #DevilsTongue #Tobasco #WhiteMaruga #SugarRush & chocolate #superhot hybrids. All fermented, lots of blending now.
