In May, Mr. Marquis-Boire, 32, of San Francisco, and Mr. Marczak, 24, of Berkeley, Calif., volunteered to analyze some suspicious e-mails sent to three Bahraini activists. They discovered all the e-mails contained spyware that reported back to the same command-and-control server in Bahrain. The apparent use of the spyware to monitor Bahraini activists, none of whom had any criminal history, suggested that it had been used more broadly.

Bahrain has been increasingly criticized for human rights abuses. This month, a 16-year-old Bahraini protester was killed in what activists said was a brutal attack by security forces, but which Bahrain’s government framed as self-defense.

The findings of the two men came as no surprise to those in the field. “There has been a clear increase in the availability of penetrating cyberattack tools,” said Sameer Bhalotra, President Obama’s former senior director for cybersecurity who now serves as the chief operating officer of Impermium, a computer security firm. “These were once the realm of the black market and intelligence agencies. Now they are emerging more and more. The problem is that it only requires small changes to apply a surveillance tool for attack, and in this case it looks like dissidents were targeted.”

Since publishing their findings, Mr. Marquis-Boire and Mr. Marczak have started receiving malware samples from other security researchers and from activist groups that suspected they may have been targets. In several cases, the two found that the samples reported back to Web sites run by the Gamma Group. But other samples appeared to be actively snooping for foreign governments.

A second set of researchers from Rapid7, of Boston, scoured the Internet for links to the software and discovered it running in 10 more countries. Indeed, the spyware was running off EC2, an Amazon.com cloud storage service. Amazon did not return requests for clarification, but Mr. Marczak and Mr. Marquis-Boire said the server appeared to be a proxy, a way to conceal traffic.