Candiru, legally registered as Saito Tech, is an Israeli mercenary spyware vendor founded in 2014 in Tel Aviv. The company sells DevilsTongue, a Windows and macOS spyware platform, alongside iOS and Android products. Microsoft’s MSTIC team named the company publicly in July 2021 after documenting DevilsTongue infections in Saudi Arabia, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Singapore, and other countries. The US Department of Commerce added Candiru to its Entity List in November 2021.
What it means in practice
Candiru tooling operates through one-click links and exploit-chain delivery. Microsoft’s July 2021 report documented two zero-day exploits used by DevilsTongue against Windows. Apple patched at least one Candiru-attributed iOS exploit in 2022. The targeting profile, as documented by Citizen Lab and Microsoft, prioritises dissidents, journalists, lawyers, and political opposition figures rather than mass surveillance. Targets in the 2021 disclosure included at least one academic and one political activist with no apparent law enforcement basis for the operation.
Specific things to know
Candiru’s clients are documented or suspected to include Saudi Arabia, the UAE, Uzbekistan, Singapore, Qatar, and unidentified European customers. The company’s corporate structure separates the operating entity from the legal entity Saito Tech and uses multiple holding-company layers, as documented in Israeli business filings. Pricing for a DevilsTongue licence has been reported at approximately 16 million euros for 10 simultaneous infections, with surcharges for additional targets and exfiltration capacity. The Entity List addition restricts US persons from providing services to the company without an export licence.
Change today
Windows users at potential risk should keep their systems fully updated and consider running additional EDR coverage. iOS users should enable Lockdown Mode. The structural issue, however, is that exploit purchases continue to fund the development cycle even after sanctions, and the Entity List addition has not visibly slowed Candiru operations. The decision for individuals at risk is not which patch to apply but whether to treat their device as the perimeter or to assume the device itself is the exposure.
