New Konni Campaign Kicks Off The New Year By Targeting Russian Ministry Of Foreign Affairs

2022-01-05 Lumen

https://blog.lumen.com/new-konni-campaign-targeting-russian-ministry-of-foreign-affairs/


In October 2021, a presumed phishing campaign targeted the Russian Federation Ministry of Foreign Affairs (MID) with links to a series of spoofed MID portals in order to harvest credentials from MID personnel. Based on the observed TTPs, including the use of a lightweight loader to retrieve a .cab file containing install.bat, the use of a .dll to call an .ini file, the host-based commands, and similar URL structures for the C2 servers, we observe strong correlation with the malware previously reported as Konni. After gaining access through stolen credentials, the actor was able to exploit trusted connections to distribute and load the malware, first by impersonating a government software program that coincided with new Covid mandates, and then by sending trojanized files from a compromised account. While this particular campaign was highly targeted, it is vital for defenders to understand the evolving capabilities of advanced actors to achieve infection of coveted targets.

Indicators of Compromise

Type    Value                              First Seen  Last Seen
DOMAIN  victory-2020.atwebpages.com        2022-01-05  2024-09-05
DOMAIN  h378576.atwebpages.com             2022-01-05  2024-09-05
EMAIL   [email protected]                  2022-01-05  2022-01-05
EMAIL   [email protected]                  2022-01-05  2022-01-05
EMAIL   [email protected]                  2022-01-05  2022-01-05
URL     http://h378576.atwebpages.com      2022-01-05  2022-01-05
URL     http://i758769.atwebpages.com      2022-01-05  2022-01-05
URL     http://i758769.atwebpages.com/i…   2022-01-05  2022-01-05
URL     http://h378576.atwebpages.com/u…   2022-01-05  2022-01-05
DOMAIN  portal.newint-mid.ru.carnegiein…   2022-01-05  2022-01-05
DOMAIN  pronto-login.com                   2022-01-05  2022-01-05
DOMAIN  passport.yandex.ru-settings.pro…   2022-01-05  2022-01-05
DOMAIN  e.mail.ru.settings.pronto-login…   2022-01-05  2022-01-05
DOMAIN  i758769.atwebpages.com             2022-01-05  2022-01-05
DOMAIN  carnegieinsider.com                2022-01-05  2022-01-05
IPv4    152.89.247.26                      2022-01-05  2022-01-05
DOMAIN  mid.ru                             2020-03-02  2022-01-05
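The indicator table can be turned directly into a first-pass check over proxy or DNS logs. The Python below is an added example written for this page; it is not code from the Lumen post. It uses only the indicators the table shows in full (truncated values are left out rather than guessed), matches only the listed subdomains of atwebpages.com rather than the shared-hosting parent, and treats mid.ru as the victim's legitimate domain rather than as a malicious indicator. It also generalizes the spoofing pattern visible in the listed hostnames (a legitimate domain such as yandex.ru or mail.ru embedded inside an attacker-controlled name) by flagging any hostname in which a protected domain appears on a label boundary but is not the actual suffix. The protected-domain list beyond mid.ru, the example hostnames and the log lines are constructed for the demonstration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators copied from the table above (only those the page shows in full;
# truncated values are deliberately omitted rather than guessed).
IOC_DOMAINS = {
    "victory-2020.atwebpages.com",
    "h378576.atwebpages.com",
    "i758769.atwebpages.com",
    "pronto-login.com",
    "carnegieinsider.com",
}
IOC_IPS = {ipaddress.ip_address("152.89.247.26")}

# Legitimate domains the campaign impersonated. mid.ru is the victim's own
# domain; yandex.ru and mail.ru are assumed from the spoofed hostnames listed.
PROTECTED = ("mid.ru", "yandex.ru", "mail.ru")


def hostname_of(value):
    """Lower-cased hostname from a URL, host:port pair or bare hostname."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value          # let urlsplit parse a bare host
    host = urlsplit(value).hostname
    return host.rstrip(".") if host else None


def is_under(host, domain):
    """True when host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def classify(value):
    """Return 'ioc-ip', 'ioc-domain', 'lookalike', 'legit', 'clean' or 'invalid'."""
    host = hostname_of(value)
    if not host:
        return "invalid"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return "ioc-ip" if ip in IOC_IPS else "clean"
    if any(is_under(host, d) for d in IOC_DOMAINS):
        return "ioc-domain"
    for legit in PROTECTED:
        if is_under(host, legit):
            return "legit"
        # The legitimate name sits inside the hostname on a label boundary
        # ('.' or '-') but is not the suffix, e.g. passport.yandex.ru-settings.<x>
        if re.search(r"(?:^|[.-])" + re.escape(legit) + r"(?:$|[.-])", host):
            return "lookalike"
    return "clean"


def scan(log_lines):
    """Classify the URL field of 'timestamp src_ip url' lines; return hits."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) < 3:
            continue
        verdict = classify(fields[2])
        if verdict not in ("clean", "legit"):
            hits.append((n, verdict, hostname_of(fields[2])))
    return hits


# Constructed proxy-log sample for the demonstration (not real traffic).
SAMPLE_LOG = [
    "2022-01-05T09:12:01Z 10.0.0.5 https://www.mid.ru/",
    "2022-01-05T09:12:07Z 10.0.0.5 http://h378576.atwebpages.com/index.html",
    "2022-01-05T09:13:40Z 10.0.0.9 https://passport.yandex.ru-settings.example.net/login",
    "2022-01-05T09:14:02Z 10.0.0.9 https://portal.newint-mid.ru.example.org/",
    "2022-01-05T09:15:11Z 10.0.0.7 152.89.247.26:443",
    "2022-01-05T09:16:30Z 10.0.0.7 https://pyramid.ru/",
]

if __name__ == "__main__":
    for line_no, verdict, host in scan(SAMPLE_LOG):
        print(f"line {line_no}: {verdict:11} {host}")
```

The boundary regex is what keeps the lookalike check from firing on names such as pyramid.ru, where "mid.ru" is merely a substring; only a protected domain that stands as its own labels, joined by "." or "-" to further attacker-chosen labels, is reported. Exact IoC matches are checked before the lookalike test so a spoofed name hosted on a listed domain is reported as the stronger indicator.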
