PULSE NAME
Tracking Candiru's DevilsTongue Spyware in Multiple Countries.
TLP: WHITE | Author: PetrP.73 | Created: 2025-08-19 | Modified: 2025-09-18
115 IOCs (HIGH VOLUME)
Insikt Group reported discovery of new infrastructure associated with eight Candiru-linked clusters, specifically infrastructure used to deploy and control the DevilsTongue spyware as well as higher-tier operator infrastructure. The finding indicates active expansion or maintenance of a multi-cluster operational footprint that separates initial delivery/deployment mechanisms from command-and-control and operator management layers.
Indicators of Compromise (1 / 115 total)
TYPE | INDICATOR | DESCRIPTION | CREATED
FileHash-MD5 | e33cfc9e285729c09e77df9e426587ab | MD5 of 255869de85e2a171993fc5eb8a556d873a1b8966e040f6f55926f2fa2d595cc8 | 2025-08-19