Candiru
Candiru is mercenary spyware referenced in reporting on government digital surveillance and politically motivated targeting of journalists, civil society, and political figures. According to the cited reporting, from 2024 to 2026 Insikt Group found evidence that at least 16 countries deployed Predator or Candiru spyware against journalists and civil society members, including Angola, Armenia, Azerbaijan, Botswana, the Democratic Republic of the Congo, Egypt, Hungary, Indonesia, Iraq, Kazakhstan, Mongolia, Mozambique, Oman, the Philippines, Saudi Arabia, and Trinidad and Tobago. In August 2025, Insikt Group identified new infrastructure associated with Candiru, including components likely used to deploy DevilsTongue spyware, with active clusters linked to Hungary and Saudi Arabia.
Citizen Lab’s CatalanGate reporting documented targeting of Catalan politicians, lawyers, civil society members, and associates with mercenary spyware, including four individuals targeted or infected with Candiru and at least one confirmed infection; at least two individuals were affected by both Pegasus and Candiru. Citizen Lab identified Joan Matamala as the previously unnamed patient zero from its 2021 Hooking Candiru research and confirmed a live, persistent Candiru infection on his device. With Matamala’s consent, Citizen Lab shared forensic traces with Microsoft, which identified more than 100 Candiru victims across ten countries. Microsoft found that Candiru used the Windows zero-days CVE-2021-31979 and CVE-2021-33771, both patched in July 2021. Additional Catalan targets identified by Citizen Lab included Elies Campo, Xavier Vives, and Pau Escrich, who were targeted by email. Candiru phishing emails used the domain stat[.]email and impersonated the Government of Spain, the World Health Organization, Barcelona’s Mercantile Registry, and Mobile World Congress; Citizen Lab linked stat[.]email to customized Candiru customer infrastructure.
The reporting also describes a 2024 attempted targeting of German MEP Daniel Freund with Candiru spyware via an email posing as a Ukrainian student; Freund reported that he did not click the link and that his phone was not infected. High-confidence indicators and artifacts mentioned in the reporting include the domain stat[.]email, the malware name DevilsTongue in connection with Candiru infrastructure, and exploitation of CVE-2021-31979 and CVE-2021-33771.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Microsoft also discovered two zero-day vulnerabilities (CVE-2021-31979, CVE-2021-33771) employed by Candiru to infect Windows systems, and patched them in July 2021.
Finding: Catalans Targeted with Candiru. In July 2021, we published “Hooking Candiru,” in which we identified and analysed Candiru’s mercenary spyware, in cooperation with Microsoft.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Finding: Catalans Targeted with Candiru. In July 2021, we published “Hooking Candiru,” in which we identified and analysed Candiru’s mercenary spyware, in cooperation with Microsoft.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance: 2 techniques
Resource Development: 1 technique
Initial Access: 2 techniques
As commercial spyware relies on zero-day exploits for deployment, Insikt Group previously assessed that, in addition to posing serious human rights concerns, its misuse threatens the broader cyber ecosystem by enabling the proliferation of critical vulnerabilities.
Stealth: 1 technique
Credential Access: 1 technique
IOCs tracked for this family
38 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Commercial spyware deployed by governments against journalists and civil society members.
Commercial spyware vendor/tooling referenced as deployed by governments for surveillance operations.
Commercial spyware used for covert surveillance and attempted compromise of mobile devices (in this case, delivered via a socially engineered email lure).
Mercenary spyware used to infect Windows systems and provide extensive access to victim devices, including extracting files and browser content, stealing messages from Signal Desktop, and using victims’ cloud accounts to send or post messages. It was delivered in this case via targeted phishing emails.