Advanced Spyware From Israel's Candiru Discovered on Russian, Turkish, Palestinian Computers

The highly targeted malware is sold by the Israeli firm to clients who use it to spy on journalists, dissidents and others, cybersecurity company ESET says in new report

Amitai Ziv
The entrance to Candiru's Tel Aviv office, in 2018. Credit: Ofer Vaknin

Spyware made by the Tel Aviv-based hacking tool company Candiru has been found on several computers in Europe and the Middle East, the cybersecurity company ESET reported.

In its September report, ESET wrote that, according to research on Candiru's DevilsTongue malware published in July by Citizen Lab and the Microsoft Threat Intelligence Center, the malware is "sold to third parties, which can abuse it to spy on various victims, including human rights defenders, dissidents, journalists, activists and politicians."

ESET researchers, the report says, "Discovered indications of DevilsTongue malware in our telemetry data, affecting about 10 computers" in Albania, Russia and the Middle East. The malware was found in Israel, the Palestinian territories, Turkey and other parts of the region.

It also states that "The malware is highly targeted: each DevilsTongue victim we identified had a custom sample with PE resources unique to that victim." The mention of the "murky Israeli mercenary spyfirm," as Candiru is dubbed in the report, is likely to perturb Israelis.

In July, Microsoft and Google reported a number of zero-day vulnerabilities found in the Windows operating system and the popular Chrome web browser. Candiru had exploited these vulnerabilities in order to attack targets in about 100 countries, from Iran and Lebanon to Spain and the United Kingdom.

Candiru's CEO, Eitan Achlow.

According to Citizen Lab, in that attack, Candiru's clients used a number of domains, including ones linked to gender and human rights, in order to implant malware into users' web browsers, such as and Their goal was social engineering – exploiting human vulnerabilities to get people to click links and to affected websites.

The intended victims are still not definitively known. The Citizen Lab report said that human rights activists, political dissidents, journalists, human rights workers and politicians were among the targets.

Similar discoveries have been made regarding another Israeli company, NSO, which shares some of its clients with Candiru. Countries like Qatar, Uzbekistan, Saudi Arabia and the United Arab Emirates appear to have patronized NSO alongside Candiru, using the latter's technology for PCs.

"Candiru's growing presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse," Citizen Lab said in its report.

Microsoft fixed the discovered flaws through a software update soon after they were found. The company did not directly attribute the exploits to Candiru, instead referring to it as an "Israel-based private sector offensive actor" under the code name Sourgum.
