The re-use of an implant associated with APT1 is "a significant finding", according to McAfee fellow and chief scientist Raj Samani.
The new campaign — which began in May — has been dubbed Operation Oceansalt by McAfee, reflecting its use of code previously seen in 2010's Operation Seasalt. As far as McAfee has been able to determine, there are no indications that the Seasalt code became public.
Oceansalt initially targeted the South Korean higher education sector, and involved a macro in a document showing "a strong command of the Korean language".
The documents were distributed from compromised South Korean sites.
Later waves targeted a small number of organisations in other parts of the world, including the US and Canada.
"Is China back? We don't do attribution," said Samani.
He outlined three possibilities: a code-sharing agreement between two nation states, an actor obtaining the source code from someone associated with APT1, or a "false flag" operation intended to suggest collaboration between China and North Korea.
The implant is able to exfiltrate and delete files, and set up a reverse shell giving full control over the affected computer, among other functions. But Samani said it had not been possible to determine the goal of the campaign.
He added that McAfee had delayed announcing its findings until the information had been cleared by relevant law enforcement organisations, and that the indicators that a system has been compromised by the campaign are being made public.
The writer attended McAfee's Mpower Cyberecurity Summit as a guest of the company.