Candiru

First seen: 2019 • Status: active

Candiru makes spyware that governments buy to surveil people through their computers; the tools can capture everything on the screen and listen through the microphone.

Overview

Candiru develops and sells commercial spyware to governments. Its DevilsTongue malware exploits browser vulnerabilities to compromise Windows and macOS systems for surveillance.

Also Known As

Sourgum, DevilsTongue

How It Spreads

  • Watering hole attacks
  • Browser exploits
  • Malicious links
  • Fake websites

What It Does

  • Browser data theft
  • Credential harvesting
  • Screenshot capture
  • Microphone access
  • File extraction

Target Platforms

Windows, macOS

Detection Tips

  • Monitor for exploitation attempts against CVE-2021-21166 and CVE-2021-30551
  • Check for unusual browser behavior
  • Analyze Windows event logs for persistence
  • Review scheduled tasks

MITRE ATT&CK Techniques

T1189 (Drive-by Compromise), T1555 (Credentials from Password Stores), T1113 (Screen Capture), T1123 (Audio Capture), T1005 (Data from Local System)

If You're Infected

  1. Patch all browsers and operating systems immediately
  2. Conduct forensic analysis of suspected systems
  3. Reset browser profiles and credentials
  4. Review the organization's security posture

Related Malware

Pegasus, Predator, Finspy
