Security News > 2021 > July > Microsoft: Israeli firm used Windows zero-days to deploy spyware

Microsoft and Citizen Lab have linked Israeli spyware company Candiru to new Windows spyware dubbed DevilsTongue deployed using now patched Windows zero-day vulnerabilities.
The investigation into Candiru's attacks started after Citizen Labs shared malware samples found on a victim's systems and led to the discovery of CVE-2021-31979 and CVE-2021-33771, two zero-day vulnerabilities fixed by Microsoft during this month's Patch Tuesday.
The attackers delivered the DevilsTongue malware to victims' computers using an exploit chain that abused vulnerabilities in several popular browsers and the Windows operating system.
DevilsTongue allows its operators to collect and steal victims' files, decrypt and steal Signal messages on Windows devices, and steal cookies and saved passwords from LSASS and Chrome, Internet Explorer, Firefox, Safari, and Opera web browsers.
"DevilsTongue can also send messages as the victim on some of these websites, appearing to any recipient that the victim had sent these messages," as Microsoft researchers further found out.
"The protections we issued this week will prevent Sourgum's tools from working on computers that are already infected and prevent new infections on updated computers and those running Microsoft Defender Antivirus as well as those using Microsoft Defender for Endpoint."
News URL
Related news
- Microsoft patches Windows Kernel zero-day exploited since 2023 (source)
- Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws (source)
- Windows 10 KB5051974 update force installs new Microsoft Outlook app (source)
- Microsoft fixes two actively exploited zero-days (CVE-2025-21418, CVE-2025-21391) (source)
- Patch Tuesday: Microsoft Patches Two Actively Exploited Zero-Day Flaws (source)
- FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux (source)
- Microsoft fixes bug causing Windows Server 2025 boot errors (source)
- Microsoft to remove the Location History feature in Windows (source)
- Microsoft testing fix for Windows 11 bug breaking SSH connections (source)
- Microsoft fixes Power Pages zero-day bug exploited in attacks (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-07-14 | CVE-2021-33771 | Unspecified vulnerability in Microsoft products Windows Kernel Elevation of Privilege Vulnerability | 0.0 |
2021-07-14 | CVE-2021-31979 | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft products Windows Kernel Elevation of Privilege Vulnerability | 0.0 |