Kaspersky Lab calls it a masterpiece.
Despite being active since 2012, the malware has remained hidden despite infecting at least 100 users around the world, including individuals and institutions.
Kaspersky researchers said the malware is likely state-sponsored with some text clues suggesting it originates from an English-speaking country and most likely was used for espionage purposes. The security firm gave the malware the nickname Slingshot, based on some text found inside the recovered malware samples.
The malware code spies on PCs through a multi-layer attack using a kernel mode module and a user mode module that essentially gives attackers unlimited access to an infected machine. They can steal passwords, keyboard strokes, screenshots, network traffic and more.
"The malware is highly advanced, solving all sorts of problems from a technical perspective and often in a very elegant way, combining older and newer components in a thoroughly thought-through, long-term operation, something to expect from a top-notch well-resourced actor," wrote a Kaspersky researcher.
The malware also uses many tricks to avoid detection, including shutting down its components when it detects forensic research.
What's less clear is how it infects machines. At least one method that infected many users involved MikroTik routers, though once alerted, the company released a firmware update to address the issue. Other types routers might have been infected, according to Kaspersky.