top of page
  • Writer's pictureC0SM0

The DevilsTongue | Spyware

Updated: May 1, 2023

// New Israeli spyware attack on Windows machines...


Hey Hackers! Over 100 people, including journalists, politicians, political dissidents, and other activists, were exploited in a spyware attack this past week.

Spyware is a type of malware used to spy and perform reconnaissance on a target


This spyware, labeled "DevilsTongue", is suspected to originate from a company located in Israel. This company, labeled "Candiru" or "Sourgum", is a firm that does surveillance for government agencies. They provide reconnaissance to governments in exchange for cash. It almost serves as a "Spyware as a Service" type deal. They allow for governmental entities to spy on civil society on an international level. Government agencies within the United Kingdom, Saudi Arabia, Hungary, and several others in the eastern hemisphere, have purchased spyware from Candiru.

//How it Works:

DevilsTongue uses Day 0 vulnerabilities to install spyware on Windows computers. It worked through privilege escalation techniques located within Windows Servers. The security flaws were disclosed as CVE-2021-33771 and CVE-2021-31979. It is believed that the spyware resided in activism webpages for BlackLivesMatter [BLM], women's rights, lgbtq+, and other respective parties.

DevilsTongue could also tie itself to domain names, becoming connected to popular domains that mimicked CNN, Euro News, and several activists websites. DevilsTongue would embed itself in links and other areas of the webpage. Once clicked or interacted with, DevilsTongue would install itself onto the user's machine, and they wouldn't notice a thing. Even if the user didn't interact with the page, having Javascript enabled by default allows the webpage to attempt to hijack the computer.

Once hijacked, DevilsTongue installed backdoors and disabled many security features. Clients who purchased the spyware, as well as Candiru, virtually had full access to a victim's computer. They could view and exfiltrate documents, activate the computer's camera and microphone, and even steal credentials [passwords].


The spyware affected over 100 people across ten reported different countries. These countries included The United Kingdom, Israel, Spain, Lebanon, Iran, Singapore, Turkey, Palestine, Armenia, and Yemen. But why was the spyware targeted at activists? Well within the eastern hemisphere, a lot of government entities don't support the act of activism or rebellion against the government. In effect, many activists have received jail times for upwards of 8 years.


Attacks like this are unfortunate. When governments purchase spyware to infiltrate the lives of the civilians they are supposed to serve. If you wish to become safer online and avoid being exploited, please be sure to subscribe to our newsletter where you will be notified of new article uploads. CosmodiumCS will soon be releasing a course on the best practices on online safety and privacy. Those subscribed to the newsletter or YouTube channel will be notified of its release. Thanks for reading, and as always,

Happy Hacking!

// Socials:

© 2021 by Cosmodium CyberSecurity LLC

300 views0 comments

Recent Posts

See All


bottom of page