Advanced Spyware From Israel's Candiru Discovered on Russian, Turkish, Palestinian Computers

The highly targeted malware is sold by the Israeli firm to clients who use it to spy on journalists, dissidents and others, cybersecurity company ESET says in a new report

Amitai Ziv

The entrance to Candiru's Tel Aviv office, in 2018. Credit: Ofer Vaknin

Spyware made by the Tel Aviv-based hacking tool company Candiru has been found on several computers in Europe and the Middle East, the cybersecurity company ESET reported.

In their September report, ESET wrote that according to research published by Citizen Lab and the Microsoft Threat Intelligence Center in July about Candiru's DevilsTongue malware, it is "sold to third parties, which can abuse it to spy on various victims, including human rights defenders, dissidents, journalists, activists and politicians."

ESET researchers, the report says, "Discovered indications of DevilsTongue malware in our telemetry data, affecting about 10 computers" in Albania, Russia and the Middle East. The malware was found in Israel, the Palestinian territories, Turkey and other parts of the region.

It also states that "The malware is highly targeted: each DevilsTongue victim we identified had a custom sample with PE resources unique to that victim." The mention of the "murky Israeli mercenary spyfirm," as Candiru is dubbed in the report, is likely to perturb Israelis.

In July, Microsoft and Google reported a number of zero-day vulnerabilities found in the Windows operating system and the popular Chrome web browser. Candiru had exploited these vulnerabilities in order to attack targets in about 100 countries, from Iran and Lebanon to Spain and the United Kingdom.

Candiru's CEO, Eitan Achlow.

According to Citizen Lab, in that attack, Candiru's clients used a number of domains, including ones linked to gender and human rights, in order to implant malware into users' web browsers, such as and Their goal was social engineering – exploiting human vulnerabilities to get people to click links and to affected websites.

The intended victims are still not definitively known. The Citizen Lab report said that human rights activists, political dissidents, journalists, human rights workers and politicians were among the targets.

Similar discoveries have been made regarding another Israeli company, NSO, which shares some of its clients with Candiru. Countries like Qatar, Uzbekistan, Saudi Arabia and the United Arab Emirates appear to have patronized NSO alongside Candiru, using the latter's technology for PCs.

"Candiru's growing presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse," Citizen Lab said in its report.

Microsoft fixed the discovered flaws through a software update soon after they were found. The company did not directly attribute the exploits to Candiru, instead referring to it as an "Israel-based private sector offensive actor" under the code name Sourgum.
