Targeted attacks against aerospace industry use Sykipot malware

04.07.2012
New email-based attacks, some of which target the aerospace industry, are distributing new variants of the Sykipot information-stealing malware, according to researchers from security firm AlienVault.

"We have detected a new wave of Sykipot campaigns that has been running during the past weeks," AlienVault Labs manager Jaime Blasco said Monday in a . "There are several changes between the new Sykipot campaigns and the older ones."

There are clues suggesting that these attacks originated in China, although this cannot be confirmed with one hundred percent certainty, Blasco said Wednesday.

The rogue emails sent in the new attacks no longer distribute malicious attachments that exploit vulnerabilities in Adobe Reader, Microsoft Excel or Internet Explorer to install Sykipot.

Instead, they contain links to compromised websites that exploit a 2011 Flash Player vulnerability or a yet-to-be-patched vulnerability in the Microsoft XML Core Services (MSXML) to install the malware.

The MSXML vulnerability is believed to have been exploited in June attacks that prompted Google to warn its Gmail users about state-sponsored attacks. Microsoft released a manual fix for this vulnerability on June 12.