We have previously seen DustSquad use third-party post-exploitation tools, such as the password dumping utility fgdump; but we have now observed new custom C modules, a first for DustSquad, and Delphi downloaders acting as post-exploitation facilitators, able to gather documents of interest for the actor. We analyzed the associated samples and concluded that the deployed malware was not comparable in complexity or code similarity to malware leveraged in previous destruction campaigns such as NotPetya or BadRabbit; but was much more reminiscent of that typically used by cybercriminals. We also observed that the malware was exclusively used against servers until August 2021; but starting from September, similar samples were also observed targeting desktop environments via messaging applications such as Telegram. This loader leverages a fake Flash installer implanted with shellcode that is used to fetch a Cobalt Strike payload from a remote C2 server.