Kaspersky Lab said an individual, believed to be one identified as a National Security Agency worker in news accounts, triggered the company’s antivirus software and paved the way for it to upload classified NSA files from his computer when he tried to pirate Microsoft Office and ended up infecting himself with malicious software. The piracy claim is included in a set of preliminary findings released by the Moscow-based company from an internal investigation into a byzantine spying scandal that didn’t seem like it could get any more bizarre. A series of news reports this month, citing U.S. intelligence sources, asserted that the files on the worker’s computer, which included source code for sensitive hacking tools he was developing for the spy agency, were uploaded by Kaspersky security software and then collected by Russian government hackers, possibly with the company’s knowledge or help. Kaspersky has denied that it colluded with Russian authorities or knew about the worker incident as it was described in the press. Details from the investigation, including the assertion that Kaspersky’s CEO ordered the files deleted after they were recognized as potential classified NSA material, could help absolve the antivirus firm of allegations that it intentionally searched the worker’s computer for classified files that did not contain malware. But they also raise new questions about the company’s actions, the NSA worker, and the spying narrative that anonymous government sources have been leaking to news media over the last two weeks. After facing increasingly serious allegations of spying, Kaspersky provided The Intercept with a summary of preliminary findings of an internal investigation the company said it conducted in the wake of the news reports. 
In its statement of findings, the company acknowledged that it detected and uploaded a compressed file container, specifically a 7zip archive, that had been flagged by Kaspersky’s software as suspicious and turned out to contain malware samples and source code for what appeared to be components related to the NSA’s so-called Equation Group spy kit. But the company said it collected the files in the normal course of its operations, and that once an analyst realized what they were, he deleted them upon the orders of CEO Eugene Kaspersky. The company also insists it never provided the files to anyone else. Kaspersky doesn’t say the computer belonged to the NSA worker in question and says the incident it recounts in the report occurred in 2014, not 2015 as news reports state. But the details of the incident appear to match what recent news reports say occurred on the worker’s computer. The NSA could not be reached for comment.

According to Kaspersky, the incident began when the company was in the midst of an initial investigation into the so-called Equation Group set of tools. In March 2014, Kaspersky discovered a suspicious driver file on a machine in the Middle East that didn’t appear to belong to any attack group Kaspersky had seen before. After adding detection patterns known as “signatures” to its scanner so it would flag the driver, the company found numerous samples of it, as well as other related components, on machines of customers in more than 40 countries, including the U.S. Kaspersky spent about a year collecting samples until it had amassed an expansive and sophisticated toolkit, which it attributed to an actor it dubbed the Equation Group, and which it said had been in use since 2001, possibly even 1996. In the case of one infected computer in the U.S., the company said it discovered what appeared to be new and unknown “debug” variants of Equation Group malware on the machine. A “debug” build is a version compiled with diagnostic information for the developer, typically of code that is still under development and not yet complete, which fits with news accounts of the tools that were taken from the NSA worker’s computer. In one recent Washington Post story, the NSA worker was reportedly a member of Tailored Access Operations, the NSA’s elite hacking team, who was helping to develop new tools that were likely slated to replace the Equation Group tools.

The computer on which the Kaspersky software detected the debug variants had the Kaspersky Security Network enabled. KSN is a cloud platform that allows Kaspersky to automatically collect samples of new and unknown malware from machines where a customer has enabled this feature (other antivirus products, including those made by U.S.-based Symantec, offer similar cloud collection).
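As an added illustration (this is not Kaspersky’s code and does not appear in the original article), the Python sketch below models the two mechanisms described above: a byte-pattern signature scan and a KSN-style cloud submission policy that pulls new, unknown samples only when the customer has opted in. Every signature name, byte pattern, file path and file content is constructed here, and the 7zip archive is represented as a plain dict rather than parsed from a real container. The point it makes is the one a practitioner should take from the story: a single matching member causes the whole archive, unrelated source files included, to be submitted once telemetry is on.

```python
"""Toy model of signature detection plus cloud sample submission.

Added illustration, not vendor code. Signatures, file contents and the
archive layout are all constructed so the script runs offline.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# Constructed detection signatures: name -> byte pattern. These markers are
# made up for the example; they are not real Equation Group or Mokes indicators.
SIGNATURES = {
    "HEUR:Equation.DebugDriver": re.compile(rb"EQN_DEBUG_BUILD\x00"),
    "Backdoor.Win32.Mokes": re.compile(rb"MOKES_C2_STUB"),
}

# Hashes the vendor cloud has already seen. A hit on a known hash would be
# reported but not re-uploaded. Left empty here, so every hit is "new".
KNOWN_HASHES = set()

# A filesystem maps path -> bytes (plain file) or path -> dict (archive whose
# keys are member names). The dict stands in for a parsed 7z container.
FileSystem = Dict[str, Union[bytes, Dict[str, bytes]]]


@dataclass
class Detection:
    path: str                      # file or archive member that matched
    signature: str
    container: Optional[str] = None  # enclosing archive, if any


@dataclass
class ScanResult:
    detections: List[Detection] = field(default_factory=list)
    uploaded: List[str] = field(default_factory=list)  # objects sent to the cloud
    upload_bytes: int = 0


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match(data: bytes) -> Optional[str]:
    """Return the first signature name whose pattern occurs in data, else None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(data):
            return name
    return None


def scan(filesystem: FileSystem, ksn_enabled: bool) -> ScanResult:
    """Scan every object; with telemetry on, upload new suspicious objects whole."""
    result = ScanResult()
    for path, obj in filesystem.items():
        if isinstance(obj, dict):
            # Archive: scan each member, but the unit of submission is the container.
            whole = b"".join(obj.values())  # stand-in for the archive's raw bytes
            hit = False
            for member, data in obj.items():
                sig = match(data)
                if sig:
                    result.detections.append(Detection(member, sig, container=path))
                    hit = True
            # Cloud submission policy: one suspicious member is enough to ship the
            # entire archive, including members that matched nothing at all.
            if hit and ksn_enabled and sha256(whole) not in KNOWN_HASHES:
                result.uploaded.append(path)
                result.upload_bytes += len(whole)
        else:
            sig = match(obj)
            if sig:
                result.detections.append(Detection(path, sig))
                if ksn_enabled and sha256(obj) not in KNOWN_HASHES:
                    result.uploaded.append(path)
                    result.upload_bytes += len(obj)
    return result


# Constructed sample home directory: an archive holding one debug build that
# trips a signature plus unrelated source files, a keygen carrying the
# backdoor marker, and an ordinary document that matches nothing.
HOME_DIR: FileSystem = {
    r"C:\Users\dev\tools.7z": {
        "drv_dbg.sys": b"MZ...EQN_DEBUG_BUILD\x00...",
        "loader.c": b"/* unreleased source, no signature match */",
        "notes.txt": b"todo: finish stage2",
    },
    r"C:\Users\dev\office_keygen.exe": b"MZ...MOKES_C2_STUB...",
    r"C:\Users\dev\report.docx": b"PK\x03\x04 ordinary document",
}

if __name__ == "__main__":
    for enabled in (False, True):
        r = scan(HOME_DIR, ksn_enabled=enabled)
        print(f"KSN enabled={enabled}: {len(r.detections)} detections, "
              f"uploaded={r.uploaded}, bytes={r.upload_bytes}")
```

Run with telemetry off, the scanner still records both detections but uploads nothing; with telemetry on, `tools.7z` is shipped in full even though `loader.c` and `notes.txt` matched no signature. That is the behaviour to weigh when deciding whether to enable cloud sample submission on a machine that holds sensitive source.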
Kaspersky said that after it detected these debug variants, the customer apparently disabled the antivirus scanner in order to run key-generation software, a “keygen,” that would produce license keys and allow him to run pirated Microsoft Office on his machine. The keygen turned out to be infected with a known backdoor Trojan called Mokes that had been created in 2008 and was already being detected by antivirus scanners in November 2013. Kaspersky doesn’t know when the customer disabled the scanner, but at some point it was re-enabled, upon which it detected the Mokes backdoor on the computer. Kaspersky didn’t respond to questions asking when the file infected the computer or when its scanner detected it, but notes in its statement that the malware was already on the system when the scanner was re-enabled. Kaspersky’s reasoning is that the malware, which its signatures already covered, could not have installed itself while the scanner was running. Kaspersky describes the Mokes malware as a “full-blown backdoor which may have allowed third parties access to the user’s machine” — further underscoring the worker’s recklessness in installing the pirated software, if in fact he did so.

“There’s a whole litany of problems with this,” said Jake Williams, founder of Rendition Infosec and a former NSA employee. “If this guy is a TAO developer — these guys don’t grow on trees, they’re fairly skilled — he has to know the dangers of downloading pirated software. Taking the [classified] tools out of the [NSA] building in the first place [and putting them on his home computer] is a tremendous operational security lapse in judgement. But combining that with pirated software is mind-blowing.”

“From an NSA standpoint, I don’t see how this can get much worse,” Williams added.