It naturally circles back around like a satellite in orbit….around….a….globe
The attack scheme features a remarkable pre-attack phase designed to create a foundation of trust for an effective spear-phishing campaign against high-profile targets. The attacker starts with a list of email accounts—obtained either from an out-of-band compromise, or by another case using the same malware. These accounts belong to organizations or persons that are supposedly trusted by the final, high-profile victim(s).
Using these email accounts as senders, together with attachment names crafted to camouflage the original malware sample extension (*.exe), the attacker managed to infect the computers (directly or indirectly) used by the high-profile victims.
When the malware files are executed on each machine it auto-updates itself, steals information related to email accounts matching the list above, and sends the harvested information to dropzone email addresses and/or C&C servers via HTTP/HTTPS. This also adds these email accounts to the attacker’s list of compromised accounts, which could be used to spread malware to other victims.
https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/
It seems to be a 'malware/spear-phishing scheme'.
I'm really not that well read in cyber stuff, but it sounds plausible certainly. If not that same program, then maybe a Chinese clone.