Fancy Bear is at it again.
The Russian hacking group also known as the Sofacy group and APT28, among other names, created a variant of an existing malware tailored to hit Apple‘s Mac computers and operating system, according to two cybersecurity firms.
Fancy Bear created a stir during the 2016 presidential election when several security firms and U.S. intelligence agencies said the group was responsible for hacking emails of the Democratic National Committee. Security firm Crowdstrike said the hackers are likely linked with Russia’s GRU military intelligence agency.
This week, both Palo Alto Networks (PANW) and Bitdefender Labs said the hacking group created a new version of its Xagent malware, which targets the macOS desktop operating system in addition to iOS, Windows, Linux, and the Android mobile operating systems.
Once the malware infects an Apple computer, hackers could access documents from any iPhone or iPad backups stored on these machines.
Get Data Sheet, Fortune’s technology newsletter.
Palo Alto Networks examined a list of commands associated with the malware, and found that one command could help hackers discover any iOS-related backups on the computer. From there, the researchers “speculate that the actors would use other commands within XAgent to exfiltrate those files,” according to Palo Alto Networks.
Researchers at Bitdefender Labs said the malware is likely spread through a Trojan worm known as the Komplex downloader. In September, Palo Alto Networks said that Fancy Bear was using the Komplex Trojan as a way to infect Macs belonging to employees in the aerospace industry.
For more about cybersecurity, watch:
Although the security firms didn’t how prevalent the malware is yet, it’s likely low because these hackers are specifically targeting certain segments of people—not Internet users en masse.
