Ever since the sophisticated and unprecedented cyberattack platform called "Regin" was uncovered in November, cyber sleuths have been working hard to put together all the pieces of this complicated puzzle.

Regin was like a dinosaur: many researchers found some of its bones throughout the years, but no one had the full skeleton, as a researcher put it at the time. Now, thanks to newly published Edward Snowden documents, some researchers might have found the smoking gun that conclusively connects the dinosaur to a specific spy agency, the British Government Communications Headquarters (GCHQ), a close ally of the National Security Agency (NSA).

Less than two weeks ago, Der Spiegel published a new trove of Snowden documents, exposing a series of previously unknown cyberweapons at the disposal of spies from the so-called "Five Eyes," the five countries that have a special relationship and share intelligence information with each other (U.S., UK, Australia, New Zealand, Canada).

Among the documents, the German magazine also released the code belonging to a type of malware called QWERTY, designed to monitor the keystrokes on a victim's computer.

When Kaspersky Lab researcher Costin Raiu saw the code, he immediately spotted a pattern and thought: "that's a Regin plugin!"

"I remember the strings from most of the couple hundred Regin plugins by heart," he told Mashable, adding that Kaspersky is in possession of "several hundred" plugins from the Regin framework.

After analyzing both QWERTY and Regin's 50251 plugin, Raiu and fellow researcher Igor Soumenkov concluded that the two files share a "significant" portion of the code and have the same functionality. For the two researchers this is "solid proof" that QWERTY is part of Regin.
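The comparison Raiu and Soumenkov describe, two samples sharing strings and a long identical stretch of bytes, can be reproduced on any pair of files with ordinary tooling. The Python below is an added illustration, not Kaspersky's code and not bytes from QWERTY or the 50251 plugin: it uses two constructed byte blobs in which a made-up routine and a made-up string are embedded at different offsets, then measures string overlap and locates the longest identical byte run.

```python
import re
from difflib import SequenceMatcher

# Constructed stand-ins for two samples. These are NOT bytes from Regin,
# QWERTY or any real binary; an analyst would read the files from disk.
SHARED_CODE = (bytes(range(0x80, 0x100))          # 128 non-printable bytes
               + b"kbd_capture_buffer\x00"         # a string inside the shared routine
               + bytes(range(0x80, 0x100)) * 2)    # 256 more non-printable bytes
SAMPLE_A = b"MZ\x90\x00" + b"KeyLogStart\x00" + SHARED_CODE + b"dump_to_file\x00" + b"\x00" * 16
SAMPLE_B = b"MZ\x90\x00" + b"KeyLogStart\x00" + b"\xcc" * 40 + SHARED_CODE + b"hook_keyboard\x00"

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")   # same idea as the `strings` tool


def extract_strings(blob):
    """Return the set of printable ASCII runs (6+ chars) found in a byte blob."""
    return {m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(blob)}


def shared_strings(a, b):
    """Strings present in both samples, sorted so the output is stable."""
    return sorted(extract_strings(a) & extract_strings(b))


def string_jaccard(a, b):
    """Jaccard similarity of the two string sets, 0.0 (disjoint) to 1.0 (identical)."""
    sa, sb = extract_strings(a), extract_strings(b)
    return len(sa & sb) / len(sa | sb) if (sa | sb) else 0.0


def longest_common_block(a, b):
    """(offset_in_a, offset_in_b, length) of the longest identical byte run.
    autojunk=False stops difflib from discarding frequently occurring bytes."""
    m = SequenceMatcher(None, a, b, autojunk=False).find_longest_match(0, len(a), 0, len(b))
    return (m.a, m.b, m.size)


def shared_code_ratio(a, b):
    """Fraction of the smaller sample covered by the longest shared block."""
    return longest_common_block(a, b)[2] / min(len(a), len(b))


if __name__ == "__main__":
    off_a, off_b, size = longest_common_block(SAMPLE_A, SAMPLE_B)
    print("shared strings:", shared_strings(SAMPLE_A, SAMPLE_B))
    print(f"string Jaccard: {string_jaccard(SAMPLE_A, SAMPLE_B):.2f}")
    print(f"longest identical block: {size} bytes at A+0x{off_a:x} / B+0x{off_b:x}")
    print(f"share of smaller sample: {shared_code_ratio(SAMPLE_A, SAMPLE_B):.1%}")
```

On real binaries the identical run is what matters most: shared strings can be copied from a leaked document, but hundreds of identical bytes of compiled code at a different file offset point to a common build, which is the kind of evidence the researchers call "solid proof".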

Image: Kaspersky Lab

While the researchers at Kaspersky did not want to point fingers, other independent researchers have no doubts: this is proof that GCHQ, and perhaps its spy allies of the Five Eyes, are behind Regin.

"This really is a smoking gun: a piece of code in the Snowden archive is substantially identical in key ways to a captured Regin keylogging module, including both a large block of identical binary," Nicholas Weaver, a computer science researcher at Berkeley University, told Mashable.

Claudio Guarnieri, an independent security researcher who worked with The Intercept to analyze Regin malware, pointed out that inside a QWERTY file there's a reference to a Five Eyes program called "WARRIORPRIDE," along with a reference to the Australian Signals Directorate (ASD), previously known as the Defense Signals Directorate (DSD).

So, based on Kaspersky's analysis, "if QWERTY is WARRIORPRIDE, and QWERTY is Regin, then Regin is WARRIORPRIDE," he told Mashable.

What this means is that Regin is probably a framework developed and shared among all the Five Eyes spy agencies, who call it WARRIORPRIDE, he said.

Each of the spy agencies then uses this framework for its own cyberattacks and intelligence operations, developing custom plugins, Guarnieri explained in a thorough blog post on Tuesday.

Additional proof of this theory is a line contained in a Snowden document published by Der Spiegel.

What's murkier, however, is whether the NSA has also used WARRIORPRIDE, or Regin.

Guarnieri noted that so far, nobody has found any evidence to support that. Morgan Marquis-Boire, the director of security at First Look Media, who has also analyzed Regin, concurs.

We've seen evidence that Regin is used by the GCHQ. There's a line in the source that appears to reference the DSD. Why attribute to NSA? — Morgan Mayhem (@headhntr) January 27, 2015

When contacted by Mashable, the GCHQ simply sent its usual statement, which said in part that "it is longstanding policy that we do not comment on intelligence matters," and that "all of GCHQ's work is carried out in accordance with a strict legal and policy framework."

In November, an agency spokesman declined to comment on Regin and what he defined as "unfounded" allegations, saying: "we don't comment on speculation."

What we still don't know about Regin

Despite this new piece of evidence, there's still much we don't know about Regin.

For starters, it's unclear how many of the Five Eyes intelligence agencies use it. Raiu told Mashable that practically all the samples Kaspersky Lab has analyzed were compiled during British working hours. But there's one compiled at 2 a.m. GMT.

"Who works at 2 a.m.?" Raiu asked rhetorically.

Raiu said he and his colleagues believe Regin is used by "multiple groups," so "it must be a different group that works on another timezone."
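Raiu's observation rests on the compile timestamp that Windows executables carry in their PE header. The Python below is an added example, not Kaspersky's analysis and not real Regin timestamps: it takes a constructed list of compile times, buckets them by UTC hour, lists the ones outside a working-day window, and brute-forces which UTC offset best explains the cluster, which goes a step beyond the 2 a.m. outlier the article mentions. A compile timestamp is written by whoever builds the binary and can be altered, so the result is a weak signal to be weighed with other evidence, not attribution on its own.

```python
from collections import Counter
from datetime import datetime, timezone


def _ts(year, month, day, hour, minute):
    """Build a PE-style TimeDateStamp: seconds since the Unix epoch, UTC."""
    return int(datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp())


# Constructed compile timestamps; NOT taken from real samples. Ten are shaped
# to fall inside a UTC working day, one is placed at 02:04 UTC as the outlier.
SAMPLE_TIMESTAMPS = [
    _ts(2011, 3, 14, 9, 12), _ts(2011, 3, 15, 10, 47), _ts(2011, 6, 2, 14, 3),
    _ts(2011, 9, 20, 16, 30), _ts(2012, 1, 11, 11, 5), _ts(2012, 4, 3, 13, 50),
    _ts(2012, 8, 7, 15, 22), _ts(2013, 2, 19, 9, 58), _ts(2013, 5, 28, 12, 41),
    _ts(2013, 11, 4, 17, 15),
    _ts(2012, 7, 19, 2, 4),   # the "who works at 2 a.m.?" sample
]


def utc_hour(ts):
    """Hour of day (0-23) of a timestamp, interpreted as UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).hour


def hour_histogram(timestamps):
    """How many samples were compiled in each UTC hour of the day."""
    return Counter(utc_hour(ts) for ts in timestamps)


def off_hours(timestamps, start=8, end=19):
    """Samples compiled outside the [start, end) UTC window."""
    return [ts for ts in timestamps if not start <= utc_hour(ts) < end]


def best_fit_offset(timestamps, start=9, end=18):
    """Try every whole-hour UTC offset from -12 to +14 and return the one whose
    local [start, end) window covers the most samples, as (offset, covered).
    Ties go to the offset closest to UTC."""
    def covered(offset):
        return sum(1 for ts in timestamps if start <= (utc_hour(ts) + offset) % 24 < end)
    best = max(range(-12, 15), key=lambda off: (covered(off), -abs(off)))
    return best, covered(best)


if __name__ == "__main__":
    hist = hour_histogram(SAMPLE_TIMESTAMPS)
    for hour in range(24):
        if hist[hour]:
            print(f"{hour:02d}:00 UTC  {'#' * hist[hour]}")
    for ts in off_hours(SAMPLE_TIMESTAMPS):
        print("off-hours sample compiled at", datetime.fromtimestamp(ts, tz=timezone.utc))
    offset, n = best_fit_offset(SAMPLE_TIMESTAMPS)
    print(f"best-fit working day: UTC{offset:+d}, covering {n}/{len(SAMPLE_TIMESTAMPS)} samples")
```

With a real corpus the histogram is read the same way: a tight cluster inside one working day suggests one team and time zone, and samples that refuse to fit that window are the ones worth treating as a possible second operator, exactly the reasoning Raiu applies to the 2 a.m. build.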

In his blog post, Guarnieri also noted that because Regin is used by multiple groups, it might be hard to figure out who is behind which Regin attack, and a lot of what is known about Regin is still "speculative." That's why Guarnieri made a call for the security community to keep digging for more dinosaur bones.

"It is imperative that the technical community keeps conducting analysis of the information at our disposal, connect the dots and fill the blank spots left," he wrote. "Share what you have, publish what you know."

"Don't hold back."