Network diagram of Cluster 1 | Source: Recorded Future
In a reminder of the persistent threat posed by commercial spyware vendors, Insikt Group has uncovered new operational infrastructure tied to Candiru—the shadowy Israeli mercenary spyware company known for its potent malware, DevilsTongue. The report reveals a sprawling surveillance ecosystem with active clusters linked to countries like Hungary, Saudi Arabia, and Indonesia, reinforcing fears that surveillance tech is being wielded far beyond the realm of lawful counterterrorism.
Founded in 2014 by Eran Shorer and Yaakov Weizmann, Candiru, which now operates under aliases including Saito Tech Ltd., has long been in the spotlight for arming governments with offensive cyber tooling. Tracked by Microsoft as SOURGUM, the company grew from a 12-person startup into an operation reportedly earning $20–30 million annually by 2018, with clients across Europe, the Middle East, Asia, and Latin America.
Despite efforts to evade scrutiny—including frequent rebranding, restructuring, and a name inspired by a parasitic Amazonian fish—Candiru has become one of the most notorious names in spyware. In 2021, the U.S. Department of Commerce added it to the Entity List, citing its spyware’s use in “malicious cyber activities.”
“The use of mercenary spyware like DevilsTongue… poses serious privacy, legal, and safety risks to targets, their organizations, and even the operators.”
At the heart of Candiru’s arsenal is DevilsTongue, a modular Windows spyware with both user-mode and kernel-mode components. First publicly analyzed by Microsoft in 2021, it persists through COM hijacking, keeps its additional payloads encrypted on disk and decrypts them only in memory, and can harvest everything from LSASS credential material to decrypted Signal messages and browser cookies and saved passwords.
“All additional payloads are decrypted and executed only in memory… allowing the malware to impersonate victims on platforms like Facebook, Gmail, and VK.”
Notably, rather than loading an unsigned kernel driver of its own, DevilsTongue abuses a legitimately signed third-party driver, physmem.sys, to proxy kernel-mode API calls. This keeps the system stable and sidesteps driver-signature enforcement and the detections that a custom driver would trigger.
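The COM-hijacking persistence mentioned above is worth a concrete look, because it is cheap to hunt for. The detector below is an added example for this article, not code from Microsoft’s DevilsTongue analysis or from the Recorded Future report. It parses a constructed `reg export` snippet (the CLSIDs, user name and DLL paths are invented) and flags per-user InprocServer32 registrations that either shadow a machine-wide CLSID with a different DLL or point a user-only CLSID at a DLL outside a set of trusted directories; those trusted prefixes are an assumption and should be tuned per environment.

```python
"""COM-hijack persistence detector run over a registry export.

Added example for this article, not code from Microsoft's DevilsTongue
analysis or the Recorded Future report. The .reg text below is
constructed; the trusted-path prefixes are an assumption.

Background: when a process instantiates a COM class, the per-user
HKCU\\Software\\Classes\\CLSID entry takes precedence over the machine-wide
HKLM entry. An implant that writes its own InprocServer32 under HKCU for
a CLSID that a legitimate process loads gets its DLL loaded without
touching HKLM, a Run key or a scheduled task.
"""
import re

# Constructed `reg export` output (hypothetical CLSIDs and paths).
# Case 1: HKCU shadows an HKLM CLSID with a different DLL (hijack).
# Case 2: HKCU duplicates the HKLM registration exactly (benign).
# Case 3: user-only CLSID pointing into %TEMP% (suspicious).
# Case 4: user-only CLSID pointing at a system DLL (not flagged).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A0A0A0A-0000-4000-8000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{0A0A0A0A-0000-4000-8000-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Updater\\svc.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A0A0A0A-0000-4000-8000-000000000002}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{0A0A0A0A-0000-4000-8000-000000000002}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{0A0A0A0A-0000-4000-8000-000000000003}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\x.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{0A0A0A0A-0000-4000-8000-000000000004}\InprocServer32]
@="C:\\Windows\\System32\\oleaut32.dll"
"""

# Matches the key header of an InprocServer32 subkey in either hive.
KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\Software\\Classes\\CLSID\\"
    r"(\{[0-9A-Fa-f-]+\})\\InprocServer32\]$",
    re.IGNORECASE,
)
# The default value of InprocServer32 is the DLL path.
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')

# Assumption: DLLs under these directories are considered trustworthy.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_inproc_servers(reg_text):
    """Return {"HKLM": {clsid: dll}, "HKCU": {clsid: dll}} from .reg text."""
    servers = {"HKLM": {}, "HKCU": {}}
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            hive = "HKLM" if m.group(1).upper() == "HKEY_LOCAL_MACHINE" else "HKCU"
            current = (hive, m.group(2).upper())
            continue
        if line.startswith("["):
            current = None  # some other key; ignore its values
            continue
        v = DEFAULT_VALUE_RE.match(line)
        if v and current:
            hive, clsid = current
            # .reg files escape backslashes; undo that for path comparison.
            servers[hive][clsid] = v.group(1).replace("\\\\", "\\")
    return servers


def normalize(path):
    return path.strip().strip('"').lower()


def find_com_hijacks(servers):
    """Return (clsid, kind, dll) tuples for suspicious per-user registrations."""
    findings = []
    for clsid, user_dll in servers["HKCU"].items():
        machine_dll = servers["HKLM"].get(clsid)
        if machine_dll is not None:
            # Per-user entry overrides a machine-wide class: the classic hijack.
            if normalize(machine_dll) != normalize(user_dll):
                findings.append((clsid, "shadows-HKLM", user_dll))
        elif not normalize(user_dll).startswith(TRUSTED_PREFIXES):
            # No HKLM counterpart, but the DLL lives in a user-writable spot.
            findings.append((clsid, "user-only-untrusted-path", user_dll))
    return findings


def main():
    for clsid, kind, dll in find_com_hijacks(parse_inproc_servers(SAMPLE_REG)):
        print(f"{kind:26} {clsid} -> {dll}")


if __name__ == "__main__":
    main()
```

On a live host the same logic runs over `reg export HKCU\Software\Classes\CLSID` and the HKLM equivalent, or over parsed NTUSER.DAT and SOFTWARE hives during forensics. The check only sees per-user overrides; an implant that already runs elevated can write the hijack into HKLM instead, so a deployed version should also diff HKLM InprocServer32 values against a known-good baseline.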
Using Recorded Future’s network telemetry, Insikt Group mapped out eight distinct infrastructure clusters, with five still likely active. Among them:
- Hungary: Cluster 1 has been active since 2019. Domains like ambiguouscommerce[.]com and kartingrumble[.]com are still operational. A phishing attempt against MEP Daniel Freund in May 2024 was likely tied to this cluster.
- Saudi Arabia: Cluster 2’s activity dates back to at least 2020, managing servers like macromint[.]net and stylebrakedown[.]com. The infrastructure is accessed directly using static IPs tied to Saudi ISPs.
- Indonesia: One cluster linked to the Indonesian National Police appeared active until November 2024. It was reportedly supported by Singapore-based Heha and originally sourced from Candiru.
- Azerbaijan: Two clusters are “highly likely” tied to Azerbaijani clients, but their current operational status remains unclear.
Other clusters utilize Tor, multi-layer proxies, and infrastructure hosted by major cloud providers like DigitalOcean and Vultr, making attribution and mitigation more difficult.
A leaked project proposal exposed the company’s pricing model: €16 million grants unlimited infection attempts but only allows surveillance on 10 devices simultaneously. Upgrades range from €1.5 to €5.5 million depending on the number of devices and countries targeted.
“One €1.5 million upgrade offers a remote shell capability… raising concern due to its potential use for uploading files or planting incriminating content.”
Despite stating that its tools will not operate in the US, Russia, China, Israel, or Iran, Candiru’s spyware has been observed targeting victims in Iran and Israel, two of the supposedly excluded countries, as well as in Palestine, Catalonia, and elsewhere.
Candiru has used weaponized Office files, strategic website compromises (watering holes), and zero-day browser exploits, including CVE-2021-30551 in Chrome’s V8 engine and CVE-2022-2294 in WebRTC, to deliver its spyware. More recently, reports emerged about “Sherlock”, a capability developed by Insanet, a separate Israeli vendor, that infects devices through malicious ads placed on programmatic ad networks and selects targets by demographics and location.
This innovation underscores a troubling trend: the professionalization of spyware delivery mechanisms that are stealthier, harder to trace, and accessible to more buyers.
In 2025, Integrity Partners, a U.S.-based firm, quietly acquired Candiru for $30 million. Insikt Group discovered the domain integrity-labs[.]ltd and a new Israeli company under the name Integrity Labs Ltd., directed by Naftali (Elad) Yoran. This maneuver may allow Candiru’s operations to continue under a fresh corporate identity—without being on the Entity List.