A private firm working on the investigation, iSIGHT Partners, said the hackers behind the malware "displayed innovation and a high degree of skill in orchestrating the various components of the activity."
"It's not necessarily the specific malware components individually that make this new or sophisticated, but it's really the size or scale of this operation at large that makes this unique," said Tiffany Jones, senior vice president at iSIGHT Partners.
The malware infects individual point of sale devices. It monitors data processed on the device, then transmits that data outside of the retailer, she said.
It is especially hard to detect because it deletes records that could tell investigators it fraudulently transmitted the data, Jones added.
The "malicious software has potentially infected a large number of retail operations," Jones told CNNMoney.
Jones declined to name specific retailers infected with the malware, but her description of its function is in line with experts' understanding of the Target hack. A spokeswoman for Target(TGT) did not immediately respond to a request for comment.
"We've seen various types of malware that have done that, but its the first time that we've seen this attack at this scale of criminal operation," she said. The malware manages to "covertly subvert network controls" and avoids current anti-virus software.
She declined to say how it was spread, but indicated the malware does not need to be manually installed on each terminal it infects.
The U.S. Department of Homeland Security did not make the government's report public and provided little on its contents. iSIGHT Partners provided CNNMoney a copy of its findings.
The firm referred to the software by a Russian name -- KAPTOXA -- because parts of the code were written in Russian.
Target said in December that the massive breach was due to malware on point of sale systems. Payment data was compromised for customers who shopped between Nov. 27 and Dec. 15.
Hackers obtained credit card data for 40 million in-store customers, as well as personal information -- including names, addresses, phone numbers and email addresses -- for 70 million customers. Hackers also obtained encrypted PIN numbers for debit cards, the company said.
The CEO apologized, and Target said it was working with both law enforcement and a private security firm to investigate the hack.
Target representatives are scheduled to give their first public testimony regarding the breach during the first week of February before a panel of the House Commerce Committee, Rep. Lee Terry announced Wednesday evening.