Attack Chain | Image: Seqrite Labs
Cybersecurity researchers at Seqrite Labs have identified a widespread and highly targeted espionage operation dubbed “Operation CamelClone”. The campaign is notable for its broad geographical reach and its clever use of legitimate public cloud services to bypass traditional network defenses.
Operation CamelClone has been observed targeting a diverse set of nations, including Algeria, Mongolia, Ukraine, and Kuwait. Despite the geographical distance between these targets, the campaign’s focus remains consistent: the collection of sensitive strategic information.
The primary targets include:
- Government and Defense: Organizations involved in national security and military strategy.
- Diplomatic Institutions: Departments focused on foreign affairs and international cooperation.
- Energy Sectors: Strategic resource management and policy-making bodies.
As the analysts at Seqrite Labs noted:
“The targeting pattern suggests an actor with interests in monitoring the foreign policy positions, defence capabilities, and diplomatic alignments of states navigating major-power rivalries.”
What makes Operation CamelClone stand out is its avoidance of dedicated attacker-owned infrastructure. Instead of setting up custom command-and-control (C2) servers—which are easily flagged by security software—the threat actor leverages anonymous file-sharing sites and legitimate cloud storage.
The infection chain typically follows this sequence:
- Initial Access: Victims receive a malicious ZIP archive containing decoy documents tailored to government or military themes.
- The Payload: Opening the archive triggers the deployment of the HOPPINGANT loader.
- Abusing Public Tools: The loader fetches additional payloads from filebulldogs[.]com, a public file-sharing service.
- Exfiltration via Rclone: For the final theft, the attackers utilize Rclone, a legitimate command-line tool for managing cloud storage, to upload stolen data directly to MEGA storage accounts.
“One interesting aspect of this campaign is that the threat actor does not rely on traditional command-and-control infrastructure. Instead, the payloads are hosted on a public file-sharing service… while stolen data is uploaded to MEGA storage using the legitimate tool Rclone.”
While the activity has not yet been attributed to a specific known threat group, the technical “fingerprints” across all four targeted regions are nearly identical. Researchers observed the reuse of the same XOR keys for password decoding and identical Rclone configuration parameters in every instance, suggesting a single, highly organized operator.
Security Recommendations:
- Audit Cloud Management Tools: Monitor for unauthorized installations of tools like Rclone or unauthorized connections to file-sharing services like MEGA.
- Inspect ZIP Archives: Implement strict email filtering for ZIP files, especially those originating from unknown external sources.
- Monitor Outbound Traffic: Watch for high-volume data transfers to anonymous public file-sharing websites.
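As an added illustration (not code from the Seqrite report), the following Python triage script turns the three recommendations above into checks over constructed process-creation and egress log lines: rclone launched from outside an approved install path or with an ad-hoc `--config`, connections to public file-sharing domains, and per-host upload volume to those domains. The key=value log format, the domain watchlist, the approved install path and the byte threshold are all assumptions to be tuned for a real environment.

```python
import re
from collections import defaultdict
# Constructed sample events (not from the Seqrite report): process-creation and
# egress records in an assumed key=value format, one event per line.
SAMPLE_LOGS = r"""
ts=2024-05-01T09:12:03Z type=process host=ws-17 user=jdoe image="C:\Users\jdoe\AppData\Local\Temp\rclone.exe" cmdline="rclone.exe copy C:\Users\jdoe\Documents mg:drop --config C:\Users\jdoe\AppData\Local\Temp\rc.conf"
ts=2024-05-01T09:12:10Z type=egress host=ws-17 dst=mega.nz bytes_out=734003200
ts=2024-05-01T09:15:44Z type=egress host=ws-17 dst=filebulldogs.com bytes_out=48211
ts=2024-05-01T10:00:00Z type=process host=ws-22 user=svc-backup image="C:\Program Files\rclone\rclone.exe" cmdline="rclone.exe sync D:\share s3corp:nightly"
ts=2024-05-01T10:01:00Z type=egress host=ws-22 dst=s3.amazonaws.com bytes_out=900000000
"""

# Assumed watchlist, approved install path and threshold; tune per environment.
FILE_SHARING_DOMAINS = {"mega.nz", "mega.co.nz", "filebulldogs.com"}
APPROVED_RCLONE_PATHS = {r"c:\program files\rclone\rclone.exe"}
EXFIL_BYTES_THRESHOLD = 100 * 1024 * 1024  # 100 MiB per host to file-sharing sites

KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line):
    """Split one key=value line into a dict (quoted values may contain spaces)."""
    return {k: (q or u) for k, q, u in KV_RE.findall(line)}

def flag_rclone_process(ev):
    """Reasons an rclone launch looks unauthorized, or None if it looks normal."""
    image = ev.get("image", "").lower()
    if not image.endswith("rclone.exe"):
        return None
    reasons = []
    if image not in APPROVED_RCLONE_PATHS:
        reasons.append("rclone outside approved install path")
    if "--config" in ev.get("cmdline", ""):
        reasons.append("ad-hoc rclone config file")
    return reasons or None

def analyse(log_text):
    """Return {host: [findings]}: rclone misuse, file-sharing connections, large uploads."""
    findings, per_host_bytes = defaultdict(list), defaultdict(int)
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if ev.get("type") == "process":
            reasons = flag_rclone_process(ev)
            if reasons:
                findings[ev["host"]].append(f"{ev['ts']} " + "; ".join(reasons))
        elif ev.get("type") == "egress" and ev.get("dst") in FILE_SHARING_DOMAINS:
            findings[ev["host"]].append(f"{ev['ts']} connection to file-sharing site {ev['dst']}")
            per_host_bytes[ev["host"]] += int(ev.get("bytes_out", 0))
    for host, total in per_host_bytes.items():
        if total >= EXFIL_BYTES_THRESHOLD:
            findings[host].append(f"{total} bytes uploaded to file-sharing sites")
    return dict(findings)
```

On the sample data only ws-17 is reported: its rclone runs from a Temp directory with its own config file, it talks to both watchlisted domains, and its upload volume to them exceeds the threshold, while the approved backup job on ws-22 stays silent.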