APT trends report Q2 2022

2022-07-28 Kaspersky

https://securelist.com/apt-trends-report-q2-2022/106995/

We found links to previously observed cybercrime activities, new, formerly unknown samples used by the attackers during post-exploitation activities, a wealth of recent information about C2 infrastructure and the latest samples distributed to compromise victims. We discovered a highly active campaign, starting in March 2022, targeting stock and cryptocurrency investors in South Korea. The attacks targeted Indian and Afghan victims and, while some of the attacks had a more complicated attack chain, they all involved sophisticated techniques, such as different stages of HTA scripts with encrypted/obfuscated malicious payloads, memory-resident malware and, in most cases, DLL side-loading to execute the NightFury backdoor. The attackers used compromised websites to host the initial HTA scripts and their own servers as C2 for different backdoor and RAT samples, as well as download servers for downloader modules.
