Malware · Used by 1 actor · Exploits 5 CVEs

DevilsTongue

DevilsTongue is a sophisticated, modular Windows spyware associated with the Israeli spyware vendor Candiru, which Microsoft tracks as SOURGUM. Reporting describes it as part of Candiru’s commercial surveillance platform and notes infrastructure used to manage and deliver DevilsTongue across multiple operational clusters: active clusters have been linked to Hungary and Saudi Arabia, and other reporting has linked clusters to Azerbaijan, Uzbekistan, Spain, and Indonesia.

The implant has user-mode and kernel-mode components. Documented tradecraft includes persistence via COM hijacking (overwriting a legitimate COM class’s registered DLL path), use of the signed third-party driver physmem.sys for kernel-level memory access, and decryption and execution of later stages only in memory. Documented capabilities include credential theft and access to Signal messages; leaked proposal material also described a licensing model priced on the number of concurrent infections, with remote shell capability as an option.

Observed delivery and infection vectors include fake shortened URLs that redirect to exploits and then the implant, single-use links sent to specific targets, malicious Office documents, and watering-hole compromises that profiled visitors before redirecting selected targets to what were likely browser RCE exploit chains. Public reporting linked Candiru activity to exploitation of the Chrome zero-days CVE-2021-21166 and CVE-2021-30551, the Internet Explorer (MSHTML) zero-day CVE-2021-33742, and later the Chrome WebRTC heap overflow CVE-2022-2294. ESET assessed with medium confidence that the operators behind certain Middle East-focused watering-hole campaigns were Candiru customers.

Documented targeting in the source material covers journalists, activists, civil society, diplomats, and political targets, with at least 100 victims reported globally in 2021, and later domestic surveillance reporting involving the Catalan independence movement.

Mentioned infrastructure and tradecraft include victim-facing deployment and C2 systems, higher-tier operator infrastructure, intermediary layers, Tor usage in some clusters, and the fake shortened URLs used to redirect targets to exploits and the DevilsTongue implant.


EXPLOITED CVES

Vulnerabilities exploited

5 CVEs Mallory has correlated with this family across public research and vendor advisories.
CVE-2021-33742 · Windows MSHTML Platform Remote Code Execution Vulnerability · Exploited in the wild

In July 2021, Google published a blogpost providing details on exploits used by Candiru. It includes CVE-2021-21166 and CVE-2021-30551 for Chrome and CVE-2021-33742 for Internet Explorer. | "...fake shortened URLs redirecting to exploits and the DevilsTongue implant."

via ESET WeLiveSecurity blog (welivesecurity.com)
CVE-2022-2294 · Heap Buffer Overflow in Google Chrome WebRTC · Exploited in the wild

"DevilsTongue is a sophisticated, modular Windows malware." | In July 2022, Avast reported that CVE-2022-2294, a high-severity heap buffer overflow vulnerability in WebRTC within Google Chrome, was exploited to execute shellcode in the browser’s renderer process, targeting users in the Middle East.

via Recorded Future blog (recordedfuture.com)
CVE-2021-21166 · Data race in audio in Google Chrome · Exploited in the wild

Google’s Threat Analysis Group (TAG) disclosed in 2021 that two Google Chrome renderer remote code execution zero-day vulnerabilities (CVE-2021-21166 and CVE-2021-30551) had been exploited by Candiru... Google TAG discovered that CVE-2021-21166 also affected WebKit, prompting Apple to patch it as CVE-2021-1844; however, there is no evidence it was used against Safari users. | "DevilsTongue is a sophisticated, modular Windows malware."

via Recorded Future blog (recordedfuture.com)
CVE-2021-30551 · Type Confusion in Google Chrome V8 · Exploited in the wild

Google’s Threat Analysis Group (TAG) disclosed in 2021 that two Google Chrome renderer remote code execution zero-day vulnerabilities (CVE-2021-21166 and CVE-2021-30551) had been exploited by Candiru. | "DevilsTongue is a sophisticated, modular Windows malware."

via Recorded Future blog (recordedfuture.com)
CVE-2021-1844 · Memory Corruption in WebKit

"DevilsTongue is a sophisticated, modular Windows malware."

Listed because CVE-2021-21166 also affected WebKit and Apple patched it as CVE-2021-1844; the evidence quoted under CVE-2021-21166 above records no indication that it was used against Safari users, so treat this entry as a related patch rather than a documented DevilsTongue delivery vector.

via Recorded Future blog (recordedfuture.com)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.
Candiru

“… new server clusters for managing and delivering the company's DevilsTongue spyware.”

via Risky Biz RSS (news.risky.biz)
MITRE ATT&CK

Techniques & procedures

14 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development

1 technique

T1588.001 Obtain Capabilities: Malware (evidence: 1)

"The operators probably bought access to Candiru implants." and "...redirecting to exploits and the DevilsTongue implant."

Initial Access

4 techniques

T1078 Valid Accounts (evidence: 1)

"...spyware can be deployed through multiple vectors, including... physical access."

T1189 Drive-by Compromise (evidence: 2)

As commercial spyware relies on zero-day exploits for deployment...

T1566.001 Phishing: Spearphishing Attachment (evidence: 1)

"...campaign targeting Armenian users with malicious Office documents that loaded web content through Internet Explorer... embedding a remote ActiveX object... or... via VBA macros..."

T1566.002 Phishing: Spearphishing Link (evidence: 1)

"...Candiru has used both actor-controlled links, such as spearphishing emails... Google’s Threat Analysis Group (TAG) disclosed in 2021... exploited by Candiru... distributed via single-use links sent to specific targets..."

Execution

1 technique

T1203 Exploitation for Client Execution (evidence: 1)

"...two Google Chrome renderer remote code execution zero-day vulnerabilities (CVE-2021-21166 and CVE-2021-30551) had been exploited by Candiru..."; "...served an Internet Explorer zero-day exploit... CVE-2021-33742..."; "...CVE-2022-2294... in WebRTC within Google Chrome..."

Persistence

2 techniques

T1078 Valid Accounts (evidence: 1)

"...spyware can be deployed through multiple vectors, including... physical access."

T1546.015 Event Triggered Execution: Component Object Model Hijacking (evidence: 1)

"It maintains persistence via COM hijacking by overwriting a legitimate COM class registry key’s DLL path with a first-stage DLL..."

Privilege Escalation

3 techniques

T1068 Exploitation for Privilege Escalation (evidence: 1)

"A signed third-party driver (physmem.sys) enables kernel-level memory access and API call proxying to avoid detection."

T1078 Valid Accounts (evidence: 1)

"...spyware can be deployed through multiple vectors, including... physical access."

T1546.015 Event Triggered Execution: Component Object Model Hijacking (evidence: 1)

"It maintains persistence via COM hijacking by overwriting a legitimate COM class registry key’s DLL path with a first-stage DLL..."

Defense Evasion

3 techniques

T1027 Obfuscated Files or Information (evidence: 1)

"...stores encrypted second-stage payloads... The malware’s use of scrubbed metadata, encryption, and unique hashes for each file further complicates detection and analysis."

T1078 Valid Accounts (evidence: 1)

"...spyware can be deployed through multiple vectors, including... physical access."

T1620 Reflective Code Loading (evidence: 1)

"All additional payloads are decrypted and executed only in memory..."

Credential Access

3 techniques

T1003.001 OS Credential Dumping: LSASS Memory (evidence: 1)

"...allowing the malware to steal credentials from LSASS and browsers..."

T1555.003 Credentials from Password Stores: Credentials from Web Browsers (evidence: 1)

"...steal credentials from LSASS and browsers... and use browser cookies to impersonate victims on platforms like Facebook, Gmail, and VK."

T1557 Adversary-in-the-Middle (evidence: 1)

"...spyware can be deployed through multiple vectors, including malicious links, weaponized files, man-in-the-middle (MitM) attacks, and physical access."

Collection

1 technique

T1557 Adversary-in-the-Middle (evidence: 1)

"...spyware can be deployed through multiple vectors, including malicious links, weaponized files, man-in-the-middle (MitM) attacks, and physical access."

Command and Control

1 technique

T1071 Application Layer Protocol (evidence: 1)

"...victim-facing components likely used for deploying and controlling Candiru’s DevilsTongue spyware, as well as higher-tier operator infrastructure... others use intermediaries or the Tor network."
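
Two of the host-side behaviours in the Persistence and Privilege Escalation rows above are concrete enough to hunt for in endpoint telemetry: the rewrite of a COM class's InprocServer32 path behind T1546.015, and the load of the signed driver physmem.sys behind T1068. What follows is an added example, not code from Mallory or from any of the vendors cited on this page: a small Python detector run over constructed Sysmon-style events. The CLSID, file paths, process names and the list of trusted DLL directories are assumptions made up for the example; only the driver name physmem.sys and the registry shape of the hijack come from the page.

```python
"""Added example (not Mallory's or any vendor's code): detection logic for two
items of DevilsTongue tradecraft named on this page, evaluated over
constructed Sysmon-style events.

  rule 1: a COM class's InprocServer32 default value is rewritten to a DLL
          outside the usual install locations (COM hijacking, T1546.015)
  rule 2: the signed third-party driver physmem.sys is loaded (T1068)
  rule 3: a DLL planted by a rule-1 hit is later loaded into a process
"""
import re
from collections import namedtuple

Alert = namedtuple("Alert", "rule severity process detail")

# ASSUMPTION: where a legitimate in-process COM server DLL is expected to
# live. Illustrative only; tune to your estate. The trailing backslash keeps
# "c:\program files\" from also matching "c:\program files (x86)\...".
TRUSTED_DLL_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Sysmon reports a key's default value as "(Default)".
INPROC_DEFAULT_RE = re.compile(
    r"\\CLSID\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}"
    r"\\InprocServer32\\\(Default\)$",
    re.IGNORECASE,
)

# Driver named in the page's source reporting. It is validly signed, which is
# exactly why it loads under DSE: hunt by name and load event, not signature.
WATCHED_DRIVERS = {"physmem.sys"}


def _norm(path):
    """Lower-case, strip quotes and unify slashes so that
    'C:/Users/x/a.dll' and '"c:\\users\\x\\a.dll"' compare equal."""
    return path.strip().strip('"').replace("/", "\\").lower()


def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def in_trusted_dir(path):
    return _norm(path).startswith(TRUSTED_DLL_DIRS)


def detect(events):
    """Evaluate Sysmon-style event dicts in order and return the alerts raised.
    Field names follow Sysmon: EventID, Image, TargetObject, Details,
    ImageLoaded, Signed."""
    alerts = []
    planted = {}  # normalised DLL path -> process that wrote it into the registry

    for ev in events:
        eid = ev.get("EventID")

        # rule 1: EID 13 (RegistryEvent, value set) on a CLSID's InprocServer32
        if eid == 13 and INPROC_DEFAULT_RE.search(ev.get("TargetObject", "")):
            dll = ev.get("Details", "")
            if dll.lower().endswith(".dll") and not in_trusted_dir(dll):
                # A per-user HKU\<SID>\Software\Classes entry shadows the HKLM
                # one for that user, the classic hijack shape, so it rates
                # higher than an HKLM rewrite.
                user_hive = ev["TargetObject"].upper().startswith("HKU\\")
                writer = ev.get("Image", "?")
                planted[_norm(dll)] = writer
                alerts.append(Alert("com_hijack", "high" if user_hive else "medium",
                                    writer, f"{ev['TargetObject']} -> {dll}"))

        # rule 2: EID 6 (DriverLoad) of the watched signed driver
        elif eid == 6 and _basename(ev.get("ImageLoaded", "")) in WATCHED_DRIVERS:
            alerts.append(Alert("vuln_driver_load", "high", ev.get("Image", "System"),
                                f"{ev['ImageLoaded']} signed={ev.get('Signed', '?')}"))

        # rule 3: EID 7 (ImageLoad) of a DLL that an earlier rule-1 hit planted
        elif eid == 7 and _norm(ev.get("ImageLoaded", "")) in planted:
            dll = _norm(ev["ImageLoaded"])
            alerts.append(Alert("hijacked_com_dll_loaded", "high", ev.get("Image", "?"),
                                f"{ev['ImageLoaded']} (planted by {planted[dll]})"))

    return alerts


# Constructed sample telemetry: CLSID, paths and process names are made up.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",  # benign installer
     "TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{0A0A0A0A-1111-2222-3333-444444444444}\InprocServer32\(Default)",
     "Details": r"C:\Program Files\Vendor\vendor.dll"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\stage0.exe",  # hijack
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Classes\CLSID\{0A0A0A0A-1111-2222-3333-444444444444}\InprocServer32\(Default)",
     "Details": r"C:\Users\alice\AppData\Roaming\Microsoft\ver.dll"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",  # planted DLL executes
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\Microsoft\ver.dll"},
    {"EventID": 6, "Image": "System",  # signed third-party driver load
     "ImageLoaded": r"C:\Windows\Temp\physmem.sys", "Signed": "true"},
    {"EventID": 6, "Image": "System",  # ordinary inbox driver, no alert
     "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys", "Signed": "true"},
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.rule} via {a.process}: {a.detail}")
```

The third rule is the one worth keeping: a registry rewrite on its own is noisy (installers and regsvr32 do it legitimately), but the planted DLL later loading into a normal host process such as explorer.exe is the observable that means the first stage is running. For the driver, a valid signature is exactly why it loads, so do not key the rule on signature status; confirm a hit by hashing the file on disk and checking it against a vulnerable-driver list such as loldrivers.io.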

INDICATORS OF COMPROMISE

IOCs tracked for this family

9 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network
7 tracked

IPs, domains, and DNS infrastructure linked to this family.

Other
2 tracked

Other indicator types observed in public reporting.

Type    Value      Latest sighting   (6 of 9 indicators shown; values are masked on the public page)
domain  (masked)   11 months ago
domain  (masked)   11 months ago
domain  (masked)   5 years ago
domain  (masked)   5 years ago
domain  (masked)   5 years ago
ip.v4   (masked)   5 years ago
ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news.

Recorded Future blog (News), Jun 17, 2026
State Digital Surveillance Risk Landscape

Spyware associated with Candiru and used for surveillance deployments, with active infrastructure clusters identified in multiple countries.

Recorded Future blog (News), Dec 17, 2025
Cyber on the Geopolitical Battlefield: Beyond the “Big Four”

Commercial spyware (attributed here to Candiru) used to enable intrusive monitoring and surveillance, often in domestic security contexts.

Risky Biz RSS (News), Aug 6, 2025
Risky Bulletin: Russia to designate ERPs as "critical information infrastructure"

Commercial spyware attributed to vendor Candiru; infrastructure used for delivery and management remains active across multiple geographies.

Recorded Future blog (News), Aug 5, 2025
Tracking Candiru’s DevilsTongue Spyware in Multiple Countries

Windows-based mercenary spyware attributed to Candiru. Modular, multi-threaded C/C++ malware with user- and kernel-mode components; supports deep device access including file extraction, browser data collection, credential theft (including LSASS and browsers), and theft of encrypted Signal Desktop messages. Uses stealth and persistence techniques including COM hijacking (registry COM class DLL path overwrite), encrypted staged payload storage, in-memory decryption and execution, and a signed third-party driver (physmem.sys) for kernel memory access and API call proxying; also uses scrubbed metadata, encryption, and per-file unique hashes to hinder detection and analysis.