The group responsible for conducting a phishing attack against Indian IT consulting firm Wipro and its clients has since mid-2016 been conducting a far-reaching gift card fraud operation targeting an array of businesses, a new report states.

What’s more, the malicious activity bear certain hallmarks of a state-sponsored actor with financial motives, according to a new threat report from RiskIQ threat researchers Yonathan Klijnsma and senior Product Manager Steve Ginty. The report notes that one of the PowerShell scripts used by the group, BabySharkPro, is typically tied to North Korean threat activity – but its presence could be a false flag.

RiskIQ profiled the group by examining infrastructure overlap in PowerDNS, WHOIS records and SSL certificate data, according to a company press release. “The sheer scale of the infrastructure involved in this campaign and the concerted effort to attack so many different organizations at once is both impressive and disturbing,” said Klijnsma in the release.

The group’s April attack against Wipro has likely an attempt to expand its reach, the RiskIQ group asserts. Primarily, however, the group has targeted gift card retailers, distributors, and card processors. “With access to this gift card infrastructure, the attackers went on to use money transfer services, clearinghouses, and other payment processing institutions to monetize,” the report concludes.

According to RiskIQ, the group has borrowed phishing templates from legitimate security awareness training provider Lucy Security to create their own phishing forms, and has used the digital marketing solutions Socialab, SendGrid and Campaign Monitor for phishing email link-tracking. The actors also have leveraged the legitimate tools ScreenConnect and EMCO Remote Installer to remotely control compromised machines and deploy tools across impacted networks, the report continues.