Monday 06 July 2026 14:44:01 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

Cyber Warfare & Nation-State Operations

Espionage in the Cloud: How CamelClone Turned File-Sharing Sites into Spy Tools

Published: 16 March 2026 15:36Category: Cyber Warfare & Nation-State OperationsGeo: AfricaAuthor: AGONY

Subtitle: A shadowy cyber campaign leverages public platforms to infiltrate government networks across four continents.

On a quiet morning, an unsuspecting government employee in Algeria opens a ZIP file, believing it to be an official document from their Ministry of Housing. Within moments, invisible hands reach in, siphoning sensitive files to a distant cloud account. This is not a scene from a thriller-it’s the reality of Operation CamelClone, a sophisticated, globe-spanning espionage campaign now under the microscope of security researchers.

Fast Facts

  • Operation CamelClone targets government, defense, and diplomatic entities in Algeria, Mongolia, Ukraine, and Kuwait.
  • The attackers abuse public file-sharing sites and cloud storage to distribute malware and exfiltrate data.
  • Infection begins with spear-phishing emails containing malicious ZIP archives and decoy documents.
  • Legitimate tools like Rclone and MEGA cloud storage are repurposed for stealthy data theft.
  • The campaign focuses on intelligence-gathering, with no links to financial cybercrime.

The Anatomy of a Modern Spy Campaign

Researchers at Seqrite Labs have traced a web of attacks across four countries-Algeria, Mongolia, Ukraine, and Kuwait-each with pivotal roles in today’s shifting geopolitical landscape. The campaign, dubbed Operation CamelClone, is notable for its cunning use of trusted public platforms to cloak its tracks. Instead of relying on traditional, easily blacklisted command-and-control servers, the attackers exploit mainstream file-sharing sites such as filebulldogs[.]com and cloud storage giant MEGA to move their digital contraband.

The operation kicks off with highly targeted spear-phishing emails. These lure victims with ZIP files labeled as official correspondence-complete with realistic logos and references to real government agencies. Inside each archive lurks a disguised shortcut file (LNK) and a decoy image. When the shortcut is activated, a hidden PowerShell command reaches out to filebulldogs[.]com, quietly downloading more dangerous payloads.

The next stage involves a JavaScript loader, codenamed HOPPINGANT, which executes further PowerShell commands. Victims are distracted by a decoy PDF while a secondary archive delivers an executable: a legitimate copy of Rclone, a popular tool for syncing files with cloud storage. With credentials baked into the malware, Rclone connects to MEGA using anonymous onionmail[.]org email accounts. Documents-especially Word, PDF, and text files-are silently siphoned from the victim’s desktop. Telegram session data is also targeted, potentially exposing confidential communications.

By leveraging public infrastructure, CamelClone ensures its operations are harder to detect and disrupt. The use of legitimate platforms and tools blurs the line between normal business and malicious activity, complicating the work of defenders. The campaign’s focus on governmental and strategic sectors suggests a clear espionage motive, aimed at understanding defense postures, foreign policy, and diplomatic maneuvers amid global tensions.

Conclusion

Operation CamelClone is a wake-up call for organizations worldwide: the cloud is now both a business enabler and a battleground. As attackers grow more adept at blending in with normal internet traffic and exploiting trusted tools, defending sensitive information demands not only vigilance, but also a keen understanding of how everyday technologies can be weaponized. The next targeted email could be the opening move in a quiet, high-stakes game of global espionage.

WIKICROOK

  • Spear: Spear phishing is a targeted cyberattack using personalized emails to trick specific individuals or organizations into revealing sensitive information.
  • LNK file: An LNK file is a Windows shortcut that links to a file or program. Attackers can exploit LNK files to run hidden commands or malware.
  • PowerShell: PowerShell is a Windows scripting tool used for automation, but attackers often exploit it to perform malicious actions stealthily.
  • Rclone: Rclone is a command-line tool for managing files across cloud services, but is also exploited by cybercriminals for data theft and exfiltration.
  • Command: A command is an instruction sent to a device or software, often by a C2 server, directing it to perform specific actions, sometimes for malicious purposes.