Threat Actor

Candiru / Sourgum

candiru_sourgum · israel_commercial_cyber_mercenary · active since 2014

Candiru / Sourgum (canonical company naming "Candiru Ltd", founded 2014 by Eran Shorer and Yaakov Weizman in Tel Aviv, Israel; "Saito Tech Ltd" current operating name; "Integrity Labs Ltd" after the 2025 Integrity Partners US investment firm $30M acquisition and restructuring; Microsoft canonical naming "Sourgum"; primary Windows spyware product "DevilsTongue" per Microsoft naming) is an Israeli private offensive cyber operations contractor / commercial spyware vendor, operationally Israel's second-largest cyber-espionage firm after NSO Group per industry consensus. Its investment ecosystem overlaps with NSO Group (chairman Isaac Zack is an early NSO Group investor; the Founders Group angel syndicate operated by NSO co-founders Omri Lavie and Shalev Hulio invested in Candiru), and its workforce is drawn primarily from Israeli Unit 8200 signals intelligence alumni.

Signature operational tradecraft is the DevilsTongue Windows spyware (cluster-defining: complex modular multi-threaded malware written in C and C++ with both user-mode and kernel-mode capabilities, novel detection evasion mechanisms, DLLs encrypted on disk and only decrypted in memory, and configuration/tasking data kept separate from the malware), plus multi-platform capability (iOS + Android + macOS + Windows + cloud accounts).

Signature Windows kernel 0day exploitation chain CVE-2021-31979 + CVE-2021-33771 (Windows NTOS integer overflow + privilege escalation, patched in Microsoft's July 2021 Patch Tuesday), chained with Chrome + Internet Explorer + WebKit/Safari browser 0days documented by Google TAG.

Signature 750+ website infrastructure documented by Citizen Lab Internet-scan mapping, with domains masquerading as Amnesty International + Black Lives Matter + Russian postal service + media companies + civil-society organizations.

Delivery vectors: WhatsApp single-use URL phishing + drive-by exploits + network data tampering / MitM + malicious documents + physical intrusion, per the leaked Candiru proposal.

Microsoft MSTIC + Citizen Lab canonical joint disclosure (July 15, 2021) documented 100+ victims in Palestine + Israel + Iran + Lebanon + Yemen + Spain (Catalonia) + UK + Turkey + Armenia + Singapore, including politicians + human rights activists + journalists + academics + embassy workers + political dissidents (despite a stated restricted-territory list of US + Russia + China + Israel + Iran). First publicly documented deployment: Kaspersky's 2019 Uzbekistan State Security Service discovery (the Uzbekistan SSS used Kaspersky antivirus to test Candiru spyware detection on the itt.uz domain, enabling Kaspersky to identify Saudi Arabia and UAE as Candiru clients).

Signature corporate name change obfuscation tradecraft (Candiru - Grindavik - Tabatha - Saito Tech - Integrity Labs), operationally consistent with cyber-mercenary industry sensitivity to public exposure.

€16M leaked Candiru proposal pricing model: unlimited infection attempts + 10 concurrent device monitoring + Signal Private Messenger decryption add-on capability.

US Department of Commerce Entity List sanctions (November 2021) + 2025 Integrity Partners acquisition + Integrity Labs Ltd corporate restructuring (operationally a sanctions-evasion-style corporate pivot).

Per Recorded Future Insikt Group August 2025 infrastructure analysis: 8 distinct operational clusters identified, 5 currently active (Hungary + Saudi Arabia confirmed active; Indonesia active until November 2024).

Fills the 2nd cyber-mercenary / private-offensive-actor cell in the curated corpus, following nso_group_pegasus (1st cyber-mercenary cluster); operationally distinct from NSO Group through Windows-focused DevilsTongue spyware specialization.

Classification: israel_commercial_cyber_mercenary · confidence: high · 18 aliases

Profile

Candiru / Sourgum (canonical company naming "Candiru Ltd"; "Saito Tech Ltd" current operating name; "Integrity Labs Ltd" post-2025 acquisition; Microsoft canonical naming "Sourgum"; primary Windows spyware product "DevilsTongue" per Microsoft naming) is an Israeli private offensive cyber operations contractor / commercial spyware vendor headquartered in Tel Aviv, founded 2014 by Eran Shorer + Yaakov Weizman. Operationally Israel's second-largest cyber-espionage firm after NSO Group per industry consensus. Signature investment ecosystem overlap with NSO Group: chairman Isaac Zack is an early NSO Group investor; the Founders Group angel syndicate operated by NSO co-founders Omri Lavie and Shalev Hulio invested in Candiru. Workforce primarily drawn from Israeli Unit 8200 signals intelligence alumni.

Operational phases:
  • (1) CORPORATE EMERGENCE (2014). Founded by Shorer + Weizman; NSO ecosystem investor overlap established.
  • (2) UZBEKISTAN STATE SECURITY SERVICE DISCOVERY (2019). First publicly documented Candiru deployment, identified by Kaspersky via Uzbekistan SSS antivirus detection testing on the itt.uz domain.
  • (3) MICROSOFT MSTIC + CITIZEN LAB CANONICAL JOINT DISCLOSURE (July 15, 2021). DevilsTongue Windows spyware documented; CVE-2021-31979 + CVE-2021-33771 patched; 100+ victims documented in Palestine + Israel + Iran + Lebanon + Yemen + Spain + UK + Turkey + Armenia + Singapore.
  • (4) US ENTITY LIST SANCTIONS (November 2021). Microsoft-attributed cluster sanctioned by the US Department of Commerce alongside NSO Group.
  • (5) INTEGRITY PARTNERS ACQUISITION (2025). $30M sale of Candiru assets and employees to a new Integrity Labs Ltd entity not subject to Entity List sanctions, operationally a sanctions-evasion-style corporate restructuring.
  • (6) RECORDED FUTURE 8-CLUSTER ANALYSIS (August 2025). Continued operational tempo, with 5 of 8 clusters assessed currently active.
Signature operational tradecraft
  • DevilsTongue Windows spyware (cluster-defining): complex modular multi-threaded malware written in C and C++ with a wide range of capabilities. Both user-mode and kernel-mode capabilities. Several novel detection evasion mechanisms. DLLs encrypted on disk and only decrypted in memory. Configuration and tasking data kept separate from the malware to complicate analysis.
  • Multi-platform spyware capability: iOS + Android + macOS + Windows + cloud accounts.
  • Signature Windows kernel 0day exploitation chain: CVE-2021-31979 (Windows NTOS integer overflow) + CVE-2021-33771 (Windows NTOS privilege escalation) chained with browser exploits to escape sandbox + gain kernel code execution.
  • Browser 0day exploitation chains: Chrome + Internet Explorer + WebKit/Safari 0days documented by Google TAG.
  • 750+ websites infrastructure (signature): Citizen Lab Internet-scan mapping documented over 750 websites linked to Candiru spyware infrastructure including domains masquerading as Amnesty International + Black Lives Matter + Russian postal service + media companies + advocacy organizations.
  • WhatsApp single-use URL phishing delivery vector: signature delivery mechanism for browser exploit chains.
  • Multi-vector attack delivery: drive-by exploits + network data tampering / MitM + malicious documents + physical intrusion + WhatsApp single-use URLs per leaked Candiru proposal.
  • Comprehensive spyware data harvesting: Facebook + Gmail + Skype + Telegram + WhatsApp + Viber + SMS + browser cookies + passwords (LSASS + Chrome + IE + Firefox + Safari + Opera) + webcam + microphone + screen pictures + files. Signal Private Messenger decryption capability sold as add-on.
  • Corporate name change obfuscation tradecraft: signature operationally distinctive pattern (Candiru - Grindavik - Tabatha - Saito Tech - Integrity Labs), operationally consistent with cyber-mercenary industry sensitivity to public exposure.
  • 8 operational clusters per Recorded Future 2025 analysis: signature infrastructure design variation across clusters with some using intermediary infrastructure layers or Tor network.
  • €16M leaked proposal pricing: signature pricing model, unlimited infection attempts with 10 concurrent device monitoring.

The cluster fills the 2nd cyber-mercenary / private-offensive-actor cell in this curated corpus, following nso_group_pegasus (curated separately as the 1st cyber-mercenary cluster). Operationally distinct from NSO Group through Windows-focused DevilsTongue spyware specialization (NSO is mobile zero-click focused via Pegasus, though Candiru also has mobile + macOS + cloud variants). Operationally adjacent in this v0.1.112 cyber-mercenary sweep slice to intellexa_predator + paragon_solutions_graphite, curated in this same slice.

Aliases (18)

candiru, candiru ltd, candiru_ltd, sourgum, microsoft sourgum, devilstongue, devils tongue, devil's tongue, saito_tech_ltd, saito tech, grindavik, taveta, tabatha ltd, sokoto, integrity_labs_ltd, candiru_sourgum, candiru israeli spyware, candiru mercenary spyware firm

Notable Campaigns (9)

  • 2025: Integrity Partners US Investment Firm Acquisition (2025)
  • 2025: Recorded Future Insikt Group Eight Operational Clusters Analysis (August 2025)
  • 2022-2026: Continued Operations Through 2022-2026
  • 2021: Microsoft MSTIC + Citizen Lab Canonical Joint Disclosure (July 15, 2021)
  • 2021: Leaked Candiru Project Proposal Disclosure
  • 2021: US Department of Commerce Entity List Sanctions (November 2021)
  • 2019: Kaspersky Uzbekistan State Security Service Discovery (2019)
  • 2014-2025: Corporate Name Change Obfuscation Tradecraft (Signature)
  • 2014: Candiru Corporate Emergence (2014)

Attribution & Reporting

Attributed by
  • Citizen Lab (Bill Marczak + John Scott-Railton + Kristin Berdan + Bahr Abdul Razzak + Ron Deibert, canonical Hooking Candiru July 2021 disclosure)
  • Microsoft Threat Intelligence Center (MSTIC, canonical Sourgum naming July 15, 2021)
  • Microsoft Security Response Center (MSRC)
  • Microsoft Digital Security Unit (Cristin Goodwin, General Manager)
  • Kaspersky Lab (original 2019 Uzbekistan State Security Service discovery)
  • Google Threat Analysis Group (TAG, Chrome/IE/WebKit 0day disclosures linked to Candiru)
  • Recorded Future Insikt Group (canonical 2025 infrastructure analysis, 8 operational clusters)
  • Mandiant / Google Threat Intelligence Group
  • US Department of Commerce (Entity List, November 2021)
  • Vice / Motherboard (2019 Uzbekistan disclosure)
  • TheMarker (leaked project proposal disclosure)
  • Symantec / Broadcom Threat Hunter Team
  • SOPHOS X-Ops
  • ESET
  • Trend Micro
Key reporting
  • Citizen Lab Research Report No. 139 (Bill Marczak + John Scott-Railton + Kristin Berdan + Bahr Abdul Razzak + Ron Deibert): Hooking Candiru, Another Mercenary Spyware Vendor Comes into Focus (July 15, 2021), canonical Candiru disclosure
  • Microsoft MSTIC + MSRC: Protecting Customers from a Private-Sector Offensive Actor Using 0-Day Exploits and DevilsTongue Malware (July 15, 2021), canonical Microsoft Sourgum disclosure
  • Microsoft On the Issues (Cristin Goodwin, General Manager, Digital Security Unit): Fighting cyberweapons built by private businesses (July 15, 2021)
  • Recorded Future Insikt Group: Tracking Candiru's DevilsTongue Spyware (August 2025), canonical 8-cluster infrastructure analysis
  • Vice / Motherboard (Joseph Cox + Lorenzo Franceschi-Bicchierai): Uzbekistan State Security Service Candiru Discovery (2019)
  • Kaspersky Lab: Uzbekistan State Security Service Candiru Spyware Identification (2019)
  • Google Threat Analysis Group (TAG): Chrome + IE + WebKit/Safari 0days attributed to Candiru (July 14, 2021)
  • TheMarker: Leaked Candiru Customer Project Proposal Disclosure
  • US Department of Commerce: Candiru Entity List Final Rule (November 2021)
  • ICIJ (International Consortium of Investigative Journalists): Spyware industry coverage
  • Mandiant / Google Threat Intelligence Group: Candiru adjacent tracking
  • Symantec / Broadcom Threat Hunter Team: Candiru operational profile
  • MITRE ATT&CK Software S0668, DevilsTongue
  • Malpedia Actor Profile: Sourgum + DevilsTongue malware family

Operational

State sponsor

Israeli private offensive cyber operations contractor / commercial spyware vendor headquartered in Tel Aviv, Israel (current operating name Saito Tech Ltd; current ownership transferred post-2021 US Entity List sanctions via Integrity Partners US investment firm acquisition for up to $30 million, with assets and employees transferred to a new Integrity Labs Ltd entity). Founded 2014 by Eran Shorer + Yaakov Weizman. Israeli cyber-mercenary corporate structure with deep Unit 8200 / Israeli Military Intelligence Directorate workforce per Citizen Lab + industry consensus: "Like many mercenary spyware corporations, the company reportedly recruits from the ranks of Unit 8200, the signals intelligence unit of the Israeli Defence Forces." Workforce growth documented: 12 employees in 2015, 70 in 2018 per public court filings of a former senior employee's lawsuit. Revenue documented: $10M in 2016, $20-30M by 2018 with $367M pending deals across 60 government clients. 2019 valuation: $90M per 10% stake sale from Eli Wartman to Universal Motors Israel. Operationally Israel's second-largest cyber-espionage firm after NSO Group per industry consensus. Operational capability + commercial business model attribution at high confidence per Microsoft MSTIC + Citizen Lab July 2021 joint canonical disclosures. Signature investment ecosystem overlap with NSO Group: Isaac Zack, early NSO Group investor, serves as Candiru's chairman with controlling interest alongside founders Shorer + Weizman. Reportedly received investment from Founders Group, an angel investment syndicate operated by NSO Group co-founders Omri Lavie + Shalev Hulio. Reported Qatari sovereign wealth fund investment via Optas Industry Ltd proxy. Documented government clients via Citizen Lab + Microsoft + Kaspersky + Recorded Future Insikt Group infrastructure analysis: Uzbekistan State Security Service (Kaspersky original 2019 discovery via Uzbekistan SSS testing Kaspersky antivirus detection of Candiru spyware on the itt.uz domain), Saudi Arabia, UAE, Singapore, Qatar, Hungary, Indonesia (active until November 2024 per Recorded Future August 2025 disclosure), Azerbaijan, Spain. Per Recorded Future Insikt Group August 2025 analysis: 8 distinct operational clusters identified, with 5 assessed as currently active. Microsoft canonical naming via "Sourgum" private-sector offensive actor (PSOA) framework; per Microsoft MSTIC: "Private-sector offensive actors are private companies that manufacture and sell cyberweapons in hacking-as-a-service packages, often to government agencies around the world, to hack into their targets' computers, phones, network infrastructure, and other devices."

Operational classification: cyber-mercenary / commercial spyware vendor, operationally distinct from nation-state-aligned clusters in this curated corpus through its commercial business model, though operating with offensive cyber capability comparable to top-tier nation-state actors per Microsoft assessment: "SOURGUM developers are very professional, have extensive experience writing Windows malware, and have a good understanding of operational security." The cluster fills the 2nd cyber-mercenary / private-offensive-actor cell in this curated corpus (following nso_group_pegasus, curated separately as the 1st). Operationally adjacent to other cyber-mercenary clusters in this corpus expansion phase (intellexa_predator + paragon_solutions_graphite, curated in this same slice as 3rd and 4th respectively).
Motivations
commercial_spyware_sales_to_government_clients, private_offensive_cyber_operations_for_government_clients, windows_zero_day_exploitation_and_spyware_implant_capability_provision, mobile_device_compromise_capability_iphones_androids, macos_device_compromise_capability, cloud_account_compromise_capability, government_intelligence_collection_via_commercial_capability, high_value_individual_targeting_journalists_activists_politicians_dissidents, civil_society_surveillance_per_documented_abuse_patterns

Detection Blind Spots (60 techniques)

Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.
  • Behavioral / log (Sigma): 58/60 · 96%
  • Analytics (MITRE CAR): 25/60 · 41%
  • Runtime / container (Falco): 7/60 · 11%
  • File / malware (YARA): 0/60 · 0%
  • Network (Suricata/Snort): 13/60 · 21%
  • Vuln scan (Nuclei): 0/60 · 0%

Atomic Test Plan (30 techniques)

Runnable Atomic Red Team tests covering this actor's mapped techniques - validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.

Tools Used (0 mapped)

Other tooling / TTPs (curation, not ATT&CK-mapped):
  • Malicious documents
  • Media company themed domains
  • Screen pictures capture
  • Signal Private Messenger decryption add-on

CVEs Exploited (2)

CVE-2021-31979 + CVE-2021-33771 (Windows NTOS kernel chain; see Signature operational tradecraft above).
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin