Case Study: The Citizen Lab Exposes Candiru’s Spyware Infrastructure with Censys

A Censys Case Study

Preview of The Citizen Lab Case Study

How Censys Helped Citizen Lab Expose Mercenary Spyware Vendor - Candiru

The Citizen Lab, a University of Toronto research institute focused on human rights and information technology, needed a way to investigate the infrastructure behind Candiru, a mercenary spyware vendor whose malware is designed to be hard to trace. Using Censys, Citizen Lab set out to map Candiru’s command-and-control footprint across IPs, domains, and certificates in order to understand who was being targeted and how.

Censys provided Citizen Lab with its Universal Internet DataSet, certificate data, and search capabilities to pivot from a self-signed certificate to historical IPs and related infrastructure. With Censys, the team uncovered more than 750 impersonated websites, identified victim infrastructure, and passed indicators to Microsoft, which led to the discovery of two zero-day privilege escalation vulnerabilities, CVE-2021-31979 and CVE-2021-33771, and more than 100 targeted individuals.



The Citizen Lab

Bill Marczak

Research Fellow

