{
	"id": "be927d41-147f-4f32-bbf7-8935f4d22a69",
	"created_at": "2026-04-06T00:09:52.900221Z",
	"updated_at": "2026-04-10T03:33:20.523314Z",
	"deleted_at": null,
	"sha1_hash": "052c37c25ab2d0f6afba0f3b1881b10053e09ba2",
	"title": "Hooking Candiru: Another Mercenary Spyware Vendor Comes into Focus - The Citizen Lab",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 907393,
	"plain_text": "Hooking Candiru: Another Mercenary Spyware Vendor Comes\r\ninto Focus - The Citizen Lab\r\nArchived: 2026-04-05 17:35:02 UTC\r\nSummary\r\nCandiru is a secretive Israel-based company that sells spyware exclusively to governments. Reportedly,\r\ntheir spyware can infect and monitor iPhones, Androids, Macs, PCs, and cloud accounts.\r\nUsing Internet scanning we identified more than 750 websites linked to Candiru’s spyware infrastructure.\r\nWe found many domains masquerading as advocacy organizations such as Amnesty International, the\r\nBlack Lives Matter movement, as well as media companies, and other civil-society themed entities.\r\nWe identified a politically active victim in Western Europe and recovered a copy of Candiru’s Windows\r\nspyware. \r\nWorking with Microsoft Threat Intelligence Center (MSTIC) we analyzed the spyware, resulting in the\r\ndiscovery of CVE-2021-31979 and CVE-2021-33771 by Microsoft, two privilege escalation\r\nvulnerabilities exploited by Candiru. Microsoft patched both vulnerabilities on July 13th, 2021.\r\nAs part of their investigation, Microsoft observed at least 100 victims in Palestine, Israel, Iran, Lebanon,\r\nYemen, Spain, United Kingdom, Turkey, Armenia, and Singapore. Victims include human rights defenders,\r\ndissidents, journalists, activists, and politicians.\r\nWe provide a brief technical overview of the Candiru spyware’s persistence mechanism and some details\r\nabout the spyware’s functionality.\r\nCandiru has made efforts to obscure its ownership structure, staffing, and investment partners.\r\nNevertheless, we have been able to shed some light on those areas in this report.\r\n1. Who is Candiru?\r\nThe company known as “Candiru,” based in Tel Aviv, Israel, is a mercenary spyware firm that markets\r\n“untraceable” spyware to government customers. 
Their product offering includes solutions for spying on\r\ncomputers, mobile devices, and cloud accounts.\r\nhttps://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/\r\nPage 1 of 14\n\nA Deliberately Opaque Corporate Structure\r\nCandiru makes efforts to keep its operations, infrastructure, and staff identities opaque to public scrutiny. Candiru\r\nLtd. was founded in 2014 and has undergone several name changes (see Table 1). Like many mercenary spyware\r\ncorporations, the company reportedly recruits from the ranks of Unit 8200, the signals intelligence unit of the\r\nIsraeli Defence Forces.\r\nWhile the company’s current name is Saito Tech Ltd, we will refer to them as “Candiru” as they are most well\r\nknown by that name. The firm’s corporate logo appears to be a silhouette of the reputedly-gruesome Candiru fish\r\nin the shape of the letter “C.”\r\nCompany Name | Date of Registration | Possible Meaning\r\nSaito Tech Ltd. (סאייטו טק בע״מ) | 2020 | “Saito” is a town in Japan\r\nTaveta Ltd. (טאבטה בע״מ) | 2019 | “Taveta” is a town in Kenya\r\nGrindavik Solutions Ltd. (גרינדוויק פתרונות בע״מ) | 2018 | “Grindavik” is a town in Iceland\r\nDF Associates Ltd. (ד. אפ אסוסיאייטס בע״מ) | 2017 | ?\r\nCandiru Ltd. (קנדירו בע״מ) | 2014 | A parasitic freshwater fish\r\nTable 1\r\nCandiru’s corporate registrations over time\r\nCandiru has at least one subsidiary: Sokoto Ltd. Section 5 provides further documentation of Candiru’s corporate\r\nstructure and ownership.\r\nReported Sales and Investments\r\nAccording to a lawsuit brought by a former employee, Candiru had sales of “nearly $30 million,” within two years\r\nof its founding. 
The firm’s reported clients are located in “Europe, the former Soviet Union, the Persian Gulf, Asia\r\nand Latin America.” Additionally, reports of possible deals with several countries have been published:\r\nUzbekistan: In a 2019 presentation at the Virus Bulletin security conference, a Kaspersky Lab researcher\r\nstated that Candiru likely sold its spyware to Uzbekistan’s National Security Service.\r\nSaudi Arabia \u0026 the UAE: The same presentation also mentioned Saudi Arabia and the UAE as likely\r\nCandiru customers.\r\nSingapore: A 2019 Intelligence Online report mentions that Candiru was active in soliciting business from\r\nSingapore’s intelligence services.\r\nQatar: A 2020 Intelligence Online report notes that Candiru “has become closer to Qatar.” A company\r\nlinked to Qatar’s sovereign wealth fund has invested in Candiru. No information on Qatar-based customers\r\nhas yet emerged.\r\nCandiru’s Spyware Offerings\r\nA leaked Candiru project proposal published by TheMarker shows that Candiru’s spyware can be installed using a\r\nnumber of different vectors, including malicious links, man-in-the-middle attacks, and physical attacks. A vector\r\nnamed “Sherlock” is also offered, which they claim works on Windows, iOS, and Android. This may be a browser-based zero-click vector.\r\nLike many of its peers, Candiru appears to license its spyware by number of concurrent infections, which reflects\r\nthe number of targets that can be under active surveillance at any one instant in time. Like NSO Group, Candiru\r\nalso appears to restrict the customer to a set of approved countries.\r\nThe €16 million project proposal allows for an unlimited number of spyware infection attempts, but the\r\nmonitoring of only 10 devices simultaneously. For an additional €1.5M, the customer can purchase the ability to\r\nmonitor 15 additional devices simultaneously, and to infect devices in a single additional country. 
For an\r\nadditional €5.5M, the customer can monitor 25 additional devices simultaneously, and conduct espionage in five\r\nmore countries.\r\nThe fine print in the proposal states that the product will operate in “all agreed upon territories,” then mentions a\r\nlist of restricted countries including the US, Russia, China, Israel and Iran. This same list of restricted countries\r\nhas previously been mentioned by NSO Group. Nevertheless, Microsoft observed Candiru victims in Iran,\r\nsuggesting that in some situations, products from Candiru do operate in restricted territories. In addition, targeting\r\ninfrastructure disclosed in this report includes domains masquerading as the Russian postal service.\r\nThe proposal states that the spyware can exfiltrate private data from a number of apps and accounts including\r\nGmail, Skype, Telegram, and Facebook. The spyware can also capture browsing history and passwords, turn on\r\nthe target’s webcam and microphone, and take pictures of the screen. Capturing data from additional apps, such as\r\nSignal Private Messenger, is sold as an add-on.\r\nFor a further additional €1.5M fee, customers can purchase a remote shell capability, which allows them full\r\naccess to run any command or program on the target’s computer. This kind of capability is especially concerning,\r\ngiven that it could also be used to download files onto an infected device, including planting incriminating\r\nmaterials.\r\n2. Finding Candiru’s Malware In The Wild\r\nUsing telemetry data from Team Cymru, along with assistance from civil society partners, the Citizen Lab was\r\nable to identify a computer that we suspected contained a persistent Candiru infection. We contacted the owner of\r\nthe computer, a politically active individual in Western Europe, and arranged for the computer’s hard drive to be\r\nimaged. 
We ultimately extracted a copy of Candiru’s spyware from the disk image.\r\nWhile analysis of the extracted spyware is ongoing, this section outlines initial findings about the spyware’s\r\npersistence\r\nPersistence\r\nCandiru’s spyware was persistently installed on the computer via COM hijacking of the following registry key:\r\nHKEY_LOCAL_MACHINE\\Software\\Classes\\CLSID\\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\\InprocServer32\r\nNormally, this registry key’s value points to the benign Windows Management Instrumentation wmiutils.dll\r\nfile, but the value on the infected computer had been modified to point to a malicious DLL file that had been\r\ndropped inside the Windows system folder associated with the Japanese input method (IMEJP):\r\nC:\\WINDOWS\\system32\\ime\\IMEJP\\IMJPUEXP.DLL. This folder is benign and included in a default install of Windows 10,\r\nbut IMJPUEXP.DLL is not the name of a legitimate Windows component.\r\nWhen Windows boots, it automatically loads the Windows Management Instrumentation service, which involves\r\nlooking up the DLL path in the registry key, and then invoking the DLL.\r\nLoading the Spyware’s Configuration\r\nThe IMJPUEXP DLL file has eight blobs in the PE resources section with identifiers 102, 103, 105, 106, 107, 108,\r\n109, 110. The DLL decrypts these using an AES key and IV that are hardcoded in the DLL. Decryption is via\r\nWindows CryptoAPI, using AES-256-CBC.\r\nOf particular note is resource 102, which contains the path to the legitimate wmiutils.dll, which is loaded after the\r\nspyware, ensuring that the COM hijack does not disrupt normal Windows functionality. Resource 103 points to a\r\nfile AgentService.dat in a folder created by the spyware,\r\nC:\\WINDOWS\\system32\\config\\spp\\Licenses\\curv\\config\\tracing. 
Resource 105 points to a second file in the same\r\ndirectory, KBDMAORI.dat.\r\nIMJPUEXP.DLL decrypts and loads the AgentService.dat file whose path is in resource 103, using the same AES\r\nkey and IV, and decompresses it via zlib. AgentService.dat then loads the file in resource 105,\r\nKBDMAORI.dat, using a second AES key and IV hardcoded in AgentService.dat, and performs the decryption\r\nusing a statically linked OpenSSL. Decrypting KBDMAORI.DAT yields a file with a series of nine encrypted\r\nblobs, each prefixed with an 8-byte little-endian length field. Each blob is encrypted with the same AES key and\r\nIV used to decrypt KBDMAORI.DAT, and is then zlib compressed.\r\nThe first four encrypted blobs appear to be DLLs from the Microsoft Visual C++ redistributable:\r\nvcruntime140.dll, msvcp140.dll, ucrtbase.dll, concrt140.dll. The subsequent blobs are part of the spyware,\r\nincluding components that are apparently called Internals.dll and Help.dll. Both the Microsoft DLLs and the\r\nspyware DLLs in KBDMAORI.DAT are lightly obfuscated. Reverting the following modifications makes the\r\nfiles valid DLLs:\r\n1. The first two bytes of the file (MZ) have been zeroed.\r\n2. The first 4 bytes of the NT header (\\x50\\x45\\x00\\x00) have been zeroed.\r\n3. The first 2 bytes of the optional header (\\x0b\\x02) have been zeroed.\r\n4. The strings in the import directory have been XOR obfuscated, using a 48-byte XOR key hardcoded in\r\nAgentService.dat:\r\n6604F922F90B65F2B10CE372555C0A0C0C5258B6842A83C7DC2EE4E58B363349F496E6B6A587A88D0164B74DAB9E6B58\r\nThe final blob in KBDMAORI.DAT is the spyware’s configuration in JSON format. 
The configuration is\r\nsomewhat obfuscated, but clearly contains Base64 UTF-16 encoded URLs for command-and-control.\r\nThe C\u0026C servers in the configuration are:\r\nhttps://msstore[.]io\r\nhttps://adtracker[.]link\r\nhttps://cdnmobile[.]io\r\nAll three domain names pointed to 185.181.8[.]155. This IP address was connected to three other IPs that matched\r\nour Candiru fingerprint CF1 (Section 3).\r\nSpyware Functionality\r\nWe are still reversing most of the spyware’s functionality, but Candiru’s Windows payload appears to include\r\nfeatures for exfiltrating files, exporting all messages saved in the Windows version of the popular encrypted\r\nmessaging app Signal, and stealing cookies and passwords from Chrome, Internet Explorer, Firefox, Safari, and\r\nOpera browsers. The spyware also makes use of a legitimate signed third-party driver, physmem.sys:\r\nc299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d\r\nMicrosoft’s analysis also established that the spyware could send messages from logged-in email and social media\r\naccounts directly on the victim’s computer. This could allow malicious links or other messages to be sent directly\r\nfrom a compromised user’s computer.  Proving that the compromised user did not send the message could be quite\r\nchallenging.\r\n3. Mapping Candiru’s Command \u0026 Control Infrastructure\r\nTo identify the websites used by Candiru’s spyware, we developed four fingerprints and a new Internet scanning\r\ntechnique. We searched historical data from Censys and conducted our own scans in 2021. This led us to identify\r\nat least 764 domain names that we assess with moderate-high confidence to be used by Candiru and its customers.\r\nExamination of the domain names indicates a likely interest in targets in Asia, Europe, the Middle East, and North\r\nAmerica.  
\r\nAdditionally, based on our analysis of Internet scanning data, we believe that there are Candiru systems operated\r\nfrom Saudi Arabia, Israel, UAE, Hungary, and Indonesia, among other countries.\r\nOPSEC Mistake by Candiru Leads to their Infrastructure\r\nUsing Censys, we found a self-signed TLS certificate that included the email address\r\n“amitn@candirusecurity.com”. We attributed the candirusecurity[.]com domain name to Candiru Ltd, because a\r\nsecond domain name (verification[.]center) was registered in 2015 with a candirusecurity[.]com email address\r\nand a phone number (+972-54-2552428) listed by Dun \u0026 Bradstreet as the fax number for Candiru Ltd, also\r\nknown as Saito Tech Ltd.\r\nCensys data records that a total of six IP addresses returned this certificate: 151.236.23[.]93, 69.28.67[.]162,\r\n176.123.26[.]67, 52.8.109[.]170, 5.135.115[.]40, 185.56.89[.]66. The latter four of these IP addresses subsequently\r\nreturned another certificate, which we fingerprinted (Fingerprint CF1) based on distinctive features. We\r\nsearched Censys data for this fingerprint.\r\nSELECT parsed.fingerprint_sha256\r\nFROM `censys-io.certificates_public.certificates`\r\nWHERE parsed.issuer_dn IS NULL\r\n AND parsed.subject_dn IS NULL\r\n AND parsed.validity.length = 8639913600\r\n AND parsed.extensions.basic_constraints.is_ca\r\nWe found 42 certificates on Censys matching CF1. We observed that six IPs matching CF1 certificates later\r\nreturned certificates that matched a second fingerprint we devised, CF2. The CF2 fingerprint is based on\r\ncertificates that match those generated by a “Fake Name” generator. 
We first ran an SQL query on Censys data for\r\nthe fingerprint, and then filtered by a list of fake names.\r\nSELECT parsed.fingerprint_sha256, parsed.subject_dn\r\nFROM `censys-io.certificates_public.certificates`\r\nWHERE (parsed.subject_dn = parsed.issuer_dn\r\n AND REGEXP_CONTAINS(parsed.subject_dn, r\"^O=[A-Z][a-z]+,,? CN=[a-z]+.(com|net|org)+$\")\r\n AND parsed.extensions.basic_constraints.is_ca)\r\nTable 3\r\nFingerprint CF2 SQL Query\r\nThe SQL query yielded 572 results. We filtered the results, requiring the TLS certificate’s organization in the\r\nparsed.subject_dn field to contain an entry from the list of 475 last names in the Perl Data-Faker module. We\r\nsuspect that Candiru is using either this Perl module, or another module that uses the same word list, to generate\r\nfake names for TLS certificates. Neither the Perl Data-Faker module, nor other similar modules (e.g., the Ruby\r\nFaker Gem, or the PHP Faker module) appear to have built-in functionality for generating fake TLS certificates.\r\nThus, we suspect that the TLS certificate generation code is custom code written by Candiru. After filtering, we\r\nfound 542 matching certificates.\r\nWe then developed an HTTP fingerprint, called BRIDGE, with which we scanned the Internet and built a third\r\nTLS fingerprint, CF3. We are keeping the BRIDGE and CF3 fingerprints confidential for now in order to\r\nmaintain visibility into Candiru’s infrastructure.\r\nOverlap with CHAINSHOT\r\nOne of the IPs that matched our CF1 fingerprint, 185.25.50[.]194, was pointed to by\r\ndl.nmcyclingexperience[.]com, which is mentioned as a final URL of a spyware payload delivered by the\r\nCHAINSHOT exploit kit in a 2018 report. CHAINSHOT is believed to be linked to Candiru, though no public\r\nreports have outlined the basis for this attribution, until now. 
Kaspersky has observed UAE hacking group Stealth\r\nFalcon using CHAINSHOT, as well as an Uzbekistan-based customer that they call SandCat. While numerous\r\nanalyses have focused on various CHAINSHOT exploitation techniques, we have not seen any public work that\r\nexamines Candiru’s final Windows payload.\r\nOverlap with Google TAG Research\r\nOn 14 July 2021, Google’s Threat Analysis Group (TAG) published a report that mentions two Chrome zero-day\r\nexploits that TAG observed used against targets (CVE-2021-21166 and CVE-2021-30551). The report mentions\r\nnine websites that Google determined were used to distribute the exploits. Eight of these websites pointed to IP\r\naddresses that matched our CF3 Candiru fingerprint. We thus believe that the attacks that Google observed\r\ninvolving these Chrome exploits were linked to Candiru.\r\nGoogle also linked a further Microsoft Office exploit they observed (CVE-2021-33742) to the same operator.\r\nTargeting Themes\r\nExamination of Candiru’s targeting infrastructure permits us to make guesses about the location of potential\r\ntargets, and topics and themes that Candiru operators believed that targets would find relevant and enticing.\r\nSome of the themes strongly suggest that the targeting likely concerned civil society and political activity. This\r\ntroubling indicator matches with Microsoft’s observation of the extensive targeting of members of civil society,\r\nacademics, and the media with Candiru’s spyware. We observed evidence of targeting infrastructure masquerading\r\nas media, advocacy organizations, international organizations, and others (see: Table 4).\r\nWe found many aspects of this targeting concerning, such as the domain blacklivesmatters[.]info, which may be\r\nused to target individuals interested in or affiliated with this movement. 
Similarly, infrastructure masquerading as\r\nAmnesty International and Refugees International is troubling, as are lookalike domains for the United Nations,\r\nWorld Health Organization, and other international organizations. We also found the targeting theme of gender\r\nstudies (e.g. womanstudies[.]co \u0026 genderconference[.]org) to be particularly interesting and warranting further\r\ninvestigation.\r\nTheme | Example Domains | Masquerading as\r\nInternational Media | cnn24-7[.]online | CNN\r\nInternational Media | dw-arabic[.]com | Deutsche Welle\r\nInternational Media | euro-news[.]online | Euronews\r\nInternational Media | rasef22[.]com | Raseef22\r\nInternational Media | france-24[.]news | France 24\r\nAdvocacy Organizations | amnestyreports[.]com | Amnesty International\r\nAdvocacy Organizations | blacklivesmatters[.]info | Black Lives Matter movement\r\nAdvocacy Organizations | refugeeinternational[.]org | Refugees International\r\nGender Studies | womanstudies[.]co | Academic theme\r\nGender Studies | genderconference[.]org | Academic conference\r\nTech Companies | cortanaupdates[.]com | Microsoft\r\nTech Companies | googlplay[.]store | Google\r\nTech Companies | apple-updates[.]online | Apple\r\nTech Companies | amazon-cz[.]eu | Amazon\r\nTech Companies | drpbx-update[.]net | Dropbox\r\nTech Companies | lenovo-setup[.]tk | Lenovo\r\nTech Companies | konferenciya-zoom[.]com | Zoom\r\nTech Companies | zcombinator[.]co | Y Combinator\r\nSocial Media | linkedin-jobs[.]com | LinkedIn\r\nSocial Media | faceb00k-live[.]com | Facebook\r\nSocial Media | minstagram[.]net | Instagram\r\nSocial Media | twitt-live[.]com | Twitter\r\nSocial Media | youtubee[.]life | YouTube\r\nPopular Internet Websites | wikipediaathome[.]net | Wikipedia\r\nInternational Organizations | osesgy-unmissions[.]org | Office of the Special Envoy of the Secretary-General for Yemen\r\nInternational Organizations | un-asia[.]co | United Nations\r\nInternational Organizations | whoint[.]co | World Health Organization\r\nGovernment Contractors | vesteldefnce[.]io | Turkish defense contractor\r\nGovernment Contractors | vfsglobal[.]fr | Visa services provider\r\nTable 4\r\nSome targeting themes observed in Candiru domains.\r\nA range of targeting domains appears to be reasonably 
country-specific (see: Table 5). We believe these domain\r\nthemes indicate likely countries of targets and not necessarily the countries of the operators themselves.\r\nCountry | Example Domain | What is This Likely Impersonating?\r\nIndonesia | indoprogress[.]co | Left-leaning Indonesian publication\r\nRussia | pochtarossiy[.]info | Russian postal service\r\nCzechia | kupony-rohlik[.]cz | Czech grocery\r\nArmenia | armenpress[.]net | State news agency of Armenia\r\nIran | tehrantimes[.]org | English-language daily newspaper in Iran\r\nTurkey | yeni-safak[.]com | Turkish newspaper\r\nCyprus | cyprusnet[.]tk | A portal providing information on Cypriot businesses\r\nAustria | oiip[.]org | Austrian Institute for International Affairs\r\nPalestine | lwaeh-iteham-alasra[.]com | Website that publishes Israeli court indictments of Palestinian prisoners\r\nSaudi Arabia | mbsmetoo[.]com | Website for “an international campaign to support the case of Jamal Khashoggi” and other cases against Saudi Crown Prince Mohammed bin Salman\r\nSlovenia | total-slovenia-news[.]net | English-language Slovenian news site\r\nTable 5\r\nSome country themes observed in Candiru domains.\r\n4. A Saudi-Linked Cluster?\r\nA document was uploaded from Iran to VirusTotal that used an AutoOpen macro to launch a web browser and\r\nnavigate it to the URL https://cuturl[.]space/lty7uw, which VirusTotal recorded as redirecting to a\r\nURL, https://useproof[.]cc/1tUAE7A2Jn8WMmq/api, that mentions a domain we linked to Candiru,\r\nuseproof[.]cc. 
The domain useproof[.]cc pointed to 109.70.236[.]107, which matched our fingerprint CF3.\r\nThe document was blank, except for a graphic containing the text “Minister of Foreign Affairs of the Islamic\r\nRepublic of Iran.”\r\nWe fingerprinted the behaviour of cuturl[.]space and traced it to five other URL shorteners: llink[.]link,\r\ninstagrarn[.]co, cuturl[.]app, url-tiny[.]co, and bitly[.]tel. Interestingly, several of these domains were flagged by\r\na researcher at ThreatConnect in two tweets, based on suspicious characteristics of their registration. We suspect\r\nthat the AutoOpen format and the URL shorteners may be unique to a particular Candiru client.\r\nA Saudi Twitter user contacted us and reported that Saudi users active on Twitter were receiving messages with\r\nsuspicious short URLs, including links to the domain name bitly[.]tel. Given this, we suspect that the URL\r\nshorteners may be linked to Saudi Arabia.\r\n5. Additional Corporate Details for Candiru\r\nYa’acov Weitzman (יעקב ויצמן) and Eran Shorer (ערן שורר) founded Candiru in 2014. Isaac Zack (יעקב זק), also\r\nreportedly an early investor in NSO Group, became the largest shareholder of Candiru less than two months after\r\nits founding and took a seat on its board of directors. In January 2019, Tomer Israeli (תומר ישראלי) first appeared\r\nin corporate records as Candiru’s “director of finance,” and Eitan Achlow (איתן אחלאו) was named CEO.\r\nA number of independent investors appear to have funded Candiru’s operations over the years. As of Candiru’s\r\nnotice of allotment of shares filed in February 2021 with the Israeli Corporations Authority, Zack, Shorer, and\r\nWeitzman are still the largest shareholders. 
Three organizations are the next largest shareholders: Universal\r\nMotors Israel LTD (corporate registration 511809071), ESOP management and trust services (ניהול שירותי איסופ)\r\n(corporate registration 513699538), and Optas Industry Ltd. ESOP (corporate registration no. 513699538) is an\r\nIsraeli company that provides employee stock program administrative services to corporate clients. We do not\r\nknow whether ESOP holds its stock in trust for certain Candiru employees. Optas Industry Ltd. is a Malta-based\r\nprivate equity firm (registration number C91267, shareholder Leonard Joseph O’Brien, directors are O’Brien and\r\nMichael Ellul, incorporated 28 March 2019). It has been reported that for a decade O’Brien has served as head of\r\ninvestment and a board member of the Gulf Investment Fund, and that the sovereign Qatar Investment Authority\r\nhas a 12% stake in the Gulf Investment Fund (through a subsidiary, Qatar Holding). Universal Motors Israel\r\n(company registration no. 511809071) as an investor (including a seat on Candiru’s board) is curious considering\r\ntheir primary business is the distribution of new and used automobiles.\r\nBesides Amit Ron (עמית רון), the Universal Motors Israel representative, Candiru’s board as of December 2020\r\nincludes Isaac Zack, Ya’acov Weitzman, and Eran Shorer.\r\nIn addition to the involvement of Zack, Candiru shares other points of commonality with NSO Group, including\r\nrepresentation by the same law firm and utilization of the same employee equity and trust administration services\r\ncompany.\r\n6. 
Conclusion\r\nCandiru’s apparent widespread presence, and the use of its surveillance technology against global civil society, is a\r\npotent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse.\r\nThis case demonstrates, yet again, that in the absence of any international safeguards or strong government export\r\ncontrols, spyware vendors will sell to government clients who will routinely abuse their services. Many\r\ngovernments that are eager to acquire sophisticated surveillance technologies lack robust safeguards over their\r\ndomestic and foreign security agencies. Many are characterized by poor human rights track records. It is not\r\nsurprising that, in the absence of strong legal restraints, these types of government clients will misuse spyware\r\nservices to track journalists, political opposition, human rights defenders, and other members of global civil\r\nsociety.\r\nCivil Society in the Crosshairs…Again\r\nThe apparent targeting of an individual because of their political beliefs and activities that are neither terrorist nor\r\ncriminal in nature is a troubling example of this dangerous situation. Microsoft’s independent analysis is also\r\ndisconcerting, discovering at least 100 victims of Candiru’s malware operations that include “politicians, human\r\nrights activists, journalists, academics, embassy workers and political dissidents.”\r\nEqually disturbing in this regard is Candiru’s registration of domains impersonating human rights NGOs\r\n(Amnesty International), legitimate social movements (Black Lives Matter), international health organizations\r\n(WHO), women’s rights themes, and news organizations. 
Although we lack context around the specific use cases\r\nconnected to these domains, their mere presence as part of Candiru’s infrastructure—in light of widespread harms\r\nagainst civil society associated with the global spyware industry—is highly concerning and an area that merits\r\nfurther investigation.\r\nRectifying Harms around the Commercial Spyware Market\r\nUltimately, tackling the malpractices of the spyware industry will require a robust, comprehensive approach that\r\ngoes beyond efforts focused on a single high-profile company or country. Unfortunately, Israel’s Ministry of\r\nDefense—from whom Israeli-based companies like Candiru must receive an export license before selling abroad\r\n—has so far proven itself unwilling to subject surveillance companies to the type of rigorous scrutiny that would\r\nbe required to prevent abuses of the sort we and other organizations have identified. The export licensing process\r\nin that country is almost entirely opaque, lacking even the most basic measures of public accountability or\r\ntransparency. It is our hope that reports such as this one will help spur policymakers and legislators in Israel and\r\nelsewhere to do more to prevent the mounting harms associated with an unregulated spyware marketplace.\r\nIt is worth noting the growing risks that spyware vendors and their ownership groups themselves face as a result\r\nof their own reckless sales. Mercenary spyware vendors like Candiru market their services to their government\r\nclients as “untraceable” tools that evade detection and thus prevent their clients’ operations from being exposed.\r\nHowever, our research shows once again how specious these claims are. 
Although sometimes challenging, it is\r\npossible for researchers to detect and uncover targeted espionage using a variety of network monitoring and\r\nother investigative techniques, as we have demonstrated in this report (and others like it). Even the most well-resourced surveillance companies make operational mistakes and leave digital traces, making their marketing\r\nclaims about being stealthy and undetectable highly questionable. To the extent that their products are implicated\r\nin significant harms or cases of unlawful targeting, the negative exposure that comes from public interest research\r\nmay create significant liabilities for ownership, shareholders, and others associated with these spyware companies.\r\nFinally, this case shows the value of a community-wide approach to investigations into targeted espionage. In\r\norder to remedy the harms generated by this industry for innocent members of global civil society, cooperation\r\namong academic researchers, network defenders, threat intelligence teams, and technology platforms is critical.\r\nOur research drew upon multiple data sources curated by other groups and entities with whom we cooperated, and\r\nultimately helped identify software vulnerabilities in a widely used product that were reported to and then patched\r\nby its vendor.\r\nAcknowledgements\r\nThanks to Microsoft and Microsoft Threat Intelligence Center (MSTIC) for their collaboration, and for working to\r\nquickly address the security issues identified through their research.\r\nWe are especially grateful to the targets that make the choice to work with us to help identify and expose the\r\nentities involved in targeting them. Without their participation this report would not have been possible.\r\nThanks to Team Cymru for providing access to their Pure Signal Recon product. 
Their tool’s ability to show\r\nInternet traffic telemetry from the past three months provided the breakthrough we needed to identify the initial\r\nvictim from Candiru’s infrastructure.\r\nFunding for this project was provided by a generous grant from the John D. and Catherine T. MacArthur\r\nFoundation, the Ford Foundation, Oak Foundation, Sigrid Rausing Trust, and Open Societies Foundation.\r\nThanks to Miles Kenyon, Mari Zhou, and Adam Senft for communications, graphics, and organizational support.\r\nSource: https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/"
	],
	"report_names": [
		"hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus"
	],
	"threat_actors": [
		{
			"id": "80cf66b8-27d2-4e87-b0d1-5bacacd9bb3d",
			"created_at": "2023-01-06T13:46:38.931567Z",
			"updated_at": "2026-04-10T02:00:03.149736Z",
			"deleted_at": null,
			"main_name": "SandCat",
			"aliases": [],
			"source_name": "MISPGALAXY:SandCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "fea75bf4-c510-4146-bbac-0802351f4eb0",
			"created_at": "2023-01-06T13:46:38.714847Z",
			"updated_at": "2026-04-10T02:00:03.076837Z",
			"deleted_at": null,
			"main_name": "Unit 8200",
			"aliases": [
				"Duqu Group"
			],
			"source_name": "MISPGALAXY:Unit 8200",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67ac502c-8cf8-46cb-98e8-c249e0f0298d",
			"created_at": "2022-10-25T16:07:24.149987Z",
			"updated_at": "2026-04-10T02:00:04.882099Z",
			"deleted_at": null,
			"main_name": "SandCat",
			"aliases": [],
			"source_name": "ETDA:SandCat",
			"tools": [
				"CHAINSHOT",
				"FinFisher",
				"FinFisher RAT",
				"FinSpy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "38f8da87-b4ba-474b-83e6-5b04d8fb384b",
			"created_at": "2024-02-02T02:00:04.032871Z",
			"updated_at": "2026-04-10T02:00:03.532955Z",
			"deleted_at": null,
			"main_name": "Caramel Tsunami",
			"aliases": [
				"SOURGUM",
				"Candiru"
			],
			"source_name": "MISPGALAXY:Caramel Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434192,
	"ts_updated_at": 1775792000,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/052c37c25ab2d0f6afba0f3b1881b10053e09ba2.pdf",
		"text": "https://archive.orkl.eu/052c37c25ab2d0f6afba0f3b1881b10053e09ba2.txt",
		"img": "https://archive.orkl.eu/052c37c25ab2d0f6afba0f3b1881b10053e09ba2.jpg"
	}
}