A cyber espionage campaign targeting governments, schools and pharmaceutical companies has been uncovered by security firm Kaspersky.
Hackers behind Epic Turla, also called Snake or Uroburos, use a mixture of inherent "zero day" software bugs, social manipulation and "watering hole" techniques, in which popular websites are attacked as a proxy for infecting the true targets.
The malware was also observed employing a Cobra/Carbon backdoor, which is more sophisticated than Epic Turla's own rear entry attack.
Costin Raiu, director of global research and analysis at Kaspersky, said: "The configuration updates for the 'Carbon system' malware are interesting, because this is another project from the Turla actor.
"This indicates that we are dealing with a multi-stage infection that begins with Epic Turla. The Epic Turla is used to gain a foothold and validate the high profile victim.
"If the victim is interesting, it gets upgraded to the full Turla Carbon system."
Once a user is infected through Epic Turla it connects to a command and control (C&C) server, which continues to provide the malware with instructions.
Malware recipients are said to be concentrated in the Middle East and Europe, though infected machines were found in more than 45 countries.
Though the campaign has been running since 2012, Kaspersky said its highest spike in activity was between January and February of this year.