Crucially, the infection relies on legitimate programs to accomplish its task, whether they’re built into Windows or downloaded from third parties. There are no malware programs copied to storage. The approach makes it harder for security teams to research the code and devise countermeasures.

It’s not certain who’s behind Nodersok. It appears to be meant for everyday criminals rather than hostile countries, however. Cisco believed that i was “primarily designed” for click fraud, or the practice of automatically generating ad clicks to boost revenue from websites. Most targets are typical consumers in Europe and the US rather than corporate or government users.

Both Microsoft and Cisco are keen to tout the ability of their enterprise-grade defense systems to thwart the malware. Most people don’t have access to those to those resources, though, and conventional signature-based antivirus software has a much harder time. Nodersok has targeted “thousands of machines” in recent weeks, according to Microsoft, and that might not let up in the near future.