Researchers have revealed a previously undocumented threat actor of Chinese origin that has run at least six different cyber espionage campaigns in the Southeast Asian region since 2013.

The findings — disclosed by Palo Alto Networks’ threat intelligence team Unit 42 — linked the attacks to a group (or groups) it calls PKPLUG, named after its tactic of delivering PlugX malware inside ZIP files, which are identified with the signature “PK.”

The attribution remains ambiguous because “our current visibility doesn’t allow us to determine with high confidence if this is the work of one group, or more than one group which uses the same tools and has the same tasking,” Unit 42 said.