Government agencies have been targeted by a malware framework known as Netrepset since May 2016 in what could be part of a high-level cyber-espionage campaign.
That's according to researchers at IT security company Bitdefender, who had initially looked into the malware last year.
Its threat response team isolated several samples from the ‘internal malware zoo', while looking into a custom file-packing algorithm. A deeper look into its telemetry revealed that the malware was strictly affecting a limited pool of hosts belonging to a number of IP addresses marked as sensitive targets - mostly government agencies.
The malware can be paired with advanced spear phishing techniques in a bid to collect intelligence - and this is why Bitdefender presumes it is part of a high-level campaign.
Bitdefender said that the unusual build of the malware could have easily made it pass for a regular threat, like many of those that organisations block on a daily basis. However, it's more complex than many of those threats as it has a repertoire of methods which it uses to steal information, including keylogging, password and cookie theft.
It is built using a recovery toolkit provided by Nirsoft, which Bitdefender suggested was a legitimate, yet controversial tool.
"The controversy stems from the fact that the applications provided by Nirsoft are used to recover cached passwords or monitor network traffic via powerful command-line interfaces that can be instructed to run completely covertly," said Bitdefender.
"For a long time now, the antimalware industry has flagged the tools provided by Nirsoft as potential threats to security specifically because they are extremely easy to abuse, and oversimplify the creation of powerful malware," it added.
But the security company emphasised that even though Netrepset malware uses free tools and utilities to carry out jobs, the combination of the complexity of the attack, and the targets involved, suggest that it is "more than a commercial-grade tool".
For example, the criminals behind the malware have even included a ‘killswitch' job to clean up after themselves after exfiltration.
"This option is key in establishing that this is not an opportunistic attack, but rather a well-designed espionage campaign with multiple redundancies and, ultimately, a way to deter forensic processes that might recover evidence," the company said.
The group behind the malware has compromised approximately 500 computers and exfiltrated an unknown number of documents, login credentials or other pieces of intelligence since May 2016.
Bitdefender said that because of the nature of the attacks, attribution was impossible, unless it digs into the realm of speculation.
Computing's Big Data and IoT Summit 2017 and the Big Data and IoT Summit Awards are coming on 17 May 2017.
Find out what construction giant Amey, Lloyds Banking Group, Financial Times and other big names are doing in big data and the Internet of Things.
Attendance to the Summit is free to qualifying senior IT professionals and IT leaders, but places are strictly limited, so apply now.
AND on the same day, Computing is also proud to present the Big Data and IoT Summit Awards, too. See the finalists - and secure a table for your team at the Awards - now:
British Airways blames 'global systems outage' for IT meltdown
Mark Zuckerberg mercilessly trolled by Harvard student newspaper after return to university he dropped out of 12 years ago
'Unauthorised user' blamed by Harvard for insulting Mark Zoinkerberg
Android under attack from 'Judy', Google Play Store malware that has infected up to 36.5 million users
Yet more Android malware discovered on the Google Play Store
Airport believes new system will be more reliable than GPS or Google Maps