Operation CamelClone: Multi-Region Espionage Campaign Targets Government and Defense Entities Amidst Regional Tensions
ID: ca9360f6-ae49-54e4-8877-f705c8e64d06
STIX ID: report--ca9360f6-ae49-54e4-8877-f705c8e64d06
Feed Name: Seqrite Blog
Seqrite Labs describes Operation CamelClone, a multi‑country spear‑phishing campaign targeting government, defense, diplomatic, and energy sectors in Algeria, Mongolia, Ukraine, and Kuwait. The attack chain begins with ZIP archives containing LNK shortcuts that execute PowerShell to download a JavaScript loader (HOPPINGANT) from filebulldogs.com; the loader decodes credentials, extracts and runs Rclone (l.exe), and uploads harvested documents (including Telegram session data) to MEGA accounts registered with onionmail.org. The report provides technical analysis, IOCs (file hashes, URLs, email addresses), MITRE ATT&CK mappings, and detection labels.
