A new malware campaign targeting Russian energy companies, factories, and electronic component suppliers has been detected. The malware, distributed via email attachments or Yandex Disk links, uses RAR archives containing LNK files to download and execute malicious HTA files. These files create VBS scripts that establish persistence through registry keys and scheduled tasks. The scripts copy files from the user's home directory and Telegram data, then exfiltrate them to the attacker's server. Unlike typical attacks, this malware remains active, continuously stealing new and modified files. The campaign shows no clear connection to known threat groups and is detected as Trojan-Spy.VBS.Unicorn.