Just why the intruders would need to do that isn’t entirely clear. If you’ve infected a system with a remote control trojan, you don’t need to patch the browser to spy on traffic. ZDNet suggested it might be a failsafe that let intruders spy on traffic for people who remove the trojan, but aren’t cautious enough to reinstall their browsers.

The perpetrators appear to be easier to identify, and that might reveal their motives. Turla is believed to work under the protection of the Russian government, and initial targets were located in Russia and Belarus. The group is sophisticated enough to have compromised Eastern European internet providers in the past to infect otherwise clean downloads. This may be an attempt to snoop on dissidents and other political targets using a method that’s difficult to thwart.