Malware Repurposes Legit Apps for Cyber-espionage

Posted On 09 May 2017
By : Marty O'Brien

More than 500 government organizations worldwide have been infected with a piece of malware designed to collect sensitive data. Until recently, their IT staffs didn’t realize they were the victims of cyber-espionage.

The culprit, Netrepser, differs from the majority of Trojans in that it infiltrates legitimate apps, hiding in plain sight while it steals information from high-level targets. Then, it covers its tracks using common utilities already on many computer networks.

Researchers at Bitdefender Labs accidentally uncovered the bug in May 2016 while examining a custom file-packing algorithm. A year later, they’ve unpacked the code, leading to a particularly chilling analysis: The payload is detected by antimalware systems, but even the most sophisticated label Netrepser a “potentially unwanted application” rather than dangerous. Because antimalware systems do not automatically disable PUAs, if the user ignores the warning, Netrepser recruits the compromised computer into a botnet.

Typically, “a system administrator seeing an alert from the antivirus [software] about a PUA tool will have little to nothing to worry about,” said Bitdefender Senior E-threat Analyst Bogdan Botezatu.

The malware’s “unusual build could have easily made it pass for a regular threat like many of those that organizations block on a daily basis; however, telemetry information provided by our event correlation service has pointed out that most of its victims are government agencies,” the research team wrote in a blog post. “Paired with advanced spear phishing techniques and the malware’s primary focus to collect intelligence and exfiltrate it systematically, we presume that this attack is part of a high-level cyber-espionage campaign.”

According to the team, the malware undertakes a variety of activities, including keylogging and theft of passwords and cookies. After completing its dirty work, Netrepser employs legitimate, widely used utilities like Sysinternals SDelete to obscure forensic evidence, making it impossible to trace the attack to its source.

The Trojan “is built around a legitimate, yet controversial, recovery toolkit provided by Nirsoft,” the researchers noted. “The controversy stems from the fact that the applications provided by Nirsoft are used to recover cached passwords or monitor network traffic via powerful command-line interfaces that can be instructed to run completely covertly. For a long time now, the antimalware industry has flagged the tools provided by Nirsoft as potential threats to security specifically because they are extremely easy to abuse and oversimplify the creation of powerful malware.”

According to the Bitdefender team, the hackers behind the attack delivered Netrepser using weaponized rich-text format (RTF) documents attached to emails. A similar method was used in a rash of advanced persistent threat (APT) attacks against human rights groups in Taiwan and Hong Kong and journalists in East Asia that took place in April 2016.

The delivery email message “purportedly comes from a Donald Spencer, who, according to this LinkedIn profile, is currently the Managing Director of Siguler Guff,” the Bitdefender researchers wrote in a whitepaper analyzing Netrepser. “Siguler Guff is a multi-strategy private equity investment firm which, by their own account, has over $11 billion of assets under management. Their real-estate portfolio spans from Mumbai to Moscow, where Drew Guff actually gave a speech at St. Petersburg International Economic Forum in June ’16.

“The headers reveal that the email originates from an inbox called piskulov@rp.co.ru,” the analysis continued. “Attached to the message is a DOC file containing a Visual Basic macro. If opened, the document would ask the user to enable macros in order to execute the dynamic content which would subsequently drop a JavaScript or JavaScript Encoded file to act as final payload.”

The Bitdefender researchers stopped short of accusations, but they noted evidence suggests the engineers behind the widespread government attacks may be Russian. Some file paths used by the Trojan were written in Cyrillic script, and what appeared to be Russian names embedded in the RTF documents actually translated to words like “installation” and “Ural.” In addition, analysis of the keylogger indicated some stolen information is sent to three email addresses in a Russian domain.
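Two of the behaviours described above are observable on the endpoint: an Office document whose macro drops a JavaScript or JavaScript Encoded file as the final payload, and the use of SDelete to wipe evidence afterwards. The following detection logic is an added example, not code from the article or from Bitdefender; it runs over constructed process-creation records in a Sysmon-like shape (parent image, image, command line), and every path and file name in the sample data is invented.

```python
"""Added example (not from the article or Bitdefender): flag two host
behaviours from the Netrepser write-up in constructed process-creation
records. Rule 1: an Office application launching a script host with a
.js/.jse file (the macro-drops-script-payload step). Rule 2: any run of
Sysinternals SDelete (the anti-forensics step). Names are illustrative."""
import re
from pathlib import PureWindowsPath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_PAYLOAD = re.compile(r"\S+\.(js|jse)\b", re.IGNORECASE)
WIPERS = {"sdelete.exe", "sdelete64.exe"}


def _basename(image):
    # Normalise a full Windows path to its lower-cased file name.
    return PureWindowsPath(image).name.lower()


def classify(event):
    """Return the list of rule names this event triggers (empty if clean)."""
    parent = _basename(event["parent_image"])
    image = _basename(event["image"])
    cmdline = event.get("command_line", "")
    hits = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS and SCRIPT_PAYLOAD.search(cmdline):
        hits.append("office_macro_script_drop")
    if image in WIPERS:
        hits.append("sdelete_antiforensics")
    return hits


# Constructed sample events: one per rule plus a benign admin script.
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "command_line": r'wscript.exe //B "C:\Users\u\AppData\Local\Temp\inv.jse"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cscript.exe",
     "command_line": r"cscript.exe C:\Scripts\inventory.vbs"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Tools\sdelete.exe",
     "command_line": r"sdelete.exe -p 3 C:\Users\u\AppData\Local\Temp\log.dat"},
]


def scan(events):
    """Map each event's index to its triggered rules, skipping clean events."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```

Either rule firing on a host that also raised a password-recovery-tool PUA alert is the combination the article says administrators tend to dismiss, and is worth escalating rather than closing.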


About the Author
Raised in the Appalachian Mountains of Kentucky, Marty O'Brien was the first of the O'Brien clan to obtain a college degree. A former sports journalist, O'Brien got a peek at the inner workings of the adult entertainment industry while on an assignment to cover the Los Angeles Lakers. He joined the YNOT editorial team in late 2010 and now specializes in technology, business news and ogling starlets.