
Predaxia Research

Candiru / DevilsTongue

Candiru Ltd. (now Integrity Labs) · Israel

Status: Active · US Entity List 2021 · Integrity Partners 2025

Confidence 5/5

Vendor: Candiru Ltd. (also Saito Tech, Taveta, Grindavik Solutions)
Country of origin: Israel
Founded: 2014
Founders: Eran Shorer, Yaakov Weizman
Spyware (Microsoft name): DevilsTongue (tracked as SOURGUM)
Acquired by: Integrity Partners (US) for $30M, 2025. Now operating as Integrity Labs Ltd. (Herzliya)
US Entity List: Yes, since November 2021
Pricing: Tens of millions of euros

Technical capabilities

DevilsTongue is a sophisticated, modular Windows-based spyware written in C and C++ with a multi-threaded architecture. Per Microsoft Threat Intelligence analysis (July 2021), it has both user-mode and kernel-mode components and includes novel detection evasion mechanisms.

Capabilities documented by Microsoft and Citizen Lab:

  • File extraction and exfiltration.
  • Browser data collection: cookies, saved passwords from LSASS and Chrome, Internet Explorer, Firefox, Safari, Opera.
  • Decryption and theft of Signal, WhatsApp, Viber, and SMS messages from desktop applications.
  • Camera and microphone hijacking.
  • Capability to send messages as the victim on Facebook, Twitter, Gmail, Yahoo, Mail.ru.
  • Persistence via COM hijacking, replacing legitimate registry keys with malicious DLLs.
  • Encrypted DLLs decrypted only in memory, separate configuration data, advanced detection evasion.

Initial deployment vectors documented by Microsoft include single-use URLs sent via WhatsApp messages that exploited browser zero-days. Microsoft fixed CVE-2021-31979 and CVE-2021-33771 in its July 2021 Patch Tuesday release.

An August 2025 Recorded Future Insikt Group report identified eight distinct infrastructure clusters tied to Candiru operations, five of them highly likely active, including clusters associated with Hungary and Saudi Arabia.

Documented victims

  • Microsoft detected hacking attempts against more than 100 victims in Palestine, Israel, Iran, Lebanon, Spain, United Kingdom, Turkey, Armenia, and Singapore (July 2021).
  • Targets included politicians, human rights activists, journalists, academics, embassy workers, and political dissidents.
  • April 2022: Citizen Lab confirmed members of the Catalan independence movement targeted with Candiru spyware as part of a Spanish-government-sanctioned domestic surveillance operation (CatalanGate).
  • 2025: Members and affiliates of Hungary’s TISZA Party reported to have been targeted with surveillance attributed to Candiru.
  • Citizen Lab tied over 750 sites to Candiru spyware infrastructure with moderate-high confidence.

Customer states

Per Recorded Future Insikt Group infrastructure analysis (August 2025):

  • Hungary: cluster highly likely active.
  • Saudi Arabia: cluster highly likely active.
  • Indonesia: cluster active until November 2024.
  • Azerbaijan: two clusters identified, status uncertain due to limited visibility.
  • Spain: confirmed via CatalanGate (April 2022).

Legal and sanctions status

  • US Department of Commerce Entity List, since November 2021.
  • 2025: US-based Integrity Partners acquired Candiru’s assets and employees for approximately $30M, transferring them to a new entity (Integrity Labs Ltd., Herzliya) not subject to Entity List restrictions.
  • Candiru has undergone multiple corporate name changes: Saito Tech Ltd., Taveta Ltd., Grindavik Solutions Ltd. This pattern is documented by the Atlantic Council as common among spyware vendors seeking to obscure operations.

Technical countermeasures

  • Microsoft Defender for Endpoint: Microsoft published protections that prevent DevilsTongue infection on updated systems.
  • Patch Windows promptly: CVE-2021-31979 and CVE-2021-33771 patched July 2021.
  • Browser updates: keep Chrome, Edge, Firefox, Safari current.
  • For Signal users on Windows: be aware that DevilsTongue can decrypt Signal messages from the desktop app. Mobile Signal apps are not affected.

Note on the Integrity Labs acquisition. The 2025 transfer of Candiru assets to a new US-owned entity outside the Entity List is documented but does not constitute a vetted reform. This kind of corporate restructuring is a recognized pattern by which sanctioned spyware vendors continue operating.

Update log

February 18, 2026: Documentation set established. Initial sourcing through Citizen Lab, Amnesty Security Lab, Microsoft Threat Intelligence, Google TAG, Lookout, Kaspersky GReAT, US Treasury OFAC, court documents and investigative press.
