Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

Secretive Israeli Exploit Company Behind Wave of Zero-Day Exploits

A secretive Israeli commercial surveillance company named after a parasitic freshwater fish is being blamed for supplying Windows and Chrome zero-day exploits to nation-state APT actors.

A secretive Israeli commercial surveillance company named after a parasitic freshwater fish is being blamed for supplying Windows and Chrome zero-day exploits to nation-state APT actors.

According to separate reports released simultaneously by Microsoft and Citizen Lab, the Tel Aviv-based Candiru has been caught supplying high-end spyware capable of hijacking data from Windows PCs, Macs, iPhones and Android devices.

The two reports come less than 24 hours after Google’s Threat Analysis Group (TAG) documented four separate zero-day exploits in Chrome, Internet Explorer, and Webkit (Safari) that were created and sold by Candiru to government-backed attackers.

Exploit code from the mysterious Candiru was first observed in .gov hacking operations in Uzbekistan back in 2019 but the company has stayed under the radar while supplying its commercial hacking packages to compromise targets ranging from journalists, politicians, activists and dissidents.

The Citizen Lab report, titled Hooking Candiru, documents how the research outfit scanned the internet and found more than 750 websites linked to Candiru’s spyware infrastructure.  

[ Related: Microsoft Patches 3 Under-Attack Windows Zero-Days ]

Citizen Lab described Candiru as a “mercenary spyware firm” marketing untraceable surveillance software tools to government customers.  The Citizen Lab research team found that Candiru underwent multiple name changes over the years as part of attempts to mask its operations, infrastructure and staff identities.

The company’s exploits have been linked to nation-state malware attacks observed in Uzbekistan, Saudi Arabia and the United Arab Emirates (UAE), Singapore and Qatar.

Citizen Lab provided technical proof of the Candiru Windows spyware capabilities, including the ability to exfiltrate files from the popular encrypted messaging app Signal, and features to steal cookies and passwords from Chrome, Internet Explorer, Firefox, Safari, and Opera browsers.

Microsoft’s Threat Intelligence Center (MSTIC) released its own report on Candiru, aka SOURGUM, describing the company as a “private-sector offensive” actor in the business of hawking and using Windows zero-day exploits.

“Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and other devices,” Microsoft said, warning that these mercenary operations “only adds to the complexity, scale, and sophistication of attacks.” 

[ Related: Google Confirms Sixth Zero-Day Chrome Attack in 2021 ]

The Redmond, Wash. software giant confirmed it partnered with Citizen Lab on a project to disable a malware attack by Candiru that targeted more than 100 victims around the world including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents.

Microsoft named the malware DevilsTongue and said victims were scattered around the Palestinian Authority, Israel, Iran, Lebanon, Yemen, Spain (Catalonia), United Kingdom, Turkey, Armenia, and Singapore.

Redmond’s threat hunters found Candiru using a chain of browser and Windows exploits to plant malware on targeted victims.  The browser exploits were distributed via single-use URLs sent via WhatsApp messages.

From Microsoft’s report:

“During the investigation, Microsoft discovered two Windows 0-day exploits for vulnerabilities tracked as CVE-2021-31979 and CVE-2021-33771, both of which have been fixed in the July 2021 security updates. These vulnerabilities allow privilege escalation, giving an attacker the ability to escape browser sandboxes and gain kernel code execution. If customers have taken the July 2021 security update, they are protected from these exploits.”

Earlier this week, Microsoft’s Patch Tuesday bundle included urgent fixes for a pair of Windows kernel privilege escalation flaws that are now being linked to the Candiru operation.

According to Cristin Goodwin, General Manager in Microsoft’s Digital Security Unit, Candiru is in the business of manufacturing and selling “cyberweapons” to be used in precision attacks targeting consumer accounts.

“This is part of broader legal, technical and advocacy work we’re undertaking to address the dangers caused when [private sector offensive actors] build and sell weapons,” Goodwin said, warning that these companies “increase the risk that weapons fall into the wrong hands and threaten human rights.” 

Related: Microsoft Patches 3 Under-Attack Windows Zero-Days 

Related: MS Patch Tuesday: NSA Reports New Critical Exchange Flaws

Related: Google Confirms Sixth Zero-Day Chrome Attack in 2021

Related: Patch Tuesday: Microsoft Warns of Under-Attack Windows Kernel

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.