These hackers are so civilised they work regular hours as well.
Malware known as Miniduke is being targeted at drug dealers in a turn away from last year’s focus on governments, according to security firm Kaspersky.
The advanced persistent threat (APT) had become less prominent after a report from the company last March, but resurfaced near the start of this year.
Kaspersky said: "While the old style Miniduke implants were used to target mostly government victims, the new style CosmicDuke implants have a somehow different typology of victims.
"The most unusual is the targeting of individuals that appear to be involved in the traffic and reselling of controlled and illegal substances, such as steroids and hormones."
Kaspersky believes the malware may be being used by Russian police to chase criminals as a form of "legal spyware" or by rival gangsters seeking to gain an edge over their competition.
Samples found by the company also indicate the attackers roughly follow a regular working week, with most activity being recorded between 6am to 4pm GMT on weekdays and only occasional overtime on weekends.
The virus relies on Twitter accounts containing a URL pointing to the command and Control (C&C) server used to send instructions to the malware, which appears as spoof applications mimicking updaters for software such as Google Chrome, Adobe Acrobat or Java.
A significant difference from last year’s infection is the use of a new custom backdoor, through which it is still capable of stealing information such as passwords, address books or network information, according to the firm.
"Miniduke/CosmicDuke is capable of starting via Windows Task Scheduler, via a customized service binary that spawns a new process set in the special registry key, or is launched when the user is away and the screensaver is activated," Kaspersky said.
As well as drug dealers the virus is said to be targeting governments, military groups, the energy sector and telecoms operators in Europe, Australia and the United States.
Kaspersky believe the hackers had scanned IP ranges as far afield as Azerbaijan, Greece and Ukraine, indicating a desire to expand their operations.