The notorious Duqu malware is using a zero-day flaw in Windows to deliver its payload, according to Hungarian security research laboratory CrySyS, which has identified a specially crafted Word file being used as the entry point for the infection.
The researchers believe that the infected file targets a previously undiscovered security hole in the Windows kernel to access systems and install Duqu.
Duqu was discovered in October and has generated headlines for its complexity and connection to the high-profile Stuxnet malware. Experts believe that the malware is designed for use in a targeted attack on industrial control systems.
Duqu has also generated controversy for its resemblance to Stuxnet, the sophisticated malware infection which has been connected to attacks on nuclear systems in Iran.
The report also brings to light the zero-day vulnerability in Windows one week before Microsoft's next scheduled monthly security update.
Sophos security adviser Chester Wisniewski said that, while the flaw is a zero-day vulnerability, there is little risk of attack on end-user systems.
"Given the targeted nature of these attacks and the fact that this malware is not a worm or virus, only the authors of the malware and the security researchers who have analysed it have the information required to exploit this bug," he said in a blog post.
"It is unlikely that most of us would be exposed to any risk from this flaw, assuming Microsoft is able to promptly provide a fix."