The group is still going after users who download router management software to infect target organizations.
Updated FinSpy implants for iOS and Android have been used in nearly 20 countries in the last year, according to Kaspersky.
New information from Lookout has given the public unique insights into how nation-states buy and develop surveillance exploits.
Another instance of FinFisher has been spotted in the wild by digital rights advocacy group Access Now.
"I don't think ISS World is controversial at all," Andrew Lewman told CyberScoop. "I think it's a training exercise. If you're working with law enforcement, that's where they go to learn about the cool new technology."
The discovery by Kaspersky Lab marks at least the fifth zero-day exploit used by the so-called BlackOasis group and exposed by security researchers since June 2015.