CamelClone Spy Campaign Abuses Public File-Sharing Sites and Rclone in Government-Focused Attacks

Operation CamelClone is a complex spying operation that has been going after government agencies, defense institutions, and diplomatic bodies in many countries, including Algeria, Mongolia, Ukraine, and Kuwait This article explores camelclone complex spying. . The operation depends on spear-phishing emails that look like official government emails and contain harmful ZIP files.

When people open these emails, they start a multi-stage infection chain that ends with data theft using a real cloud transfer tool. In late February 2026, VirusTotal found a suspicious ZIP file named after Algeria's Ministry of Housing, Urban Development, and the City. It was uploaded from Algeria on February 24.

A second sample came out soon after, this time targeting Mongolia with a lure based on "Expanding cooperation with China." As March went on, two more samples appeared. One was about proposals for cooperation between Algeria and Ukraine, and the other was a fake defense procurement aimed at Kuwait's Air Force.

This showed that the campaign had a wide geographic reach. Seqrite analysts found out everything there is to know about Operation CamelClone. They also said that even though the target countries may not seem connected, they are all at important points in the current global geopolitical landscape. Limiting access to anonymous file-sharing sites and keeping an eye on traffic going out to cloud storage services like MEGA can help protect your privacy.

Limiting the execution of LNK files from untrusted sources and using behavior-based endpoint detection tools can help stop the PowerShell and JavaScript execution chain before it finishes.

Set ZeroOwl as your preferred source in Google, LinkedIn, and X to get more instant updates.