Candiru

Candiru is an Israeli private sector offensive actor and spyware vendor. Known aliases in the provided content include Caramel Tsunami and DEV-0236; Microsoft also tracks activity linked to Candiru as SOURGUM. The company is described as a mercenary hacking company and commercial legal entity that creates and sells cyberweapons to government customers. It was added to the U.S. Department of Commerce Entity List in November 2021. Candiru is associated with the DevilsTongue spyware, described as a sophisticated modular Windows spyware with user- and kernel-mode components, persistence via COM hijacking, use of a signed driver (physmem.sys), in-memory decryption and execution, and capabilities to steal credentials and access Signal messages. Recorded Future identified victim-facing deployment and command-and-control infrastructure as well as higher-tier operator infrastructure linked to Candiru, and reported eight distinct operational clusters, with five assessed as likely still active, including clusters linked to Hungary and Saudi Arabia. Other reporting in the content links Candiru-associated activity to customers or clusters tied to Indonesia, Azerbaijan, Saudi Arabia, the UAE, Uzbekistan, and Hungary. The content states Candiru spyware has targeted journalists, dissidents, civil society, and political figures. Citizen Lab reported at least 65 individuals were targeted or infected with Pegasus or Candiru in the CatalanGate case, including four targeted or infected with Candiru, and identified Joan Matamala as a confirmed Candiru victim. Microsoft and Citizen Lab reported Candiru spyware had compromised at least 100 victims globally across multiple countries and victim categories. The content also notes reporting that German MEP Daniel Freund was likely targeted by spyware originating from Candiru before EU elections. Candiru-linked exploitation in the provided content includes use of Windows zero-days CVE-2021-31979 and CVE-2021-33771, Chrome zero-days CVE-2021-21166 and CVE-2021-30551, an Internet Explorer zero-day later assigned CVE-2021-33742, and reported exploitation of Chrome/WebRTC CVE-2022-2294. ESET linked watering-hole activity targeting high-profile Middle Eastern websites, especially Yemen-related sites, to operators assessed with medium confidence to be Candiru customers. That activity used compromised websites for visitor profiling and selective redirection toward likely browser exploit chains. The content also references Candiru phishing infrastructure and impersonation themes involving the Government of Spain, the World Health Organization, Barcelona’s Mercantile Registry, and Mobile World Congress. The provided content describes Candiru as founded in 2014 by Eran Shorer and Yaakov Weizmann and operating as Saito Tech Ltd.; it also references DF Associates Ltd. and Grindavik Solutions Ltd. as later corporate names. A 2025 report cited in the content states Candiru was acquired by Integrity Partners and that assets and employees were transferred to a newly established entity, with Integrity Labs Ltd. identified as a suspected related company.