Hackers have hit dozens of companies in the chemical industry and defense sector, and snaffled company secrets, according to a report from Symantec.
The attacks, it says, started in late July and continued until mid-September. Before that, says Symantec, the same individuals were targeting human rights-related NGOs.
The attacks, dubbed Nitro, were apparently carried out using social engineering, with an email carrying a malicious attachment, presented as an Adobe Flash or anti-virus update. The malware used was a version of the remote access Trojan PoisonIvy.
Symantec says it's been able to trace the attacks to a virtual private server in the US.
"However, the system was owned by a 20-something male located in the Hebei region in China," it says in the report.
"He attended a vocational school for a short period of time specializing in network security and has limited work experience, most recently maintaining multiple network domains of the vocational school."
The company's dubbed him Covert Grove, based on a literal translation of his name. It says it can't tell whether he was working on his own, or acting on behalf of another party - such as the Chinese government.
In any case, says Symantec, other hackers are targeting the same companies, although it says it can't find any connection between the two.
"Simply restricting permissions would be enough to stunt the spread of an attack like this," points out Chester Wisniewski of Sophos.
"Additionally, the behavior of this malware is quite easy for HIPS or behavioral anti-virus to detect and block. With the multitude of techniques being used by the bad guys, analyzing the behavior of applications is critical."