FinFisher has versions that can run on Windows, macOS and Linux systems. The victims were in Europe and Asia, but Kaspersky did not provide any more detail about the targets or how many targets were found.
The findings were presented during the company's annual Security Analyst Summit which is being held online due to the pandemic.
The research into FinFisher was carried out over the last eight months, but Kaspersky said it had been tracking the spyware since 2011.
But then the researchers found a website in Burmese which hosted infected installers and samples of FinFisher for Android which were trojanised with the same spyware, with some differences.
The spyware now protected the trojan using two components: a non-persistent pre-validator and a post-validator.
The first component checked that the device it was infecting did not belong to a security researcher, and only after this check passed was the post-validator component uploaded.
The new avatar of FinFisher, which is also known as FinSpy and Wingbird, was found to have four complex custom-made obfuscators.
"The primary function of this obfuscation is to slow analysis of the spyware," the Kaspersky researchers noted. "On top of that, the trojan also employs peculiar ways to gather information. For instance, it uses the developers’ mode in browsers to intercept traffic protected with a HTTPS protocol."
The FinFisher samples that replaced the Windows UEFI bootloader allowed attackers to install a bootkit without going through any of the firmware security checks.
The team found that all machines infected with the UEFI bootkit had the Windows Boot Manager replaced with a malicious one.
"When the UEFI transfers execution to the malicious loader, it first locates the original Windows Boot Manager. It is stored inside a directory, which contains two more files: the Winlogon Injector and the Trojan Loader – both are encrypted," Kaspersky explained.
"Once the original bootloader is located, it is loaded into memory, patched, and launched. This way of infection allowed the attackers to install a bootkit without the need to bypass firmware security checks."
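Because the described infection replaces the Windows Boot Manager on the EFI System Partition rather than tampering with firmware, a defender can check that file directly. The following PowerShell is an added example, not code from Kaspersky's report; it assumes an elevated session, that drive letter Y: is free, and the standard bootmgfw.efi location.

```powershell
# Added example (not from Kaspersky's report): check the Windows Boot Manager on the
# EFI System Partition for a valid Microsoft Authenticode signature, record its hash,
# and list .efi files on the ESP that are not validly signed. Run elevated.
# Assumptions: Y: is unused; bootmgfw.efi is at the standard path.

$EspLetter = 'Y:'
$BootMgr   = "$EspLetter\EFI\Microsoft\Boot\bootmgfw.efi"

# mountvol /S mounts the EFI System Partition of the boot disk at the given letter.
mountvol $EspLetter /S | Out-Null
try {
    if (-not (Test-Path $BootMgr)) { throw "Boot Manager not found at $BootMgr" }

    # 1. The genuine loader carries a valid signature from a Microsoft certificate.
    $sig    = Get-AuthenticodeSignature -FilePath $BootMgr
    $signer = $sig.SignerCertificate.Subject
    $okSig  = ($sig.Status -eq 'Valid') -and ($signer -like '*Microsoft*')
    Write-Output ("Boot Manager signature: {0} ({1})" -f $sig.Status, $signer)

    # 2. Hash to compare against a known-good copy (install media or a clean host).
    $hash = (Get-FileHash -Path $BootMgr -Algorithm SHA256).Hash
    Write-Output "Boot Manager SHA256: $hash"

    # 3. Any .efi on the ESP without a valid signature deserves a look. Third-party
    #    loaders (e.g. shim/grub on dual-boot systems) may legitimately show up here.
    Get-ChildItem -Path "$EspLetter\EFI" -Recurse -File -Filter '*.efi' |
        ForEach-Object {
            $s = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($s.Status -ne 'Valid') {
                Write-Output ("Unsigned/invalid: {0} [{1}]" -f $_.FullName, $s.Status)
            }
        }

    if (-not $okSig) { Write-Warning "Boot Manager signature check FAILED; investigate this host." }
}
finally {
    # Always unmount the ESP again.
    mountvol $EspLetter /D | Out-Null
}
```

A signature failure or a hash that differs from a known-good copy does not by itself identify this bootkit, but it is the condition the infection described above would produce and is cheap to check across a fleet.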
Igor Kuznetsov, principal security researcher at Kaspersky's Global Research and Analysis Team, said: "The amount of work that was put into making FinFisher not accessible to security researchers is particularly worrying and somewhat impressive.
"It seems like the developers put at least as much work into obfuscation and anti-analysis measures as into developing the trojan itself."
Kuznetsov said the work put in made the spyware particularly hard to track and detect, meaning that anyone who wanted to drill into the innards needed to be willing to invest a substantial amount of time.
He added that complex threats like FinFisher made it plain that security researchers needed to co-operate and exchange knowledge.