The technique puts data at risk even if the employees are using encryption.
The attacks began in 2007, according to research firm Kaspersky Lab.
"This paints a dark, dangerous web in which unsuspecting travellers can easily fall."
Kaspersky said that the effort was "well-resourced", but it was unclear who was responsible.
"It's unsurprising given the high value of the targets," commented Dr Ian Brown, from the Oxford Internet Institute.
"This is perhaps a wake-up call to big company CEOs who weren't already aware that this kind of thing was going on."
Examples include new versions of Adobe Flash, Google Toolbar and Windows Messenger.
To prevent the malware being detected, the hackers use certificates - the equivalent of a digital password, used under normal circumstances to confirm software is trustworthy.
The result is that the hackers can then employ other types of malware.
These are said to include:
• Information stealers - used to copy data off the computer's hard drive, including passwords stored by internet browsers, and the logins for cloud services including Twitter, Facebook, Mail.ru and Google
• Trojans - used to scan a system's contents, including information about the anti-virus software it has installed. The findings are then uploaded to the hackers' computer servers
• Droppers - software that installs further viruses on the system
• Selective infectors - code that spreads the malware to other computer equipment via either a USB connection or shared removable storage. These targets appeared to be "systematically vetted" before being infected
• Small downloaders - files designed to contact the hackers' server after 180 days. The belief is that this is intended to let them take back control if some of the other malware is detected and removed.
"It's not surprising that other countries would be wanting to do this," Dr Brown commented.