{
	"id": "ce1b52a0-aa05-439d-aa8c-8743baa4438b",
	"created_at": "2026-04-06T00:15:59.671256Z",
	"updated_at": "2026-04-10T13:12:57.74176Z",
	"deleted_at": null,
	"sha1_hash": "4584957badde481791f00c0057304980dda6b7b8",
	"title": "The Return of Candiru: Zero-days in the Middle East",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1357838,
	"plain_text": "The Return of Candiru: Zero-days in the Middle East\r\nBy Threat Research TeamThreat Research Team\r\nArchived: 2026-04-02 12:03:56 UTC\r\nWe recently discovered a zero-day vulnerability in Google Chrome ( CVE-2022-2294 ) when it was exploited in\r\nthe wild in an attempt to attack Avast users in the Middle East. Specifically, a large portion of the attacks took\r\nplace in Lebanon, where journalists were among the targeted parties.\r\nThe vulnerability was a memory corruption in WebRTC that was abused to achieve shellcode execution in\r\nChrome’s renderer process. We reported this vulnerability to Google, who patched it on July 4, 2022.\r\nBased on the malware and TTPs used to carry out the attack, we can confidently attribute it to a secretive spyware\r\nvendor of many names, most commonly known as Candiru. (A name the threat actors chose themselves, inspired\r\nby a horrifying parasitic fish of the same name.) \r\nAfter Candiru was exposed by Microsoft and CitizenLab in July 2021, it laid low for months, most likely taking\r\nits time to update its malware to evade existing detection. We’ve seen it return with an updated toolset in March\r\n2022, targeting Avast users located in Lebanon, Turkey, Yemen, and Palestine via watering hole attacks using\r\nzero-day exploits for Google Chrome. We believe the attacks were highly targeted.\r\nExploit Delivery and Protection\r\nThere were multiple attack campaigns, each delivering the exploit to the victims in its own way. \r\nIn Lebanon, the attackers seem to have compromised a website used by employees of a news agency. 
We can’t say for sure what the attackers might have been after; however, often the reason why attackers go after journalists is to spy on them and the stories they’re working on directly, or to get to their sources and gather compromising information and sensitive data they shared with the press.\r\nInterestingly, the compromised website contained artifacts of persistent XSS attacks, with there being pages that contained calls to the JavaScript function alert along with keywords like test. We suppose that this is how the attackers tested the XSS vulnerability, before ultimately exploiting it for real by injecting a piece of code that loads malicious JavaScript from an attacker-controlled domain. This injected code was then responsible for routing the intended victims (and only the intended victims) to the exploit server, through several other attacker-controlled domains.\r\nThe malicious code injected into the compromised website, loading further JavaScript from stylishblock[.]com\r\nOnce the victim gets to the exploit server, Candiru gathers more information. A profile of the victim’s browser, consisting of about 50 data points, is collected and sent to the attackers. The collected information includes the victim’s language, timezone, screen information, device type, browser plugins, referrer, device memory, cookie functionality, and more. We suppose this was done to further protect the exploit and make sure that it only gets delivered to the targeted victims. If the collected data satisfies the exploit server, it uses RSA-2048 to exchange an encryption key with the victim. This encryption key is used with AES-256-CBC to establish an encrypted channel through which the zero-day exploits get delivered to the victim. This encrypted channel is set up on top of TLS, effectively hiding the exploits even from those who would be decrypting the TLS session in order to capture plaintext HTTP traffic.\r\nhttps://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/\r\nPage 1 of 4\r\nExploits and Vulnerabilities\r\nWe managed to capture a zero-day exploit that abused a heap buffer overflow in WebRTC to achieve shellcode execution inside a renderer process. This zero-day was chained with a sandbox escape exploit, which was unfortunately further protected and we were not able to recover it. We extracted a PoC from the renderer exploit and sent it to Google’s security team. They fixed the vulnerability, assigning it CVE-2022-2294 and releasing a patch in Chrome version 103.0.5060.114 (Stable channel).\r\nWhile the exploit was specifically designed for Chrome on Windows, the vulnerability’s potential was much wider. Since the root cause was located in WebRTC, the vulnerability affected not only other Chromium-based browsers (like Microsoft Edge) but also different browsers like Apple’s Safari. We do not know if Candiru developed exploits other than the one targeting Chrome on Windows, but it’s possible that they did. Our Avast Secure Browser was patched on July 5. Microsoft adopted the Chromium patch on July 6, while Apple released a patch for Safari on July 20. We encourage all other WebRTC integrators to patch as soon as possible.\r\nAt the end of the exploit chain, the malicious payload (called DevilsTongue, a full-blown spyware) attempts to get into the kernel using another zero-day exploit. This time, it is targeting a legitimate signed kernel driver in a BYOVD (Bring Your Own Vulnerable Driver) fashion. Note that for the driver to be exploited, it has to be first dropped to the filesystem (Candiru used the path C:\\Windows\\System32\\drivers\\HW.sys) and loaded, which represents a good detection opportunity.\r\nThe driver is exploited through IOCTL requests. In particular, there are two vulnerable IOCTLs: 0x9C40648C can be abused for reading physical memory and 0x9C40A4CC for writing physical memory. We reported this to the driver’s developer, who acknowledged the vulnerability and claimed to be working on a patch. Unfortunately, the patch will not stop the attackers, since they can just continue to exploit the older, unpatched driver. We are also discussing a possible revocation, but that would not be a silver bullet either, because Windows doesn’t always check the driver’s revocation status. Driver blocklisting seems to be the best solution for now.\r\nOne of the vulnerable IOCTL handlers\r\nWhile there is no way for us to know for certain whether or not the WebRTC vulnerability was exploited by other groups as well, it is a possibility. Sometimes zero-days get independently discovered by multiple groups, sometimes someone sells the same vulnerability/exploit to multiple groups, etc. But we have no indication that there is another group exploiting this same zero-day.\r\nBecause Google was fast to patch the vulnerability on July 4, Chrome users simply need to click the button when the browser prompts them to “restart to finish applying the update.” The same procedure should be followed by users of most other Chromium-based browsers, including Avast Secure Browser. Safari users should update to version 15.6.\r\nIndicators of Compromise (IoCs)\r\nInfrastructure\r\nFilesystem\r\nAll .dll files might also appear with an additional .inf extension (e.g. C:\\Windows\\System32\\migration\\netiopmig.dll.inf)\r\nHijacked CLSIDs (persistence mechanism)\r\nIoCs are also available in our IoC repository.\r\nSource: https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/"
	],
	"report_names": [
		"the-return-of-candiru-zero-days-in-the-middle-east"
	],
	"threat_actors": [
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "38f8da87-b4ba-474b-83e6-5b04d8fb384b",
			"created_at": "2024-02-02T02:00:04.032871Z",
			"updated_at": "2026-04-10T02:00:03.532955Z",
			"deleted_at": null,
			"main_name": "Caramel Tsunami",
			"aliases": [
				"SOURGUM",
				"Candiru"
			],
			"source_name": "MISPGALAXY:Caramel Tsunami",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434559,
	"ts_updated_at": 1775826777,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4584957badde481791f00c0057304980dda6b7b8.pdf",
		"text": "https://archive.orkl.eu/4584957badde481791f00c0057304980dda6b7b8.txt",
		"img": "https://archive.orkl.eu/4584957badde481791f00c0057304980dda6b7b8.jpg"
	}
}