China, Russia, Belgium, and Sweden have been targets.
A previously unknown group called “Strider” has been conducting cyber-espionage attacks against selected targets in Russia, China, Sweden, and Belgium, U.S.-based computer security firm Symantec said Monday.
The group, which has been active since at least October 2011 and could have links to a national intelligence agency, has been using an advanced piece of hidden malware identified by Symantec symc as Remsec (Backdoor.Remsec), the company said in a blog post.
Remsec spyware lives within an organization’s network rather than being installed on individual computers, giving attackers complete control over infected machines, researchers said. It enables keystroke logging and the theft of files and other data.
Its code also contains a reference to Sauron, the all-seeing title character in The Lord of the Rings trilogy, Symantec said. Strider is the name of another leading character in the fantasy novels.
Get Data Sheet, Fortune’s technology newsletter.
Despite headlines that suggest an endless stream of new types of cyber-spying attacks, Orla Fox, Symantec’s Dublin-based director of security response, told Reuters the discovery of a new class of spyware like Remsec is a relatively rare event, with the industry uncovering no more than one or two such campaigns per year.
Strider’s targets include four organizations and individuals located in Russia, an airline in China, an organization in Sweden, and an embassy in Belgium, the security company said.
“Based on the espionage capabilities of its malware and the nature of its known targets, it is possible that the group is a nation state-level attacker,” Symantec said, but it declined to speculate about which government or governments might be behind the software.
Meanwhile, Moscow-based cybersecurity research firm Kaspersky Lab confirmed that it has also detected the same spyware and will publish further details of its findings later Monday. It has dubbed the group behind it “ProjectSauron.”
Remsec shares certain unusual coding similarities with another older piece of “nation state-grade” malware known as Flamer, or Flame, according to Symantec.
Flamer malware has been linked to Stuxnet, a military-grade computer virus alleged by security experts to have been used by the United States and Israel to attack Iran’s nuclear program late in the last decade.