Researchers have discovered at least two new pieces of malware in the wild that subject Mac users to advanced surveillance campaigns designed to surreptitiously siphon confidential data from their machines.

According to blog posts from Kaspersky and Sophos, malware identified as SabPub arrives in a booby-trapped Microsoft Word document that exploits a critical vulnerability that was patched three years ago. The APT, or advanced persistent threat, appears to have similarities to an espionage campaign that Ars reported last month, which targets employees of several pro-Tibetan non-governmental organizations. Kaspersky Lab Expert Costin Raiu said two new strains of SabPub are noteworthy because of their ability to stay hidden until now.

"SabPub is different from MaControl, another bot used in APT attacks in February 2012," Raiu wrote. "SabPub was more effective because it stayed undetected for more than 1.5 months."

The discovery comes a couple weeks after researchers from Kaspersky and other security firms confirmed a botnet of more than half a million Macs infected by the Flashback malware. Like SabPub, Flashback was effective because it hijacked machines without requiring the user to type an administrative password. Flashback achieved this coup by exploiting a vulnerability in the Java software framework that Oracle had patched earlier in 2012, but that Apple hadn't yet distributed to its end users. Meanwhile, the SabPub malware exploits a Word vulnerability that Microsoft patched in 2009, but that many people—particularly those using pirated versions of the application—haven't bothered to install.

Flashback is a piece of opportunistic malware that's designed to get installed on as many machines as possible so that its operators can profit from click fraud and similar scams. Now that Apple has released a Java patch and third-party software makers have issued detection and removal tools, the number of infected machines has reportedly plummeted.

The developers of SabPub, by contrast, are highly selective about those they target, since the malware is designed to download confidential documents relating to pro-Tibetan activities. Indeed, shortly after Kaspersky researchers infected a lab machine with SabPub, they witnessed someone manually checking it for material of interest. Researchers with antivirus provider ESET also witnessed manual intruders in their discovery last month of Mac-based APT software. Kaspersky said the command and control server their infected Macs reported to has been shut down.

The APT threat is using IP addresses that have been known to wage similar attacks on Windows users, Kaspersky said.