A report from Insikt Group has uncovered fresh infrastructure linked to spyware maker Candiru, indicating ongoing spyware operations tied to DevilsTongue malware, reports The Record, a news site by cybersecurity firm Recorded Future.
The researchers identified eight operational clusters associated with the spyware, five of which are believed to still be active, including those linked to Hungary, Saudi Arabia, and, until recently, Indonesia. Some clusters use Tor or intermediary layers to control spyware infrastructure, while others manage it directly. DevilsTongue, named by Microsoft, has reportedly been delivered through various methods, including phishing links, booby-trapped files, and compromised websites. Insikt Group also discovered a new company, Integrity Labs, that may be connected to the acquisition of Candiru's assets by US-based Integrity Partners, which reportedly paid $30 million and created the entity to sidestep US sanctions. Candiru has been on the US Commerce Department's Entity List since 2021. The spyware has previously been used against Catalan independence leaders, according to Citizen Lab.