The digital surveillance tools are peddled by an international firm called Gamma Group and have in the past been sold to repressive regimes including Bahrain, Egypt and the United Arab Emirates (UAE).
In March this year, the company attended a security conference sponsored by the UK Home Office.
This week (21 September), experts from cybersecurity firm Eset claimed that new FinFisher variants had been discovered in seven countries, two of which were being targeted by "man in the middle" (MitM) attacks at an ISP level – packaging real downloads with spyware.
Companies being hit included WhatsApp, Skype, Avast, VLC Player and WinRAR, it said, adding that "virtually any application could be misused in this way."
When a target of the surveillance tried to download the software, they would be silently redirected to a version infected with FinFisher, the research found.
When downloaded, the software would install as normal – but Eset found it would also be covertly bundled with the surveillance tool.
The stealthy infection process was described as being "invisible to the naked eye."
One WikiLeaks document on FinFly ISP touted its ability to conduct surveillance from an ISP level.
The software's brochure boasted: "FinFly ISP is able to patch files that are downloaded by the target on-the-fly or send fake software updates for popular software."
It added that it "can be installed on an internet service provider's network" and listed one use case when it was previously deployed by an unnamed intelligence agency.
Eset found that all affected targets within one of the countries were using the same ISP.
"The deployment of the ISP-level MitM attack technique mentioned in the leaked documents has never been revealed – until now," the researchers said in their analysis.
"If confirmed, these FinFisher campaigns would represent a sophisticated and stealthy surveillance project unprecedented in its combination of methods and reach."
It remains unknown who was behind the fresh hacking campaigns, but FinFisher is almost exclusively tailored to government, police or intelligence agency use.
"We cannot say for sure who is behind the campaign but the ISP re-direction could be a service ordered from FinFisher," Kafka said.