A cyber espionage campaign targeting activist groups in Syria is likely the work of the Islamic State of Iraq and Syria (ISIS), according to a report published on Thursday by CitizenLab, a research group at the University of Toronto’s Munk School of Global Affairs.

The attacks have targeted a group of Syrian activists, Raqqah Is Being Slaughtered Silently (RSS), that focuses on documenting human rights abuses in the northern Syrian city of Ar-Raqqah, which is currently occupied by ISIS, according to the analysis. The attacks used a tailored e-mail message to direct targeted users to an infected slide show that purportedly showed locations of ISIS forces and US airstrikes but in reality compromised the victim’s computer.

The attack does not result in remote access to a victim’s computer, but does result in a malicious program sending out occasional e-mail messages with data about the victim’s system and location, including the Internet protocol (IP) address, CitizenLab said in its analysis.

“Knowing the IP address of a target could quickly narrow down targets to specific locations, and specific Internet services, or Internet cafes in Raqqah,” the group stated. “Given that the identities and locations of RSS members are closely guarded, such information would hold significant intelligence value for ISIS.”

CitizenLab stressed that the evidence linking ISIS to the attacks against the activist community is only circumstantial, but that the attacks do not resemble prior operations linked to Syrian actors. While the attack could have been conducted by the Syrian government, it differs in almost every respect from prior attacks linked to the regime, CitizenLab’s report stated.

“The lack of overlap in tactics, techniques, and procedures (TTPs) between this attack and prior attacks does not rule out Syrian regime-linked attackers,” the group stated. “However, given that known regime-linked groups continued to remain active during the same date range using familiar TTPs, this scenario seems unlikely.”

The attackers used an unsolicited e-mail as the lure for the attack, claiming to be Syrian nationals residing in Canada and supporters of the RSS cause. The e-mail also contained a link to a slide show file that installs an executable program on the victim’s system.

While the malware is not sophisticated, it shows that the author had some technical aptitude, according to the CitizenLab analysis.

“The malware has no obfuscation processes and is not highly technical in its development or interaction with Windows,” the CitizenLab report states. “Nevertheless, we believe that the author of the program is aware of certain techniques to reduce the visibility of malware on a network, including transmitting data via encrypted e-mail communications.”

The obfuscation code, however, was not implemented properly, the report concludes.

Ar-Raqqah has weathered a great deal of conflict in the past three years, according to the CitizenLab report.

In the spring of 2013, Islamists and Free Syrian Army (FSA) fighters took over Ar-Raqqah from regime forces. As ISIS gained momentum, they consolidated their control over the city, edging out FSA-affiliated groups through attacks, summary executions, and kidnappings against a range of groups, including ethnic and religious minorities.

When investigating suspected activists, ISIS agents often confiscate smartphones and other devices to collect information about the suspect and their links to any groups of dissenters, according to one source interviewed by CitizenLab researchers. The group has also reportedly targeted Internet cafes by installing keyloggers and network sniffers on local machines.

Cyber attacks are a relatively minor tool among the tactics the group uses to deter activists and dissenters. Forces linked to the radical Islamic movement have reportedly raided homes, kidnapped dissenters, and killed those who have opposed them.