Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Bill Marczak Profile picture
@billmarczak
Jul 15, 2021 9 tweets 6 min read Read on X
Scrolly
NEW @citizenlab joint-report with @MsftSecIntel: "Hooking Candiru," in which we provide an interesting look into the global proliferation of spyware from Candiru: another big player that sells hacking tools to govts, including known surveillance abusers citizenlab.ca/2021/07/hookin…
Our analysis is based on a "patient zero", a Western European politically active individual. We extracted a copy of Candiru's spyware from their computer, after identifying that their computer was communicating with Candiru spyware servers. So how did we find our "patient zero"?
Well, first, @citizenlab found a 2017 OPSEC mistake by Candiru, where six of their supposedly "hidden" spyware servers accidentally returned a TLS certificate (seen here on @censysio) with "candirusecurity[.]com" (oops!!!) Image
We linked this "candirusecurity[.]com" domain to a spyware vendor "Candiru Ltd", using WHOIS info for a second domain name that was registered with a candirusecurity[.]com email *and also* a phone number belonging to Candiru (per a business directory) ImageImage
We later saw different weird self-signed TLS certs returned by these servers, and used @censysio and @RiskIQ to uncover 100s of similar certs on 100s of IPs (pointed to by 750+ domains) that we link to Candiru. Here are some @censysio queries we used so you can follow at home! ImageImage
We then leveraged @teamcymru telemetry for the Candiru servers that we detected, which together with our @citizenlab civil-society connections, led us to our "patient zero." We analyzed their computer, ID'd components that talked to Candiru servers, and extracted the spyware!
@teamcymru @citizenlab We shared the spyware with Microsoft's @MsftSecIntel, who (surprise surprise) found that Candiru's Windows spyware was being used to target 100+ people, including journalists, activists, and other members of civil society. microsoft.com/security/blog/…
Also, @MsftSecIntel landed a pretty substantial blow against Candiru by detecting and patching *TWO* zero-day Windows privilege escalation exploits they were using (CVE-2021-31979 and CVE-2021-33771). Microsoft's patch went live during this week's Patch Tuesday. Image
Of course, like any spyware company worth its salt, Candiru also offers spyware that can infect mobile devices (according to a Candiru proposal published by @TheMarker), though their mobile spyware has not (yet) been captured and publicly analyzed. Image

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Bill Marczak

Bill Marczak Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @billmarczak

Bill Marczak Profile picture
Jun 13
ICYMI, yesterday we released a report providing a first look at how we found traces of spyware on two journalists' iPhones, traces which we can attribute with high confidence to Paragon's Graphite spyware: citizenlab.ca/2025/06/first-…
Basically, one of the phones sent multiple requests to IP 46.183.184[.]91, an IP that we linked with high confidence to Paragon’s Graphite spyware infrastructure. We made this link because 46.183.184[.]91 matched our Fingerprint P1 (seen here in Censys search syntax) Image
And there’s a clear chain of shared behavior leading from Fingerprint P1 back to other IPs that previously returned pages entitled "Paragon" and a TLS certificate with the terms "Graphite" and "installerserver". Image
Read 7 tweets
Bill Marczak Profile picture
Oct 26, 2023
NEW: Kaspersky releases full details on how they captured the “Triangulation” (suspected US Government) exploits and iPhone spyware targeting their employees. securelist.com/operation-tria…
The way Kaspersky wrote this, it's an interesting case study of defenders working out how to capture a zero-click exploit. I especially like that Kaspersky said what they tried that *didn’t work*, in addition to what did ultimately work. Let’s dive in with a thread!
If you’re a researcher who’s never captured an exploit chain from a threat actor “on the wire” recently, then you might not have run up against several “annoying roadblocks” that face a defender who sets out to complete this task.
Read 23 tweets
Bill Marczak Profile picture
Apr 11, 2023
One neat technical detail we found while analyzing QuaDream's spyware () was the mechanism by which it subverts iCloud's two-factor authentication, presumably as part of a scheme to exfiltrate the user's data directly from iCloud.
iCloud's two-factor authentication appears to use a TOTP (time-based one-time-password) scheme, in which two-factor authentication codes valid for any time are entirely determined by applying a function to (1) the time and, (2) some private information present on the phone.
Rather than stealing (2), the way the spyware appears to defeat this scheme is by injecting code into the phone's heavily obfuscated "adid" process (part of the phone's Anisette framework), and hooking the "gettimeofday" syscall to fool "adid" about the current date and time.
Read 4 tweets
Bill Marczak Profile picture
Apr 11, 2023
Check out our NEW @citizenlab report "Sweet QuaDreams: A First Look at Spyware Vendor QuaDream’s Exploits, Victims, and Customers", in which we uncover traces of a new iOS 14 zero-click deployed against civil society from (at least) Jan through Nov 2021 citizenlab.ca/2023/04/spywar…
The zero-click exploit, which we call ENDOFDAYS, appears to have made use of invisible malformed "Meeting" invitations processed by the iPhone's calendar app. ENDOFDAYS looks to have been deployed as a zero-day against iOS versions 14.4 and 14.4.2, and maybe other versions.
So, who are QuaDream's customers? Based on our Internet scanning and infrastructure analysis, we believe that QuaDream operators are located in AE, BG, CZ, HU, GH, IL, MX, RO, SG, and UZ (unclear if IL is customer or just QuaDream themselves) and potentially other countries too. Image
Read 16 tweets
Bill Marczak Profile picture
Sep 29, 2022
NEW REPORT today from @Reuters @JoelSchectman providing more detail about fatal flaws in the CIA's defunct communications network. Iran and China compromised the network in 2011, and killed dozens of CIA assets reuters.com/investigates/s…
You probably first read reporting about the Iranian and Chinese compromise of the CIA's covert communications network in @JennaMC_Laugh and @zachsdorfman's excellent 2018 Yahoo News story: news.yahoo.com/cias-communica…
The CIA network reportedly consisted of benign looking websites with a hidden communications functionality, used by assets around the world to communicate back and forth with their agency handlers.
Read 14 tweets
Bill Marczak Profile picture
Jan 13, 2022
New @citizenlab report, #ProjectTorogoz, documenting the use of NSO's Pegasus spyware in El Salvador, in collab w/ @AccessNow, w/ assistance from @FrontLineHRD @MohdMaskati, @socialtic, and @fundacionacceso, and w/ peer review from @AmnestyTech citizenlab.ca/2022/01/projec…
We confirmed, through forensic analysis, 35 cases of journalists and civil society members whose phones were successfully hacked with NSO Group's Pegasus spyware from July 2020 through November 2021.
The targets included journalists at @_elfaro_, @GatoEncerradoSV, @prensagrafica, @Disruptiva2, @ElMundoSV, @EDHNoticias, and 2 independent journalists. Also NGOs @fundaciondtj, @cristosal, and another (anonymous) NGO.
Read 18 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(