Advanced DevilsTongue Windows spyware monitors users around the world.
The emergence of DevilsTongue marks a notable advance in mercenary spyware capabilities: it employs sophisticated Windows-based techniques to infiltrate high-value targets around the world. First detected in campaigns dating back to 2019, this modular malware aggressively exploits zero-day browser vulnerabilities and weaponised documents to gain initial access. Once deployed, it establishes a covert presence and exfiltrates sensitive data from both corporate and personal environments. Recorded Future researchers have identified new victim-facing and operator-tier infrastructure across multiple countries, highlighting both the global scale of operations and the varied administrative practices among the different clusters. DevilsTongue's attack vectors encompass spearphishing with malicious links, strategic watering hole compromises, and booby-trapped Office documents.
Google's Threat Analysis Group observed exploits targeting Chrome and Internet Explorer in 2021, specifically CVE-2021-21166 and CVE-2021-33742, which delivered DevilsTongue payloads via single-use URLs and embedded ActiveX objects. Following initial compromise, the malware uses a signed driver (physmem.sys) to obtain kernel-level memory access, which allows payloads to be executed in memory without ever being written to disk. Recorded Future analysts noted that these techniques let DevilsTongue evade traditional signature-based detection and maintain a low profile on victim devices. The global impact of DevilsTongue has been significant: government clients across Europe, the Middle East, and Asia have deployed the spyware against politicians, journalists, and dissidents. Citizen Lab and Microsoft reported over 100 victims in Palestine, Türkiye, and Spain, among other countries.