Over the ten months of the campaign, attackers repeatedly changed not only Pastebin, BlogSpot, and Bit.ly links, but also malware delivered: in part of the attacks they infected victims with Azorult malware instead of RevengeRAT. Azorult can be used to deliver various tools and other malware, including ransomware.
Content to uncover this attack available on Threat Detection Marketplace:
MSHTA Spawning Windows Shell – https://tdm.socprime.com/tdm/info/2175/
Possible Malicious Use of MSHTA.EXE Detector (Sysmon Behavior) – https://tdm.socprime.com/tdm/info/2403/
MSHTA spwaned by SVCHOST as seen in LethalHTA (Sysmon). – https://tdm.socprime.com/tdm/info/1065/
AZORult malware detected – https://tdm.socprime.com/tdm/info/2203/