A criminal group has been systematically targeting large corporations — including four Canadian organizations — over the past three years to steal confidential information and intellectual property, warns Symantec.

In a blog last week the security vendor said the group, which it has dubbed Butterfly, has hit 49 organizations in more than 20 countries including Twitter, Facebook, Apple, Microsoft and firms in the pharmaceutical, legal and oil and precious metals sectors. More details on the group are in this Symatec report.

Symantec describes the group as “technically proficient and well resourced” and — perhaps surprisingly — not interested in credit card data. “The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers,” says the report, “and appears to have used at least one zero-day vulnerability in its attacks. It keeps a low profile and maintains good operational security. After successfully compromising a target organization, it cleans up after itself before moving on to its next target.”

Part of the reason it’s been hard to track is the group uses encrypted virtual machines and multi-staged command and control servers to make it difficult to investigate.

The attacks date back to 2012 and typically involve compromising a website used by mobile developers (iPhoneDevSDK. com) and using a Java zero-day exploit (CVE-2013-0422, since been patched) to infect them with a Mac OS X back door known as OSX.Pintsized or a Windows back door, Backdoor.Jiripbot. It is not uncommon for the attackers to gain a foothold in an organization’s regional offices, then spreading to its headquarters. In many attacks, Symantec [Nasdaq: SYMC] says, the group compromised Microsoft Exchange or Lotus Domino email servers to intercept company emails, and possibly use them to send counterfeit emails.

In addition to the four unnamed Canadian firms hit, 17 organizations in the U.S. and 12 in Europe were victims. Symatec doubts the Butterfly group is state-sponsored.