There’s a string of spyware campaigns operating out of a government building in Lebanon, according to new research from Lookout Security and the Electronic Frontier Foundation. Dubbed “Dark Caracal,” the new group is linked to attacks on thousands of victims in more than 21 different countries, a range of targets so broad that researchers believe the campaign may represent a new kind of spyware for hire.

Dark Caracal’s basic tactics are similar to previous government-linked spyware campaigns, targeting individuals through spear phishing or watering hole attacks, then using malware implants to quietly siphon data from their phones. That data includes passwords, phone records and chats, enough to build a comprehensive picture of where a person has been and who they’ve communicated with. In most cases, the malware itself isn’t particularly sophisticated — employing known vulnerabilities and targeting primarily Android phones — but the effect is still potentially devastating for anyone compromised.

“They’re running the infrastructure and selling the portals”

Once researchers got access to one of the servers used by the group, the location data proved to be incriminating, leading researchers to a government building in Lebanon. Researchers found a wealth of Wi-Fi network records on the server, typically used as a way to track a person’s location. The earliest data showed a string of connections to a network called “Bld3F6.” Often those connections would come with unusually sparse data, indicating they were coming from test devices rather than an actual target. When researchers tried to trace the “Bld3F6” network to a physical location, it led them a building in downtown Beirut run by Lebanon’s General Directorate of General Security — the country’s chief intelligence agency.

“This is the first network that all of the test phones logged into,” says Eva Galperin, a lead author on the report and cybersecurity director at EFF. “We could see all kinds of information based on that.”

Normally, tracing spyware back to a specific government building would be a slam dunk, but the Caracal researchers aren’t willing to attribute all of the activity to Lebanon’s GDGS. Part of the problem is the wide range of targets that have been attacked with the same basic tools. During the period covered in the report, researchers tracked as many as six separate campaigns running in parallel, in areas as disparate as Germany, Pakistan, and Venezuela. The authors also link the same tools to a 2015 campaign against dissidents in Kazakhstan. It’s hard to believe Lebanon’s government is responsible for all of those campaigns, which leads to a much more complicated attribution.

Instead, Galperin believes Caracal is part of a new kind of spyware service, one that contracts jobs by the target rather than selling tools outright. Seen through that lens, the Caracal attacks look like a single actor based in Lebanon taking on six jobs at once for a variety of buyers, a kind of digital spy for hire. “They’re running the infrastructure and selling the portals,” Galperin says. “Up until now, we had largely been looking at companies that sell spyware directly to nation states.”

If true, that would be an ominous development, potentially enabling spyware programs in countries without the resources to develop their own programs or buy out-of-the-box tools from companies like FinFisher or Hacking Team. Still, more research will be needed before we can tell exactly who’s responsible. “This campaign is definitely based out of Lebanon,” says Galperin, one of the lead authors of the study. “Otherwise, we have a lot of information about the infrastructure, but we don’t have a lot of information about who runs it.”