Norwegian security firm Norman said the Mac spyware found on the activist's computer, signed with a valid Apple Developer ID account and designed to capture screenshots from victims, was the work of a group in India dubbed HangOver hackers, ZDNet reported Monday.
The group has created over 600 domains used to distribute hundreds of pieces of keylogger and other information-stealing malware, Norman chief researcher Snorre Fagerland said.
The group has launched phishing and malware attacks against targets in a range of countries including Pakistan, the United States, China, Iran, Thailand, Jordan, Indonesia, Britain, Norway, Germany, Austria, Poland and Romania, Norman said in a report.
Norman said it began investigating the group after Norway's largest carrier Telenor revealed it was compromised in a cyberattack in March.
While the hackers are not very sophisticated and rely on exploits for old, patched Internet Explorer, Java and Microsoft Word flaws, Fagerland said, the group is well-organized.
"The group appears not to be very advanced, but they are really aggressive in picking targets and once they have picked the target they are trying over and over again," he said.
Repeated use of the same IP addresses confirms the group is located in India, the Norman report said.