Researchers at Symantec have uncovered the exploits of a cyberespionage group targeting organizations in Japan.

According to a Thursday blog post by the firm, malicious emails were used to spread backdoors Emdivi, Korplug and ZXshell to victims. Instead of simply including a link to compromised websites in phishing ruses, attackers used booby-trapped Ichitaro document files to spread malware.

That attack leverages a remote code execution vulnerability, CVE-2014-7247, in the widely-used Ichitaro word processor, so that users running vulnerable versions of the software are exploited. The backdoors are all designed to “steal confidential information from the compromised computer,” Symantec said.  

The cyberespionage campaign,“Operation CloudyOmega,” has been active since 2011 and its perpetrators have “communication channels with other notorious attacks groups,” like Hidden Lynx, the firm noted.  A patch for the zero-day vulnerability is now available.