Security researchers have spotted a new campaign using two attack frameworks and a backdoor allegedly developed by the NSA to spy on scores of targets in Russia, Iran and Egypt.

The tools were originally published in March 2017 by the Shadow Brokers, a group linked to Russian intelligence which claimed they came from the US spy agency.

They include DanderSpritz — which consists of “plugins to gather intelligence, use exploits and examine already controlled machines” — and FuzzBunch — a framework for different utilities to interact and work together which features various plugins to “analyze victims, exploit vulnerabilities, schedule tasks,” and more, according to Kaspersky Lab.

The DarkPulsar backdoor links to the two frameworks together, used with FuzzBunch to exploit vulnerabilities and gain remote access to a targeted system, before DanderSpritz is brought in to observe and exfiltrate the data.

“The FuzzBunch and DanderSpritz frameworks are designed to be flexible and to extend functionality and compatibility with other tools. Each of them consists of a set of plugins designed for different tasks: while FuzzBunch plugins are responsible for reconnaissance and attacking a victim, plugins in the DanderSpritz framework are developed for managing already infected victims,” the researchers explained.

“The discovery of the DarkPulsar backdoor helped in understanding its role as a bridge between the two leaked frameworks, and how they are part of the same attacking platform designed for long-term compromise, based on DarkPulsar’s advanced abilities for persistence and stealthiness. The implementation of these capabilities, such as encapsulating its traffic into legitimate protocols and bypassing entering credentials to pass authentication, are highly professional.”

Kaspersky Lab claimed to have found around 50 victims in Russia, Iran and Egypt, with Windows Server 2003 and 2008 typical targeted systems. The organizations in question were linked to nuclear energy, telecoms, IT, aerospace and R&D, the Russian AV vendor explained.