Insikt Group Reveals Spyware Clusters in Hungary and Saudi Arabia

Recent investigations by Recorded Future's Insikt Group have uncovered new infrastructure clusters linked to the Israeli spyware company Candiru. The findings suggest that Candiru has rebranded in order to keep operating despite international restrictions on its business.
Researchers pinpointed malicious infrastructure clusters in both Hungary and Saudi Arabia, which appear to be part of a larger network used to deploy the remote access implant that Microsoft tracks as DevilsTongue. Candiru, founded in 2014 by former NSO Group staff, specializes in exploiting zero-day vulnerabilities.
In addition to the findings in Hungary and Saudi Arabia, the researchers identified six more infrastructure clusters implicating Candiru’s activity in Indonesia and Azerbaijan. They reported, “Eight distinct clusters were identified, five of which are highly likely to be active, including those associated with Hungary and Saudi Arabia.” One cluster linked to a customer in Indonesia was operational until November 2024, while the status of two Azerbaijan-linked clusters remains uncertain.
DevilsTongue is Windows-based spyware that gives operators extensive access to a compromised device, including file exfiltration, collection of browser data such as saved credentials and cookies, and access to encrypted messaging, including Signal. Note that it reads messages on the compromised endpoint rather than breaking Signal's encryption: end-to-end encryption protects data in transit, not data on a device the attacker already controls. The implant is delivered using zero-day exploits and has previously been associated with zero-day exploits for Google Chrome used against targets in Armenia and the Middle East.
Given its technological sophistication and significant costs, the Insikt researchers suggest that such tools are likely directed at high-profile targets, such as politicians and business leaders. A reported victim in Hungary is Daniel Freund, a European Parliament member critical of Hungarian Prime Minister Viktor Orbán.
Despite being added to the U.S. Commerce Department's Entity List in 2021, which restricts its access to U.S.-origin technologies, Candiru reportedly continues to operate. In April, CT Tech revealed that investment firm Integrity Partners acquired the company's operations for $30 million, effectively transferring its technology and workforce to a new entity that is not subject to the U.S. restrictions.
Candiru has undergone multiple rebranding efforts since its inception, having previously operated as Grindavik Solutions in 2018 and Taveta Ltd in 2019, along with the establishment of a subsidiary named Sokoto in 2020. According to Nitansha Bansal from the Atlantic Council, such rebranding practices are common among spyware vendors seeking to obscure their operations and avoid legal restrictions.
Research from the Atlantic Council indicates that jurisdiction hopping is another tactic employed by spyware companies to evade legal frameworks. While international scrutiny of the spyware market continues to intensify through initiatives like the U.S.-led coalition aimed at countering spyware, the industry still thrives due to inconsistent enforcement of regulations and voluntary norms.
Bansal argues for stronger measures within the EU, which is home to nearly 30% of known spyware vendors, advocating standardized export licensing and corporate registries that would make it harder for these companies to obscure their identities and evade scrutiny by authorities.